Configure IT Quick: Configure Windows and Exchange 2000 through the firewall
Takeaway: Find out how to make Windows 2000 and Exchange 2000 work through a firewall
Depending on your network architecture and your business process, it might be advantageous or even necessary to place your Exchange 2000 server in a demilitarized zone (DMZ). This provides a convenient solution for hosting both internal and external client mail services while denying direct connections between external clients and your internal network.
However, this sort of logical design can wreck your current security configuration if you don't know exactly what ports and protocols need to be opened and in what direction they need to flow. The procedure to allow this communication is fairly straightforward, but you must remember that there are two pieces to this puzzle:
- The Windows 2000 server has to communicate through your firewall with your domain controller to authenticate and validate the client requests for e-mail services.
- The clients must be able to communicate with the Exchange 2000 server now residing in your DMZ.
Windows 2000 through the firewall
You need to allow a number of ports and protocols into your domain from the Exchange server, including:
- UDP/TCP 53 (DNS)
- UDP/TCP 88 (Kerberos authentication)
- TCP 123 (Network Time Protocol, NTP). This is necessary only to synchronize the time of the Exchange server with your internal network, which is required for Kerberos authentication.
- TCP 135 (DCE Endpoint Resolution, also known as RPC Endpoint Mapper)
- UDP/TCP 389 (LDAP Access)
- TCP 445 (Microsoft Directory Service)
- TCP 3268 (LDAP to global catalog servers)
In addition, you'll need to allow one high port for Active Directory logon and directory replication. This TCP port is dynamically selected when the server starts, but you can statically map it via the registry by adding or changing a registry key.
Important note
Editing the registry is risky, so make sure you have a verified backup before making any of these changes.
Open the Registry Editor (Regedt32.exe), go to the following key, and make the settings shown below:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NTDS\Parameters
Value Name: TCP/IP Port
Data Type: REG_DWORD
Radix: Decimal
Value: Select an unused port greater than 1024
Don't forget to allow the high ports (TCP greater than 1024) from your internal servers to the DMZ Windows 2000 Exchange server. Finally, you'll need to open TCP 25 (SMTP) inbound/outbound from the Exchange server to the Internet for e-mail traffic to and from other e-mail servers.
Now that the Windows 2000 server can receive e-mail and communicate with your internal network, you need to allow Exchange clients to access this server through your firewall.
Clients through the firewall
Exchange 2000 supports an assortment of client access types, including MAPI, IMAP, POP3, and Web. As an example, I'll show you how to configure MAPI. When accessing Microsoft Exchange, MAPI is the client access protocol of choice for communication between e-mail client and server.
To allow e-mail clients full access to this server, you'll need to open four ports through the firewall to your DMZ Windows 2000 Exchange server. The first of the four ports is TCP 135 (RPC Endpoint Mapper).
Three other ports are used for MAPI client communication to the Exchange server. Although these ports are normally random high ports, we're going to statically assign them through two registry keys to avoid a security nightmare. Open the Registry Editor (Regedt32.exe), and make the following changes to the keys shown below.
Key 1: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\MSExchangeSA\Parameters (two values, one per port)
Data Type: REG_DWORD
Data Value: Select an unused port greater than 1024
Data Type: REG_DWORD
Data Value: Select an unused port greater than 1024
Key 2: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\MSExchangeIS\ParametersSystem (one value)
Data Type: REG_DWORD
Data Value: Select an unused port greater than 1024
With these ports open to your DMZ Windows 2000 Exchange server, your internal or external clients will have full access to their mailbox through their Outlook client.
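The two sections above together describe a specific set of flows (DMZ server to domain, high ports back, SMTP to the Internet, clients to the DMZ). The following is an added example, not code from the original article: it encodes those flows as a required-flow table and audits a candidate firewall rule set for gaps and for rules that open more than the article calls for. Zone names, the rule format, and the port values 50000-50003 (standing in for the static ports you chose in the registry) are constructed assumptions.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Rule:            # one permitted flow: connections opened from zone src to zone dst
    src: str
    dst: str
    proto: str         # "tcp" or "udp"
    ports: range       # destination ports permitted
HIGH = range(1025, 65536)  # the article's "high ports", TCP greater than 1024

def required_flows(ad_port, mapi_ports):
    """Flows the article lists. ad_port is the static NTDS 'TCP/IP Port' value,
    mapi_ports the three static MAPI ports; both are chosen by you (>1024)."""
    fixed = [(53, "tcp"), (53, "udp"), (88, "tcp"), (88, "udp"), (123, "tcp"), (135, "tcp"),
             (389, "tcp"), (389, "udp"), (445, "tcp"), (3268, "tcp"), (ad_port, "tcp")]
    flows = [Rule("dmz", "lan", proto, range(p, p + 1)) for p, proto in fixed]
    flows.append(Rule("lan", "dmz", "tcp", HIGH))                # high ports back to DMZ
    flows.append(Rule("dmz", "internet", "tcp", range(25, 26)))  # SMTP outbound
    flows.append(Rule("internet", "dmz", "tcp", range(25, 26)))  # SMTP inbound
    flows += [Rule("clients", "dmz", "tcp", range(p, p + 1)) for p in (135, *mapi_ports)]
    return flows

def audit(rules, flows):
    """Return (missing, over_broad): required flows no rule covers, and rules that
    permit ports no required flow needs, with the count of such ports."""
    def covers(rule, flow):
        return ((rule.src, rule.dst, rule.proto) == (flow.src, flow.dst, flow.proto)
                and flow.ports.start >= rule.ports.start and flow.ports.stop <= rule.ports.stop)
    missing = [f for f in flows if not any(covers(r, f) for r in rules)]
    over_broad = []
    for r in rules:
        needed = {p for f in flows
                  if (f.src, f.dst, f.proto) == (r.src, r.dst, r.proto) for p in f.ports}
        extra = sum(1 for p in r.ports if p not in needed)
        if extra:
            over_broad.append((r, extra))
    return missing, over_broad

# Constructed sample rule set with two deliberate mistakes: UDP 88 (Kerberos) was
# forgotten, and the client rule opens every port instead of the four required.
SAMPLE_RULES = [Rule("dmz", "lan", proto, range(p, p + 1)) for p, proto in
                [(53, "tcp"), (53, "udp"), (88, "tcp"), (123, "tcp"), (135, "tcp"),
                 (389, "tcp"), (389, "udp"), (445, "tcp"), (3268, "tcp"), (50000, "tcp")]]
SAMPLE_RULES += [Rule("lan", "dmz", "tcp", HIGH),
                 Rule("dmz", "internet", "tcp", range(25, 26)),
                 Rule("internet", "dmz", "tcp", range(25, 26)),
                 Rule("clients", "dmz", "tcp", range(1, 65536))]  # "any port" rule

def demo():
    """Audit SAMPLE_RULES against the article's flows (50000-50003 are constructed)."""
    return audit(SAMPLE_RULES, required_flows(50000, (50001, 50002, 50003)))
```

Running `demo()` reports the forgotten UDP 88 flow as missing and flags the client rule as over-broad by 65,531 ports; re-run the audit whenever the static registry ports or the rule set change.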
End sum
Sometimes, a business process can drive your network structure and security architecture to the edge of insecurity. However, providing secure access to and from a Windows 2000 Exchange server that resides in your DMZ is pretty simple and straightforward. The harder part is keeping up with the patches.
This article originally appeared in the Security Solutions e-newsletter.