T.R | Title | User | Personal Name | Date | Lines |
---|
997.1 | From the Exchange server resource guide | tunsrv2-tunnel.imc.das.dec.com::foster | Stan Foster - [email protected] | Fri Apr 11 1997 03:24 | 42 |
| Configuring a Firewall to Allow RPC Communication
In order for Microsoft Exchange Client computers to access Microsoft Exchange Server computers
remotely over the Internet, the clients and servers must be able to communicate using RPCs. If
you are not using an Internet firewall, RPC communication is enabled by default. This
configuration is risky because an attacker can gain access to the server and potentially
compromise the security of Microsoft Exchange Server resources such as mailboxes and public
folders.
If you are using a firewall to increase your system's security, you may need to configure the
firewall to allow RPC communication. Some Internet firewalls do not accept TCP/IP port numbers
that Microsoft Exchange Server uses for RPC communication. To solve this problem, you should
add port 135 to your firewall and configure Microsoft Exchange Server to use the same ports as
your firewall.
To configure Microsoft Exchange Server, you should set two unique port numbers, one for the
information store and one for the directory. The registry value TCP/IP Port controls this
setting. This DWORD value is a 16-bit number that you set for the port that the firewall will
accept.
For the directory, you can modify the port numbers in the following registry location:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MSExchangeDS\Parameters\TCP/IP Port
For the information store, you can modify the port number in the following registry location:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MSExchangeIS\ParametersSystem\TCP/IP Port
If you are using a packet filter, you must configure it to allow TCP connections to these ports
in addition to port 135 (for the RPC End-Point Mapper service) on the Microsoft Exchange Server
computer.
To add TCP/IP port numbers
1. In the Windows NT registry, select one of the following keys:
- HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MSExchangeDS\Parameters
- HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MSExchangeIS\ParametersSystem
2. From the Edit menu, select Add Key.
3. In Key Name, type TCP/IP Port, and choose OK.
4. Select the new TCP/IP Port key, and select Add Value from the Edit menu.
5. In Value Name, type TCP/IP Port. In Data Type, select REG_DWORD, and choose OK.
6. In Data, type the number of the port that the firewall will accept.
|
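The procedure above is typed into the NT registry editor by hand. As an added example (not from the resource guide or from Microsoft), the script below generates an importable REGEDIT4 file that pins both ports, and applies the checks an administrator would want before importing it: each port is a 16-bit number, the two are unique, neither reuses 135, and neither lies in NT's default dynamic range of 1025-5000 (that range is an assumption about the client/server OS; a fixed port inside it could already be in use by another process when the service starts). It writes the value at the path the guide quotes, directly under Parameters and ParametersSystem. The port numbers 6001 and 6002 are constructed for illustration only.

```python
# Added example: generate a .reg file that pins the Exchange directory (DS) and
# information store (IS) RPC ports, plus the list of inbound TCP ports the
# packet filter must then allow.  Not code from the resource guide.

DS_KEY = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MSExchangeDS\Parameters"
IS_KEY = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MSExchangeIS\ParametersSystem"
VALUE_NAME = "TCP/IP Port"
EPMAP_PORT = 135              # RPC End-Point Mapper, always required
# Assumption: the default NT dynamic (ephemeral) port range.  A fixed port inside
# it may already have been handed to another process before the service binds.
NT_DYNAMIC_RANGE = range(1025, 5001)


def validate_ports(ds_port, is_port):
    """Raise ValueError if the pair would not work as the guide describes."""
    for name, port in (("directory", ds_port), ("information store", is_port)):
        if not 1 <= port <= 65535:
            raise ValueError(f"{name} port {port} is not a 16-bit port number")
        if port == EPMAP_PORT:
            raise ValueError(f"{name} port must not reuse endpoint mapper port {EPMAP_PORT}")
        if port in NT_DYNAMIC_RANGE:
            raise ValueError(f"{name} port {port} lies in the default dynamic range")
    if ds_port == is_port:
        raise ValueError("directory and information store need two unique ports")


def reg_file(ds_port, is_port):
    """Return the text of a REGEDIT4 file setting both REG_DWORD values.

    REGEDIT4 is the header regedit.exe on Windows NT 4 expects; later versions
    still import it.  dword values are written as 8 hex digits.
    """
    validate_ports(ds_port, is_port)
    lines = ["REGEDIT4", ""]
    for key, port in ((DS_KEY, ds_port), (IS_KEY, is_port)):
        lines += [f"[{key}]", f'"{VALUE_NAME}"=dword:{port:08x}', ""]
    return "\n".join(lines)


def firewall_ports(ds_port, is_port):
    """The inbound TCP ports the packet filter must allow to the server."""
    validate_ports(ds_port, is_port)
    return sorted({EPMAP_PORT, ds_port, is_port})


if __name__ == "__main__":
    # Constructed values; pick ports free on your own server.
    print(reg_file(6001, 6002))
    print("allow inbound TCP to server ports:", firewall_ports(6001, 6002))
```

Save the printed text as a .reg file and import it on the Exchange server, then restart the directory and information store services; the firewall rule set needs exactly the three ports `firewall_ports` returns.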
997.2 | set wrap 80 | LEXSS1::PUCHRIK | Field Rat | Fri Apr 11 1997 10:31 | 62 |
| <<< CHEFS::DISK$ALL_IN_1:[NOTES$LIBRARY]MS-EXCHANGE.NOTE;10 >>>
-< Microsoft Exchange Server >-
================================================================================
Note 997.1 Exchange and Wingate (and ports used by Exchange) 1 of 1
tunsrv2-tunnel.imc.das.dec.com::foster "Stan Foster" 42 lines 11-APR-1997 02:24
-< From the Exchange server resource guide >-
--------------------------------------------------------------------------------
Configuring a Firewall to Allow RPC Communication
In order for Microsoft Exchange Client computers to access Microsoft Exchange
Server computers remotely over the Internet, the clients and servers must be
able to communicate using RPCs. If you are not using an Internet firewall,
RPC communication is enabled by default. This configuration is risky because
an attacker can gain access to the server and potentially compromise the
security of Microsoft Exchange Server resources such as mailboxes and public
folders.
If you are using a firewall to increase your system's security, you may
need to configure the firewall to allow RPC communication. Some Internet
firewalls do not accept TCP/IP port numbers that Microsoft Exchange Server
uses for RPC communication. To solve this problem, you should add port 135
to your firewall and configure Microsoft Exchange Server to use the same ports
as your firewall.
To configure Microsoft Exchange Server, you should set two unique port numbers,
one for the information store and one for the directory. The registry value
TCP/IP Port controls this setting. This DWORD value is a 16-bit number that
you set for the port that the firewall will accept. For the directory, you
can modify the port numbers in the following registry location:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MSExchangeDS\
Parameters\TCP/IP Port
For the information store, you can modify the port number in the following
registry location:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MSExchangeIS\
ParametersSystem\TCP/IP Port
If you are using a packet filter, you must configure it to allow TCP
connections to these ports in addition to port 135 (for the RPC End-Point
Mapper service) on the Microsoft Exchange Server computer.
To add TCP/IP port numbers
1. In the Windows NT registry, select one of the following keys:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MSExchangeDS\
Parameters
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MSExchangeIS\
ParametersSystem
2. From the Edit menu, select Add Key.
3. In Key Name, type TCP/IP Port, and choose OK.
4. Select the new TCP/IP Port key, and select Add Value from the Edit menu.
5. In Value Name, type TCP/IP Port. In Data Type, select REG_DWORD, and choose OK.
6. In Data, type the number of the port that the firewall will accept.
|
997.3 | I got it to work (at least for now) | ROCK::PRESTON | Dirty Logic Motto -- Issue Early, Issue Often | Thu May 01 1997 04:27 | 23 |
|
I was successful in getting my home network (2PCs, 1 modem using WinGate as
the firewall/server through the modem) to attach to the Digital MS-Exchange
server that my wife uses.
Following the .2 reply I mapped port 135 but I didn't have valid maps for the
two services that Exchange uses (the second part of .2). I got it to work
by watching a direct connection from the WinGate pc to the exchange server
and copying down the port #s that were being used, then I created two more
maps for those.
I believe that there are two ways these ports can be assigned:
a) dynamically at the boot of the server
b) statically via the registry edits suggested in .2
Does anybody know if the digital exchange servers use a) or b). It would
seem that if the port numbers change in the future that I've only temporarily
solved my problem.
/ron
|
997.4 | Not sure but probably the default | tunsrv2-tunnel.imc.das.dec.com::foster | Stan Foster - [email protected] | Thu May 01 1997 04:53 | 7 |
| I don't think there has been any special configuration for the servers
so they use the default dynamic port assignment.
This configuration is much simpler if you are tunneling in via an
ISP. That way you can just proxy the one tunnel firewall port (6666
in my case) and then let all your net 16 packets go down the tunnel
and not worry about proxying each RPC port at all.
|
997.5 | Dynamic | RDGENG::COBB | Graham R. Cobb (Telecom PSC), REO1-F8, 830-3917 | Thu May 01 1997 11:36 | 15 |
| I have also got exchange working through Wingate to the REOEXC2 server.
This feature (which I had with TeamLinks) is critical for me.
Unfortunately, the port assignment is dynamic. I have seen the following
pairs of ports: 1031/1047, 1033/1048, 1038/1071.
It takes me about half an hour each time I work at home to get this set up.
I tend to just start Exchange hoping the ports are the same as the last time
and hence it will just work. Then I use netstat to watch what ports are
being attempted. Then I reboot because exchange has hung because I left it
too long. A couple of attempts later I get the right pair of ports set up!
Anyone know who I would have to contact to get fixed numbers set up on
REOEXC2?
Graham
|
997.6 | Why dynamic ports in the first place ? | tunsrv2-tunnel.imc.das.dec.com::foster | Stan Foster - [email protected] | Fri May 02 1997 04:41 | 11 |
| Before we do any major lobbying with the people that manage the
production servers I'd like to understand more about why Exchange
uses dynamic port assignments for the client connections rather than
fixed ports and what will the consequences be if they are hard-wired
on the server. They must have done it this way for a reason. If we
can't give satisfactory answers to these questions we will get
nowhere. I'm also curious how the client ever connects at all. There
must be some negotiation happening over a pre-assigned port in order
to bootstrap this process.
Any offers?
|
997.7 | Port 135 is used for the negotiation | ROCK::PRESTON | Dirty Logic Motto -- Issue Early, Issue Often | Fri May 02 1997 19:26 | 21 |
|
I don't pretend to understand any of the "theory" behind how exchange
is setup. However, it seems that on startup of a client Port 135 is used
to initiate the sessions and the server responds to the client with 2 new port
numbers using the port 135 path. I'm guessing that the system is stable on a
set of port#s until the server reboots when two new numbers may be picked.
Another problem is that if my understanding is right, two different servers
won't have the same assignments. That would appear to mean that when they
migrate me to Exchange, I'll need two mapping proxies for my account through
my WinGate firewall and two possibly different ones for my wife, whose Exchange
account is on another server.
Complicating matters more, if we standardized on two consistent numbers then I'd
probably be outta-luck with Wingate as the mapping proxy takes a port# from the
client and maps it to both a port# and a specific NODE.
Life was much simpler with vax mail
/ron
|
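Replies .3, .5 and .7 all describe the same manual routine: watch `netstat -n` on a directly connected PC, note the two ports the server hands back after the port 135 exchange, and create WinGate mappings for them, which breaks whenever the server picks new ports. As an added example (not code from anyone in this thread, and not part of WinGate), the script below automates that routine over a constructed `netstat -n` sample: it finds every host the client reached on port 135, collects the other TCP ports it then opened to that host, emits one (listen port, node, port) mapping per server port, reports listen ports that two servers would both need (the collision .7 describes), and flags mappings left over from a previous session whose ports no longer match. It goes beyond the thread in handling several servers at once. The addresses and ports in the sample are made up; the assumption that the WinGate listen port equals the server port is just a convenient default.

```python
# Added example: derive WinGate-style port mappings for Exchange RPC from
# netstat output, and detect the two ways the manual method goes wrong
# (ports changed since last time; two servers wanting the same listen port).
import re
from collections import defaultdict

EPMAP_PORT = 135   # RPC End-Point Mapper; the client always starts here

# Constructed sample of "netstat -n" on a client PC.  Two Exchange servers
# (16.4.5.6 and 16.7.8.9), one unrelated web connection, one UDP line.
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    16.1.2.3:1029          16.4.5.6:135           ESTABLISHED
  TCP    16.1.2.3:1030          16.4.5.6:1031          ESTABLISHED
  TCP    16.1.2.3:1031          16.4.5.6:1047          ESTABLISHED
  TCP    16.1.2.3:1032          16.7.8.9:135           TIME_WAIT
  TCP    16.1.2.3:1033          16.7.8.9:1038          ESTABLISHED
  TCP    16.1.2.3:1034          16.7.8.9:1071          ESTABLISHED
  TCP    16.1.2.3:1035          16.9.9.9:80            ESTABLISHED
  UDP    16.1.2.3:137           *:*
"""

LINE_RE = re.compile(r"^\s*TCP\s+(\S+):(\d+)\s+(\S+):(\d+)\s+(\S+)\s*$")


def parse_netstat(text):
    """Return (local_port, remote_host, remote_port, state) for each TCP line."""
    conns = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            conns.append((int(m.group(2)), m.group(3), int(m.group(4)), m.group(5)))
    return conns


def rpc_ports_by_server(conns):
    """For each remote host the client contacted on port 135, the sorted list of
    other TCP ports it then opened to that host (the negotiated RPC ports).
    Hosts never contacted on 135 are ignored: they were not reached via the
    endpoint mapper, so they are not RPC servers."""
    epmap_hosts = {host for _, host, port, _ in conns if port == EPMAP_PORT}
    by_server = defaultdict(set)
    for _, host, port, _ in conns:
        if host in epmap_hosts and port != EPMAP_PORT:
            by_server[host].add(port)
    return {host: sorted(ports) for host, ports in by_server.items()}


def wingate_mappings(by_server):
    """One (listen_port, node, port) triple per server port, plus 135 for each
    server.  Assumption: the listen port on the WinGate box is the same number
    as the server port; WinGate lets you choose any free port instead."""
    rows = []
    for host, ports in sorted(by_server.items()):
        for p in [EPMAP_PORT] + ports:
            rows.append((p, host, p))
    return rows


def listen_port_collisions(rows):
    """Listen ports that more than one node would need: a single WinGate
    mapping binds one listen port to one node, so these cannot coexist."""
    nodes = defaultdict(list)
    for listen, node, _ in rows:
        if node not in nodes[listen]:
            nodes[listen].append(node)
    return {lp: ns for lp, ns in nodes.items() if len(ns) > 1}


def stale_mappings(old_rows, new_rows):
    """Mappings from a previous session that no longer match what the server
    now hands out (the dynamic-port failure mode described in the thread)."""
    return sorted(set(old_rows) - set(new_rows))


if __name__ == "__main__":
    by_server = rpc_ports_by_server(parse_netstat(SAMPLE_NETSTAT))
    rows = wingate_mappings(by_server)
    for listen, node, port in rows:
        print(f"map local {listen} -> {node}:{port}")
    print("collisions:", listen_port_collisions(rows))
    print("stale:", stale_mappings([(1033, "16.4.5.6", 1033)], rows))
```

Run it against real `netstat -n` output captured while a direct (non-proxied) client is connected; any non-empty `collisions` result means the second server cannot be proxied on the same listen ports, which is exactly why fixed, per-server port numbers on the server side make the WinGate setup tractable.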