kentern asked:
Controlling Exchange 2010 port usage + some mythbusting

Hello,

We've recently set up an Exchange 2010 server. Exchange has a lot of documentation on what ports must be opened, but some ports (which seem to be dynamic) that are blocked when users connect via VPN are not covered by any documentation I have found so far.

Is there some simple way to tell Exchange 2010: I want you to use port X, Y and Z, and nothing else - ever? And can this be done without sending a 10-page e-mail to all users telling them how to configure their system?

We've also experimented with Outlook Anywhere. This works with VPN (and without) - nothing blocked.

Can anyone confirm/bust the following myths?

Myth #1: Using Outlook Anywhere on a portable (or desktop) computer that connects both to LAN and WAN, makes Outlook a lot slower, especially when on LAN.

Myth #2: Using Outlook Anywhere increases the load on the server.

Myth #3: Outlook Anywhere is a huge security risk

My big dream as the firewall admin in the house, is of course a solution that uses only one port and runs fast, and requires no manual changes on the user side :)

This again leads to the final question:

What is the best way to make all clients use Outlook Anywhere without sending the aforementioned 10-page email with pictures explaining where to click and what to type? Group Policy, or can this be set somewhere on the Exchange server? (HTTP is checked by default on most clients for some reason, but we need to check "use HTTP on fast networks" on all clients to make Outlook Anywhere work.)
ASKER CERTIFIED SOLUTION
Rick Fee
This solution is only available to members.
kentern (ASKER):
Thanks for the quick answer and confirmation!

I will try to set this in Autodiscover and return with results and points when it has been tested.
kentern (ASKER):
We've tested this a bit now - but it only works if the "in fast networks first connect via HTTP, then TCP/IP" is checked (translated from Norwegian - it's probably not 100% correct). We haven't found anywhere in Autodiscover to configure this option. Do you know if this can be set somewhere on the Exchange server?
EndureKona: 1# Busted... when at the LAN location Outlook Anywhere is not used.

"True", from what I have read, but it is not true if you have enabled "on fast networks, connect using HTTP first, then connect using TCP/IP" in Outlook Anywhere. I'm not sure this is correct.

Therefore, myth 4:
At the office (internal LAN) you will use Outlook Anywhere if the following is enabled in Outlook Anywhere: "on fast networks, connect using HTTP first, then connect using TCP/IP"

btw: what is needed for TCP/IP to work outside the office with Outlook Anywhere?
kentern (ASKER):
And an additional question to myth #4: Does it really matter if you use Outlook Anywhere at the office as well as at home?

If it isn't slower, doesn't increase server load and is just as safe as any other methods of using Outlook/Exchange - why would anyone use anything else?

Myth 4: It does not matter; however, the load increase is probably related to the SSL operations on the server, but it is still not bad at all.

You probably have most of your Outlook Anywhere people running at night, as they will be working in the office, which uses the usual RPC/MAPI.
kentern (ASKER):
Summing up what we've got so far:

SSL is safe, and does not increase server load significantly. Settings for using this can be set in autodiscover.

For this to work, "on fast networks, connect using http first, then connect using TCP/IP" must be enabled for some reason (one googled result says everything above 128kbit is considered a fast network?). According to EndureKona this will not affect LAN operation, but NM_149 thinks this may be incorrect.

Q1: Can anyone confirm who is right, and if it matters at all if we use http(s) even on our LAN?

Q2: If it affects neither security nor performance - why isn't everything done over HTTP? Backwards compatibility?

Running everything over http would sure tighten quite a lot of firewalls, vpns and wans all over the world...
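An added example of how the "push it through Autodiscover" approach discussed in this thread looks from the Exchange Management Shell; it is not from the accepted solution or from anyone in the thread. It assumes a Client Access server named CAS01 and an external hostname mail.example.com (both placeholders), and it assumes that on the admin's Exchange 2010 service pack the EXPR provider's OutlookProviderFlags parameter accepts ServerExclusiveConnect, which is the server-side switch that makes Outlook tick "On fast networks, connect using HTTP first, then connect using TCP/IP" without the user touching the profile.

```powershell
# Placeholders for this example; replace with your own names.
$cas     = 'CAS01'
$extHost = 'mail.example.com'

# 1. Enable Outlook Anywhere with NTLM (not Basic) over SSL and no SSL offloading,
#    so clients only need TCP 443 to the CAS instead of the dynamic RPC ports.
if (-not (Get-OutlookAnywhere -Server $cas -ErrorAction SilentlyContinue)) {
    Enable-OutlookAnywhere -Server $cas -ExternalHostname $extHost `
        -DefaultAuthenticationMethod NTLM -SSLOffloading $false
} else {
    Set-OutlookAnywhere -Identity "$cas\Rpc (Default Web Site)" `
        -ExternalHostname $extHost -DefaultAuthenticationMethod NTLM -SSLOffloading $false
}

# 2. Autodiscover (EXPR provider): tell Outlook which certificate name to expect on
#    the proxy, and set ServerExclusiveConnect. Assumption: this flag is what sets
#    "On fast networks, connect using HTTP first" in the client profile.
Set-OutlookProvider -Identity EXPR -CertPrincipalName "msstd:$extHost"
Set-OutlookProvider -Identity EXPR -OutlookProviderFlags ServerExclusiveConnect

# 3. Show what Autodiscover will now hand out, for checking before rollout.
Get-OutlookProvider | Format-Table Name, CertPrincipalName, OutlookProviderFlags -AutoSize
Get-OutlookAnywhere -Server $cas |
    Format-List ExternalHostname, DefaultAuthenticationMethod, SSLOffloading
```

Outlook picks the change up on its next Autodiscover refresh (at startup or on its periodic check), which is what removes the per-user "where to click" instructions.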