Solved

DMZ Exchange client needs to log onto Exchange sitting on inside LAN

Posted on 2003-11-11
Last Modified: 2010-04-09
I have a PIX 520 configured with three interfaces, inside, DMZ1 and outside.

The inside interface naturally routes off to my internal LAN where I've an Exchange 5.5 server handling Exchange client requests.  I've recently also purchased a new SMTP relay server (ServerX) that I'm testing at the moment on the LAN and have now got it configured to restrict spam messages, as well as providing pass-through NTLM authentication for my users to relay should they want to use it whilst on the road, etc., with the Windows 2000 servers.

At the moment, I've got an old anti-spam server (ServerM) sitting on the DMZ, that's the MX record for the company, and (at the moment) that passes mail to ServerX which checks for spam, and then it, in turn, passes the mail to my Exchange server.

I'm going to be moving ServerX from the LAN to the DMZ and probably replacing ServerM with it, so my final set up will be ServerX (MX record) on the DMZ checks for spam and relaying and, if OK, passes mail to the Exchange server on the inside LAN.  In order to test this all out beforehand though, I have a dummy machine on the DMZ configured with the IP address that the relocated ServerX will be working on.

What I'm having major difficulties with is getting this dummy machine on the DMZ to authenticate with the LAN servers, and therefore with the Exchange service.  I need both.  

At this point in time I'm not sure how much config I should post, etc., but I can supply a shortened version on request should it be deemed appropriate.
Question by: davemonk

5 Comments

Accepted Solution by: Pete Long (LVL 57, earned 175 total points), ID: 9721406
Hi davemonk,
Knowledge Base

XCCC: Exchange 2000 Windows 2000 Connectivity Through Firewalls
PSS ID Number: 280132

Article Last Modified on 5/19/2003

The information in this article applies to:

Microsoft Outlook Web Access 5.5 SP 1
Microsoft Outlook Web Access 5.5 SP 2
Microsoft Outlook Web Access 5.5 SP 3
Microsoft Exchange 2000 Server

This article was previously published under Q280132
IMPORTANT: This article contains information about modifying the registry. Before you modify the registry, make sure to back it up and make sure that you understand how to restore the registry if a problem occurs. For information about how to back up, restore, and edit the registry, click the following article number to view the article in the Microsoft Knowledge Base:
256986 Description of the Microsoft Windows Registry

SUMMARY
This article describes how to install Exchange 2000 Server and Outlook Web Access 5.5 on computers that are isolated from their Microsoft Windows 2000 networks by a firewall and are in a demilitarized zone (DMZ) Ethernet environment. Before any Exchange 2000 connectivity can be attempted, the firewall must be configured to allow Windows 2000 logon and networking traffic.

NOTE: This article discusses Windows 2000 traffic and connectivity only.
MORE INFORMATION
WARNING: If you use Registry Editor incorrectly, you may cause serious problems that may require you to reinstall your operating system. Microsoft cannot guarantee that you can solve problems that result from using Registry Editor incorrectly. Use Registry Editor at your own risk.

To install Exchange 2000 and Outlook Web Access 5.5 on computers that are isolated from their Microsoft Windows 2000 networks by a firewall and are in a demilitarized zone (DMZ) Ethernet environment:

1. Enable Windows 2000 Server-based computers to log on to the domain through the firewall by opening the following ports for inbound traffic:
   - 53 (Transmission Control Protocol [TCP], User Datagram Protocol [UDP]) - Domain Name System (DNS).
   - 80 (TCP) - Required for Outlook Web Access 5.5 access for communication between Exchange front-end and back-end servers.
   - 88 (TCP, UDP) - Kerberos authentication.
   - 123 (TCP) - Windows Time Synchronization Protocol (NTP). Note that this is not necessary for Windows 2000 logon capability, but may be configured or required by the network administrator.
   - 135 (TCP) - EndPointMapper.
   - 389 (TCP, UDP) - Lightweight Directory Access Protocol (LDAP).
   - 445 (TCP) - Server message block (SMB) for Netlogon, LDAP conversion and distributed file system (Dfs) discovery.
   - 3268 (TCP) - LDAP to global catalog servers.
   - One port for the Active Directory logon and directory replication interface (universally unique identifiers [UUIDs] 12345678-1234-abcd-ef00-01234567cffb and e3514235-4b06-11d1-ab04-00c04fc2dcd2), which is typically assigned port 1025 or 1026 during startup. This value is not set in the DSProxy or System attendant (MAD) source code, so you must map the port in the registry on any domain controllers that the Exchange 2000 computer must contact through the firewall to process logons, and then open the port on the firewall.

   To map the port in the registry:
   a. Start Registry Editor (Regedt32.exe).
   b. Locate the following key in the registry:
      HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NTDS\Parameters
   c. On the Edit menu, click Add Value, and then add the following registry value:
      Value Name: TCP/IP Port
      Data Type: REG_DWORD
      Radix: Decimal
      Value: greater than 1024
   d. Quit Registry Editor.

   Make sure that the slash in "TCP/IP" is a forward slash, and that the value that you assign is greater than 1024, in decimal format. That number is the extra port that you need to open (TCP, UDP) on the firewall. Setting this registry value on every domain controller inside the firewall does not impact performance, and covers any logon request redirects that occur as a result of servers that are down, roles that change, or bandwidth needs.

   NOTE: For the server inside the firewall to communicate back through the firewall to the external server, you also need to have ports 1024 through 65535 configured for outbound communications. Computers that initiate the communication through the firewall use a client-side port that is dynamically assigned and cannot be configured.

2. Install Exchange 2000 on the external computer. You do not need any additional ports open to install Exchange 2000 on the external computer.

3. Install Outlook Web Access 5.5 on the external computer. To install Outlook Web Access 5.5 on the external computer, directed at a Microsoft Exchange Server 5.5 computer that is running inside the DMZ and firewall, you need the Windows 2000 ports discussed previously, plus static mappings for the Exchange Server 5.5 directory service (UUID f5cc5a18-4264-101a-8c59-08002b2f8426), information store (UUID a4f1db00-ca47-1067-b31f-00dd010662da), and system attendant (UUID 469d6ec0-0d87-11ce-b13f-00aa003bac6c). For additional information about setting up these static mappings, click the article numbers below to view the articles in the Microsoft Knowledge Base:
   155831 XADM: Setting TCP/IP Ports for Exchange and Outlook Client Connections Through a Firewall
   245273 XWEB: OWA Setup Error Message: There Are No More Endpoints Available from the Endpoint Mapper

4. Configure Exchange 2000 front-end and back-end connectivity. Exchange 2000 front-end and back-end connectivity only requires that additional ports be open as needed for whatever communication is desired (for example, Web client front-end and back-end connectivity requires port 80 [TCP] open, IMAP 143 [TCP], and so on). Additionally, any connectivity by secure protocols such as IPSec or Secure Sockets Layer (SSL)-secured Hypertext Transfer Protocol (HTTP), Internet Message Access Protocol (IMAP), or Post Office Protocol version 3 (POP3) that you need requires additional configuration that is not specified in this article.

In a DMZ Ethernet environment, you also need to define TCP/IP routes from the computer in the DMZ Ethernet to every computer in the internal network that you need to communicate with.
Networking white papers are located at the following Web site:
http://www.lucentnps.com/knowledge/whitepapers/index.asp

© 2003 Microsoft Corporation. All rights reserved.


Cheers!
Assisted Solution by: lrmoore (LVL 79, earned 175 total points), ID: 9722494
One alternative on your pix is to create a specific host-host rule and not use nat
(assuming you are using acls not conduits)
DMZ host - 172.16.22.22
Exchange Host - 172.16.1.22

access-list nonat permit ip host 172.16.1.22 host 172.16.22.22
nat (inside) 0 access-list nonat
access-list dmz_inside permit ip host 172.16.22.22 host 172.16.1.22
access-group dmz_inside in interface dmz1

As Pete has shown, there are so many ports to open, it's like Swiss cheese. Might as well make it simple and lock it down to specific hosts only, full IP.
Alternatively, you can use the full spectrum of ports in the acl, or create a group..
i.e.
access-list dmz_inside permit tcp host 172.16.22.22 host 172.16.1.22 eq 135
access-list dmz_inside permit tcp host 172.16.22.22 host 172.16.1.22 eq 445
access-list dmz_inside permit tcp host 172.16.22.22 host 172.16.1.22 eq 389
access-list dmz_inside permit udp host 172.16.22.22 host 172.16.1.22 eq 389
access-list dmz_inside permit tcp host 172.16.22.22 host 172.16.1.22 eq 88
access-list dmz_inside permit udp host 172.16.22.22 host 172.16.1.22 eq 88
access-list dmz_inside permit tcp host 172.16.22.22 host 172.16.1.22 eq 3268
access-group dmz_inside in interface dmz1

Notice that in above you are not specifying source port on source host, only destination ports.
If you follow the KB article, you can lock down those source ports, and refine the access-list even more...

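Pete's KB 280132 port list and lrmoore's host-to-host PIX ACL, taken together, as an added example that is not code from this thread, from Cisco or from Microsoft: a Python script that writes the per-port PIX access-list from the KB table (including the static Active Directory RPC port pinned by the NTDS "TCP/IP Port" registry value) and audits a pasted ACL for ports the KB requires but the list omits. The addresses 172.16.22.22 and 172.16.1.22, the ACL name dmz_inside and the interface name dmz1 are lrmoore's example values; the static port value 1600 and the sample ACL text are constructed for illustration.

```python
"""Build a host-to-host PIX ACL from the KB 280132 port list and audit an
existing ACL against it.

Added example, not from the original thread, Cisco or Microsoft.  Hosts,
ACL name and interface are lrmoore's example values; the NTDS TCP/IP Port
value 1600 and SAMPLE_ACL are constructed.
"""
import re

# Ports KB 280132 requires for Windows 2000 logon through the firewall.
# Port 80 (OWA front-end/back-end) and 123 (NTP, optional per the KB) are
# not part of logon and are left out of the mandatory set.
REQUIRED = [
    ("tcp", 53, "DNS"), ("udp", 53, "DNS"),
    ("tcp", 88, "Kerberos"), ("udp", 88, "Kerberos"),
    ("tcp", 135, "RPC endpoint mapper"),
    ("tcp", 389, "LDAP"), ("udp", 389, "LDAP"),
    ("tcp", 445, "SMB for Netlogon/Dfs"),
    ("tcp", 3268, "LDAP to global catalog"),
]


def required_ports(ntds_tcpip_port):
    """Mandatory ports plus the static AD logon/replication RPC port.

    The KB pins that RPC port with the REG_DWORD "TCP/IP Port" under
    HKLM\\System\\CurrentControlSet\\Services\\NTDS\\Parameters on every DC
    (decimal, greater than 1024) and says to open it for both TCP and UDP.
    """
    if not 1024 < ntds_tcpip_port <= 65535:
        raise ValueError("NTDS TCP/IP Port must be greater than 1024")
    static = "AD logon/replication RPC (static NTDS TCP/IP Port)"
    return REQUIRED + [("tcp", ntds_tcpip_port, static),
                       ("udp", ntds_tcpip_port, static)]


def pix_acl(name, dmz_host, inside_host, ntds_tcpip_port, interface="dmz1"):
    """PIX 6.x access-list lines allowing only the DMZ host to reach the inside
    host on the required destination ports, plus the access-group that binds
    the list inbound on the DMZ interface.  Source ports are not restricted."""
    lines = [
        f"access-list {name} permit {proto} host {dmz_host} host {inside_host} eq {port}"
        for proto, port, _ in required_ports(ntds_tcpip_port)
    ]
    lines.append(f"access-group {name} in interface {interface}")
    return lines


# Host-to-host permit lines only; 'ip' lines carry no 'eq' clause.  Named
# ports, ranges and object-groups are not modelled (assumption of this example).
_ACL_RE = re.compile(
    r"^access-list\s+\S+\s+permit\s+(ip|tcp|udp)\s+host\s+(\S+)\s+host\s+(\S+)"
    r"(?:\s+eq\s+(\d+))?\s*$"
)


def parse_acl(text, dmz_host, inside_host):
    """Set of (proto, port) the ACL permits from dmz_host to inside_host.
    A full-IP permit is returned as ("ip", None); other host pairs are ignored."""
    allowed = set()
    for line in text.splitlines():
        m = _ACL_RE.match(line.strip())
        if not m:
            continue
        proto, src, dst, port = m.groups()
        if src != dmz_host or dst != inside_host:
            continue
        if proto == "ip":
            allowed.add(("ip", None))
        elif port is not None:
            allowed.add((proto, int(port)))
    return allowed


def missing_ports(acl_text, dmz_host, inside_host, ntds_tcpip_port):
    """Required (proto, port, purpose) entries the ACL does not permit."""
    allowed = parse_acl(acl_text, dmz_host, inside_host)
    if ("ip", None) in allowed:          # full IP host-to-host covers everything
        return []
    return [entry for entry in required_ports(ntds_tcpip_port)
            if (entry[0], entry[1]) not in allowed]


# Constructed sample: a TCP-only port list like the one in lrmoore's reply.
SAMPLE_ACL = """\
access-list dmz_inside permit tcp host 172.16.22.22 host 172.16.1.22 eq 135
access-list dmz_inside permit tcp host 172.16.22.22 host 172.16.1.22 eq 445
access-list dmz_inside permit tcp host 172.16.22.22 host 172.16.1.22 eq 389
access-list dmz_inside permit tcp host 172.16.22.22 host 172.16.1.22 eq 88
access-list dmz_inside permit tcp host 172.16.22.22 host 172.16.1.22 eq 3268
"""

if __name__ == "__main__":
    for line in pix_acl("dmz_inside", "172.16.22.22", "172.16.1.22", 1600):
        print(line)
    print("--- required ports the sample ACL does not permit ---")
    for proto, port, why in missing_ports(SAMPLE_ACL, "172.16.22.22",
                                          "172.16.1.22", 1600):
        print(f"{proto}/{port}: {why}")
```

The audit only looks at DMZ-to-inside initiations: the PIX keeps connection state, so replies from the inside host on its dynamically chosen client ports come back through the existing connection without a separate rule, which is what the KB's "1024 through 65535 outbound" note addresses on firewalls that are not stateful. A full-IP host-to-host permit passes the audit by construction, which is exactly the trade-off lrmoore describes: simpler, but the DMZ host then reaches every service on that inside host, not just the logon ones.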
Author Comment by: davemonk, ID: 9722914
Chaps,
Thanks for your replies here, but I'm wondering if the Exchange server and the Domain Controllers *have* to have public addresses?  I'm using NAT for both...

I have added specific hosts accessing the services as listed above - TBH, I hadn't tried full IP, host to host - but again, can I only do this with non-NAT'd addresses?
Expert Comment by: Tim Holman (LVL 23), ID: 10976455
No comment has been added to this question in more than 21 days, so it is now classified as abandoned.
I will leave the following recommendation for this question in the Cleanup topic area:

--> Split between PeteLong and lrmoore.

Any objections should be posted here in the next 4 days. After that time, the question will be closed.

tim_holman
EE Cleanup Volunteer