Exchange server 2007 setup question, which ports

I'm new to Exchange Server 2007.
Is it safe to allow access using "Exchange Server" access method in Outlook (not pop3) from the Internet?
Which ports need to be open for this to work?
rj2 Asked:
Sembee Commented:
The only secure way is to use Outlook Anywhere. That runs over port 443. Any other method will almost certainly NOT work, as the ports are blocked by most ISPs.

Simon.
0
 
ATIG Commented:
For remote access to your Exchange server via Outlook, Outlook Anywhere (formerly RPC over HTTPS) would be your access method of choice.

All you need to deploy this would be a valid SSL certificate and port 443 (HTTPS) open.

1. The configuration is as simple as installing the RPC proxy service on the CAS server
2. Install the certificate
3. Enable OL Anywhere

If you will be using OL 2007 then you also need to read my blog on Autodiscover, which is a wonderful feature to assist with OL configuration.
0
 
rj2 (Author) Commented:
What is a CAS server?

I found some information about Outlook Anywhere here: http://office.microsoft.com/en-us/outlook/HP101024441033.aspx 

This link mentions "proxy server for Exchange". What is that?
Do I need to buy a valid certificate to get this to work, or can I use a self-signed certificate?
0
ATIG Commented:
Oh my.... if you are not familiar with the Exchange 2007 roles, then I HIGHLY recommend you go out and purchase Mastering Exchange 2007 first http://www.amazon.com/Mastering-Microsoft-Exchange-Server-2007/dp/0470042893

before you work on the server
0
 
Sembee Commented:
The Outlook Anywhere section of that book is very good... *

Simon

* Disclaimer - I wrote that chapter.
0
 
ATIG Commented:
hehe... I was gonna say that's 'cause you wrote it :P ........

I just finished editing the follow-up; it should be out in the next few months.
0
 
rj2 (Author) Commented:
ATIG:
OK, so CAS is client access server, huh?
RTFM answers are not very helpful, you know. Furthermore, this forum is about helping people, not insulting them. That someone asks what a CAS server is does not mean that someone does not know anything about Exchange server roles. CAS is not a common three-letter word. When you google for CAS you don't get client access server high in the list.
You did not answer what a proxy server for Exchange is. And you did not answer if I need to buy a valid certificate to get this to work.
You were probably too busy saying RTFM and advertising for your blog.
0
 
Sembee Commented:
This is a very technical forum.
A basic understanding of Exchange is expected, which includes the standard acronyms. Even Microsoft use the acronyms in most of their content - CAS, Hub, Edge, ESM, EMC, EMS. If you are new to Exchange 2007 then getting hold of a book will be of benefit.
If you Google CAS Exchange then it quickly becomes apparent what it is. I agree that CAS on its own will not show you much, but then I wouldn't Google CAS alone because it is too generic.

Also consider that many of the questions asked are asked time and time again. No one likes to repeat themselves, so if the content is written elsewhere then you will be pointed at those.

Finally remember that everyone who answers your questions volunteers - you may have paid for access, but we (Experts) do not get paid to give the answers.

It would appear that you have looked at this from the client side, as the link you have pointed to is on the Office web site. If you look on the Technet site or download the latest help file for Exchange 2007, you will get a lot more information about configuring the server.

While you can use a home-grown certificate, I would not recommend it. You have serious issues with trust. You can now get the preferred SSL certificate solution, a certificate type known as SAN (subject alternative name), also known as UCC (Unified Communications Certificate), for US$60 from GoDaddy. That will allow you to have a certificate that covers the eventualities for the deployment, which are discussed on the blog posting above and in Microsoft's documentation.

Simon.
0
 
ATIG Commented:
An insult was not my intention; however, if you don't have a basic understanding of Exchange 2007 then I would not want you to start manipulating settings when you are not that familiar with the product, because more harm can be done than good.

When you are asking a question related to Exchange 2007, "CAS" is a common term since it's one of the roles a server can hold. And since I recommended an Exchange book, the term I referenced was related to Exchange.

Recommending a book for reference and assistance is a good thing because it can teach you a lot more about the product and has tons of useful information.

The reason I started writing a blog was because I was answering the same questions over and over again, and it's easier to type it up and reference a link than retype. My blog on Autodiscover will come to 20 pages in a Word document; I don't have time to write 20 pages to explain Autodiscover every time I see it come up.

Referencing locations with answers is how things are done!

0
 
rj2 (Author) Commented:
ok, I got access to this book and others through books24x7.com. I might buy a paper copy too.
Books are generally great resources :-)

Status for me now is that the Exchange Server is up and running.
Connecting to exchange server with IE works both inside and outside the firewall. (https://servername/owa)
But connecting to the Exchange server with Outlook only works inside the firewall.
I have configured Outlook according to
http://office.microsoft.com/en-us/outlook/HP101024441033.aspx 
When I run Outlook inside the firewall, read mail and then run netstat, I get the following output:
10.0.0.10 is DC, 10.0.0.11 is Exchange server. I don't see any port 443 here.
Any ideas what could be wrong or what I should read to fix it?

E:\Documents and Settings\testuser>netstat

Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    client1:1102         10.0.0.11:epmap         TIME_WAIT
  TCP    client1:1103         10.0.0.11:1063          TIME_WAIT
  TCP    client1:1104         10.0.0.10:epmap         TIME_WAIT
  TCP    client1:1105         10.0.0.10:1025          ESTABLISHED
  TCP    client1:1107         10.0.0.11:epmap         ESTABLISHED
  TCP    client1:1108         10.0.0.11:1073          ESTABLISHED
  TCP    client1:1110         10.0.0.11:1073          ESTABLISHED
0
 
rj2 (Author) Commented:
I am reading chapter 19 in "Mastering Microsoft Exchange Server 2007" right now, looks good :-)
0
 
rj2 (Author) Commented:
Chapter 19 in the book says "Outlook cannot cope with any SSL certificate prompts.", that is probably the problem for me. I get such a prompt when using IE. I will buy a valid certificate and get back to you.
0
 
rj2 (Author) Commented:
I tried to generate a certificate request file, but I get the error "invalid country code" from both Thawte and RapidSSL when I try to buy a certificate.
The EMS command is shown below, from chapter 20 in "Mastering Exchange Server 2007" (I dropped the ou= part):

New-ExchangeCertificate -GenerateRequest -SubjectName "o=My Company, cn=exchange.mycompany.se" -DomainName exchange, exchange.mycompany.local, autodiscover.mycompany.se -Path c:\CertReq.txt
0
 
rj2 (Author) Commented:
Followed instructions from here: http://www.msexchange.org/articles_tutorials/exchange-server-2007/mobility-client-access/securing-exchange-2007-client-access-server-3rd-party-san-certificate.html
Looks like neither Thawte nor RapidSSL accepted that c= was missing from the subject name.
Thawte also wanted ST=state/province.
0
 
rj2 (Author) Commented:
Will a Thawte SSL123 certificate work with Exchange Server for Outlook Anywhere?
https://www.thawte.com/process/retail/new_ssl123?language=en&productInfo.productType=fssl2

According to http://forums.devshed.com/security-and-cryptography-17/godaddy-ssl-problem-not-trusted-authority-in-ff-328782.html
there might be issues with GoDaddy certificates, or is this fixed now?
0
 
rj2 (Author) Commented:
Sample using GoDaddy certificate here:
https://www.praxishosting.com/
I get certificate error in both IE7 and Firefox
0
 
Sembee Commented:
For the certificate request, use this web page to generate the command:
https://www.digicert.com/easy-csr/exchange2007.htm
Digicert also issue the certificates, but you can use GoDaddy instead. They are just generating the PowerShell line.

I did a quick test and they generated this for my "server" (false information obviously)

New-ExchangeCertificate -GenerateRequest -Path c:\exch-server_domain_com.csr -KeySize 1024 -SubjectName "c=GB, s=State, l=City, o=Domain Inc, ou=IT Services, cn=exch-server.domain.com" -DomainName autodiscover.domain.com, mail.domain.com -PrivateKeyExportable $True

The issues with GoDaddy SSL certificates are quite simple - the users haven't put all of the root and the intermediate certificates in correctly. I too get an error on the URL you have posted, but looking at the certificate path I can see it has been done incorrectly. GoDaddy support will quickly identify this if you contact them.

Simon.
0
 
ATIG Commented:
Now that I am playing catch-up after my travel: did you get a public cert or are you using a private cert?
If the client cannot chain the cert you get the prompts....

0
 
rj2 (Author) Commented:
I was planning on buying a public cert, but I have not bought it yet.
Is it possible to make Outlook Anywhere work with a private cert? If yes, how do I do that?
0
 
ATIG Commented:
Yes..... you just need to load the root cert on the client.

If you set up an MS CA and installed the web component, then you can browse to http://server/certsrv and there will be an option to download the root cert.

Install that on the client and you will be good to go..

Make sure the cert name matches your public URL, i.e. mail.X.y
0
 
rj2 (Author) Commented:
ok, I have received the cert from GoDaddy now and it seems to be working alright.
I can access https://myserver/owa without certificate error with IE from both inside and outside the firewall.
But I still can't make Outlook Anywhere work. I have installed the Windows RPC over HTTP Proxy component and enabled Outlook Anywhere using the Exchange console according to http://technet.microsoft.com/en-us/library/bb123889.aspx.
And I have set up Outlook according to
http://office.microsoft.com/en-us/outlook/HP101024441033.aspx. But when I start Outlook and it asks me for username/password, Outlook never accepts my answer, even though the same credentials work fine with OWA.
Ideas anyone?
0
 
Sembee Commented:
That is usually an authentication mismatch.
Which setting did you put in to Exchange when you configured it for authentication?
If you set it as basic then you need to set basic on the client, if integrated in Exchange then you need to set NTLM in Outlook.

Simon.
0
 
rj2 (Author) Commented:
Hi, I have the same authentication on both Exchange and Outlook. Tried first with NTLM in both places but could not connect outside the firewall. Then tried to change to Basic in both Exchange and Outlook but still can't connect outside the firewall.
Are there any debugging features or logging in Exchange Server or Outlook that can tell me what is going wrong? The Exchange server has the same name both inside and outside the firewall. Inside the firewall I use internal DNS.
When I run netstat I sometimes see a connection on port 443 when I try to set up the new account, but more often I see that Outlook tries to connect on port 135 even though I have ticked "connect using HTTP".
0
 
rj2 (Author) Commented:
http://www.petri.co.il/testing_rpc_over_http_connection.htm also reports that "I found out that for some reason, local area connections to the Exchange server tend to use regular RPC connections (i.e. TCP/IP) rather than RPC over HTTP/S", that is the same that I see.
0
 
rj2 (Author) Commented:
When testing inside the firewall I discovered the following:
The Exchange server is in the internal domain mycompany.local instead of mycompany.com because we wanted to avoid problems if a server had the name mycompany.com but was placed outside our LAN.
The certificate is granted to hostname.mycompany.com.
When configuring Outlook to use HTTPS and pressing "Check Name", hostname.mycompany.com is replaced with hostname.mycompany.local. Outlook 2007 complains about a certificate mismatch when connecting through HTTPS, but from inside the firewall I am able to connect.
In the certificate request I listed hostname.mycompany.local as an alias, but it looks like GoDaddy did not add this to the certificate.
Could this be the issue outside the firewall? What should I do to fix it?
0
 
rj2 (Author) Commented:
I have used the hostname "hostname.mycompany.com" in the Outlook Anywhere configuration; this matches the certificate. I have an internal DNS that resolves hostname.mycompany.com to the internal address 10.x.x.x (we use NAT inside the firewall).
0
 
rj2 (Author) Commented:
Could this be why I can't authenticate from outside the firewall?
What should I do now to make Outlook Anywhere work?
0
 
rj2 (Author) Commented:
When using the hostname "hostname.mycompany.local" as the Exchange server hostname and adding this name to the local hosts file, I was able to connect using HTTPS from outside the firewall, so I guess this was the issue.
But what should I do to make this work both inside and outside the firewall?
It would be a major hassle to have to manually edit the hosts file depending on whether you're inside or outside the firewall.
0
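Pulling together Sembee's CSR advice, the authentication-mismatch point and the internal/external name problem in the last posts, here is an added Exchange Management Shell example (not code from the thread or the book): it requests a SAN certificate that covers every name a client will present and then checks the issued certificate, its chain and the Outlook Anywhere settings against that list. Host names, country, state, organisation and file paths are assumed placeholders; the `ClientAuthenticationMethod`/`ExternalAuthenticationMethod` property name varies between Exchange 2007 RTM and SP1, which is why it is matched with a wildcard.

```powershell
# Added example, not from the thread: one SAN request covering every name
# Outlook, OWA and Autodiscover will present, followed by the checks that
# correspond to the failure modes discussed above. Host names, country and
# state are placeholders for rj2's mycompany.se / mycompany.local setup.

$names = @(
    'mail.mycompany.se',           # external name used in Outlook Anywhere
    'autodiscover.mycompany.se',   # needed for Outlook 2007 Autodiscover
    'exchange.mycompany.local'     # internal FQDN that "Check Name" substitutes
)

# 1. Request: c= and s= are the subject fields Thawte/RapidSSL rejected the
#    earlier request for lacking; every name in $names goes into the SAN list.
New-ExchangeCertificate -GenerateRequest -Path 'C:\CertReq.txt' -KeySize 2048 `
    -SubjectName "c=SE, s=Stockholm, l=Stockholm, o=My Company, cn=$($names[0])" `
    -DomainName $names -PrivateKeyExportable $true

# 2. After the CA returns the certificate and Import-ExchangeCertificate has
#    been run, confirm the IIS-bound certificate actually lists every name
#    (GoDaddy left hostname.mycompany.local out of rj2's certificate).
$cert = Get-ExchangeCertificate | Where-Object { $_.Services -match 'IIS' } |
    Select-Object -First 1
$missing = $names | Where-Object { $cert.CertificateDomains -notcontains $_ }
if ($missing) {
    Write-Warning "Not covered by the IIS certificate: $($missing -join ', ')"
}

# 3. Chain check: a missing intermediate is what produces the certificate
#    prompt Outlook cannot cope with. Export the leaf (public part only) and
#    let certutil fetch and validate the chain the way a client would.
[IO.File]::WriteAllBytes('C:\issued.cer', $cert.Export('Cert'))
certutil -verify -urlfetch 'C:\issued.cer'

# 4. Authentication and host name must match what Outlook is told:
#    Basic <-> Basic or NTLM <-> NTLM, and ExternalHostname must be one of the
#    SAN names. The property is ClientAuthenticationMethod on SP1 and
#    ExternalAuthenticationMethod on RTM, so both are listed via a wildcard.
foreach ($oa in Get-OutlookAnywhere) {
    $oa | Format-List Server, ExternalHostname, *Authentication*, SSLOffloading
    if ($names -notcontains [string]$oa.ExternalHostname) {
        Write-Warning "ExternalHostname $($oa.ExternalHostname) is not in the certificate"
    }
}
```

Run step 1 before buying the certificate and steps 2 to 4 after importing it; each warning points at one of the mismatches the thread ran into.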
Question has a verified solution.