Solved

Exchange server 2007 setup question, which ports

Posted on 2007-11-21
29
1,697 Views
Last Modified: 2008-03-10
I'm new to Exchange Server 2007.
Is it safe to allow access using "Exchange Server" access method in Outlook (not pop3) from the Internet?
Which ports need to be open for this to work?
Question by:rj2
29 Comments
 
LVL 104

Accepted Solution

by:
Sembee earned 125 total points
ID: 20327242
The only secure way is to use Outlook Anywhere. That runs over port 443. Any other method will almost certainly NOT work, as the ports are blocked by most ISPs.

Simon.
0
 
LVL 22

Assisted Solution

by:ATIG
ATIG earned 125 total points
ID: 20327515
For remote access to your Exchange server via Outlook, Outlook Anywhere (formerly RPC over HTTPS) would be your access method of choice.

All you need to deploy this would be a valid SSL certificate and port 443 (HTTPS) open.

1. The configuration is as simple as installing the RPC proxy service on the CAS server
2. Install the certificate
3. Enable OL Anywhere

If you will be using OL 2007 then you also need to read my blog on Autodiscover, which is a wonderful feature to assist with OL configuration.
0
 
LVL 10

Author Comment

by:rj2
ID: 20327639
What is a CAS server?

I found some information about Outlook Anywhere here: http://office.microsoft.com/en-us/outlook/HP101024441033.aspx

This link mentions "proxy server for Exchange". What is that?
Do I need to buy a valid certificate to get this to work, or can I use a self-signed certificate?
0
 
LVL 22

Expert Comment

by:ATIG
ID: 20328876
Oh my.... if you are not familiar with the Exchange 2007 roles, then I HIGHLY recommend you go out and purchase Mastering Exchange 2007 first (http://www.amazon.com/Mastering-Microsoft-Exchange-Server-2007/dp/0470042893) before you work on the server.
0
 
LVL 104

Expert Comment

by:Sembee
ID: 20329140
The Outlook Anywhere section of that book is very good... *

Simon

* Disclaimer - I wrote that chapter.
0
 
LVL 22

Expert Comment

by:ATIG
ID: 20329172
hehe... I was gonna say that's because you wrote it :P ........

I just finished editing the follow-up; it should be out in the next few months.
0
 
LVL 10

Author Comment

by:rj2
ID: 20329994
ATIG:
OK, so CAS is client access server, huh?
RTFM answers are not very helpful, you know. Furthermore, this forum is about helping people, not insulting them. That someone asks what a CAS server is does not mean that someone does not know anything about Exchange server roles. CAS is not a common three-letter word. When you google for CAS you don't get client access server high in the list.
You did not answer what a proxy server for Exchange is. And you did not answer if I need to buy a valid certificate to get this to work.
You were probably too busy saying RTFM and advertising for your blog.
0
 
LVL 104

Expert Comment

by:Sembee
ID: 20330205
This is a very technical forum.
A basic understanding of Exchange is expected, which includes the standard acronyms. Even Microsoft use the acronyms in most of their content - CAS, Hub, Edge, ESM, EMC, EMS. If you are new to Exchange 2007 then getting hold of a book will be of benefit.
If you Google CAS Exchange then it quickly becomes apparent what it is. I agree that CAS on its own will not show you much, but then I wouldn't Google CAS alone because it is too generic.

Also consider that many of the questions asked are asked time and time again. No one likes to repeat themselves, so if the content is written elsewhere then you will be pointed at those.

Finally remember that everyone who answers your questions volunteers - you may have paid for access, but we (Experts) do not get paid to give the answers.

It would appear that you have looked at this from the client side, as the link you have pointed to is on the Office web site. If you look on the Technet site or download the latest help file for Exchange 2007, you will get a lot more information about configuring the server.

While you can use a home grown certificate, I would not recommend it. You have serious issues with trust. You can now get the preferred SSL certificate solution, a certificate type known as SAN (subject alternative name) also known as UCC - Unified Communications Certificate - for US$60 from GoDaddy. That will allow you to have a certificate that covers the eventualities for the deployment, which are discussed on the blog posting above, and in Microsoft's documentation.

Simon.
0
 
LVL 22

Expert Comment

by:ATIG
ID: 20331035
An insult was not my intention; however, if you don't have a basic understanding of Exchange 2007 then I would not want you to start manipulating settings when you are not that familiar with the product, because more harm can be done than good.

When you are asking a question related to Exchange 2007, "CAS" is a common term since it's one of the roles a server can hold. And since I recommended an Exchange book, the term I referenced was related to Exchange.

Recommending a book for reference and assistance is a good thing because it can teach you a lot more about the product and has tons of useful information.

The reason I started writing a blog was because I was answering the same questions over and over again, and it's easier to type it up and reference a link than retype. My blog on Autodiscover will come to 20 pages in a Word document; I don't have time to write 20 pages to explain Autodiscover every time I see it come up.

Referencing locations with answers is how things are done!



0
 
LVL 10

Author Comment

by:rj2
ID: 20333309
OK, I got access to this book and others through books24x7.com. I might buy a paper copy too.
Books are generally great resources :-)

Status for me now is that the Exchange server is up and running.
Connecting to the Exchange server with IE works both inside and outside the firewall (https://servername/owa).
But connecting to the Exchange server with Outlook only works inside the firewall.
I have configured Outlook according to
http://office.microsoft.com/en-us/outlook/HP101024441033.aspx
When I run Outlook inside the firewall, read mail and then run netstat, I get the following output.
10.0.0.10 is the DC, 10.0.0.11 is the Exchange server. I don't see any port 443 here.
Any ideas what could be wrong or what I should read to fix it?

E:\Documents and Settings\testuser>netstat

Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    client1:1102         10.0.0.11:epmap         TIME_WAIT
  TCP    client1:1103         10.0.0.11:1063          TIME_WAIT
  TCP    client1:1104         10.0.0.10:epmap         TIME_WAIT
  TCP    client1:1105         10.0.0.10:1025          ESTABLISHED
  TCP    client1:1107         10.0.0.11:epmap         ESTABLISHED
  TCP    client1:1108         10.0.0.11:1073          ESTABLISHED
  TCP    client1:1110         10.0.0.11:1073          ESTABLISHED
0
 
LVL 10

Author Comment

by:rj2
ID: 20333335
I am reading chapter 19 in "Mastering Microsoft Exchange Server 2007" right now, looks good :-)
0
 
LVL 10

Author Comment

by:rj2
ID: 20333362
Chapter 19 in the book says "Outlook cannot cope with any SSL certificate prompts.", that is probably the problem for me. I get such a prompt when using IE. I will buy a valid certificate and get back to you.
0
 
LVL 10

Author Comment

by:rj2
ID: 20335533
I tried to generate a certificate request file, but I get the error "invalid country code" from both Thawte and RapidSSL when I try to buy a certificate.
The EMS command is shown below, from chapter 20 in "Mastering Exchange Server 2007" (I dropped the ou= part):

New-ExchangeCertificate -GenerateRequest -SubjectName "o=My Company, cn=exchange.mycompany.se" -DomainName exchange, exchange.mycompany.local, autodiscover.mycompany.se -Path c:\CertReq.txt
0
 
LVL 10

Author Comment

by:rj2
ID: 20335627
Followed instructions from here: http://www.msexchange.org/articles_tutorials/exchange-server-2007/mobility-client-access/securing-exchange-2007-client-access-server-3rd-party-san-certificate.html
Looks like neither Thawte nor RapidSSL accepted that c= was missing from the subject name.
Thawte also wanted ST=state/province.
0
 
LVL 10

Author Comment

by:rj2
ID: 20335656
Will a Thawte SSL123 certificate work with Exchange server for Outlook Anywhere?
https://www.thawte.com/process/retail/new_ssl123?language=en&productInfo.productType=fssl2

According to http://forums.devshed.com/security-and-cryptography-17/godaddy-ssl-problem-not-trusted-authority-in-ff-328782.html
there might be issues with GoDaddy certificates, or is this fixed now?
0
 
LVL 10

Author Comment

by:rj2
ID: 20335669
Sample using GoDaddy certificate here:
https://www.praxishosting.com/
I get a certificate error in both IE7 and Firefox.
0
 
LVL 104

Expert Comment

by:Sembee
ID: 20335822
For the certificate request, use this web page to generate the command:
https://www.digicert.com/easy-csr/exchange2007.htm
Digicert also issue the certificates, but you can use GoDaddy instead. They are just generating the PowerShell line.

I did a quick test and they generated this for my "server" (false information obviously)

New-ExchangeCertificate -GenerateRequest -Path c:\exch-server_domain_com.csr -KeySize 1024 -SubjectName "c=GB, s=State, l=City, o=Domain Inc, ou=IT Services, cn=exch-server.domain.com" -DomainName autodiscover.domain.com, mail.domain.com -PrivateKeyExportable $True

The issues with GoDaddy SSL certificates are quite simple - the users haven't put all of the root and the intermediate certificates in correctly. I too get an error on the URL you have posted, but looking at the certificate path I can see it has been done incorrectly. GoDaddy support will quickly identify this if you contact them.

Simon.
0
 
LVL 22

Expert Comment

by:ATIG
ID: 20336813
Now that I am playing catch-up after my travel: did you get a public cert, or are you using a private cert?
If the client cannot chain the cert, you get the prompts....

0
 
LVL 10

Author Comment

by:rj2
ID: 20337865
I was planning on buying a public cert, but I have not bought it yet.
Is it possible to make Outlook Anywhere work with a private cert? If yes, how do I do that?
0
 
LVL 22

Expert Comment

by:ATIG
ID: 20339289
Yes..... you just need to load the root cert on the client.

If you set up an MS CA and installed the web component, then you can browse to http://server/certsrv and there will be an option to download the root cert.

Install that on the client and you will be good to go..

Make sure the cert name matches your public URL, i.e. mail.X.y
0
 
LVL 10

Author Comment

by:rj2
ID: 20353253
OK, I have received the cert from GoDaddy now and it seems to be working alright.
I can access https://myserver/owa without a certificate error with IE from both inside and outside the firewall.
But I still can't make Outlook Anywhere work. I have installed the Windows RPC over HTTP Proxy component and enabled Outlook Anywhere using the Exchange console according to http://technet.microsoft.com/en-us/library/bb123889.aspx.
And I have set up Outlook according to
http://office.microsoft.com/en-us/outlook/HP101024441033.aspx. But when I start Outlook and it asks me for username/password, Outlook never accepts my answer, even though using the same credentials with OWA works fine.
Ideas anyone?
0
 
LVL 104

Expert Comment

by:Sembee
ID: 20354179
That is usually an authentication mismatch.
Which setting did you put in to Exchange when you configured it for authentication?
If you set it as basic then you need to set basic on the client, if integrated in Exchange then you need to set NTLM in Outlook.

Simon.
0
 
LVL 10

Author Comment

by:rj2
ID: 20363957
Hi, I have the same authentication on both Exchange and Outlook. I tried first with NTLM in both places but could not connect outside the firewall. Then I tried to change to Basic in both Exchange and Outlook but still can't connect outside the firewall.
Are there any debugging features or logging in Exchange server or Outlook that can tell me what is going wrong? The Exchange server has the same name both inside and outside the firewall. Inside the firewall I use internal DNS.
When I run netstat I sometimes see a connection on port 443 when I try to set up the new account, but more often I see that Outlook tries to connect on port 135 even though I have ticked "connect using HTTP".
0
 
LVL 10

Author Comment

by:rj2
ID: 20363972
http://www.petri.co.il/testing_rpc_over_http_connection.htm also reports that "I found out that for some reason, local area connections to the Exchange server tend to use regular RPC connections (i.e. TCP/IP) rather than RPC over HTTP/S"; that is the same thing I see.
0
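The netstat output rj2 posted earlier and the observation above (LAN clients use direct RPC rather than RPC over HTTPS), as an added PowerShell example that is not from the thread: it classifies each connection to the Exchange server as direct MAPI/RPC (endpoint mapper 135 plus dynamic ports) or Outlook Anywhere (443). It assumes 10.0.0.11 is the Exchange server, as rj2 stated, and the sample lines are the ones from the thread.

```powershell
# Added example, not from the thread: classify a client's connections to the Exchange
# server as direct MAPI/RPC (endpoint mapper 135 + dynamic ports) or RPC over HTTPS (443).
$ExchangeHost = '10.0.0.11'   # assumption: the Exchange server address from rj2's post

# netstat prints well-known ports by name; resolve the ones that matter here.
$PortNames = @{ 'epmap' = 135; 'https' = 443; 'http' = 80 }

function ConvertTo-PortNumber([string]$Text) {
    if ($PortNames.ContainsKey($Text)) { return [int]$PortNames[$Text] }
    return [int]$Text
}

function Get-OutlookTransport([string[]]$NetstatLines, [string]$Server) {
    $summary = @{ DirectRpc = 0; RpcOverHttps = 0; Other = 0 }
    foreach ($line in $NetstatLines) {
        # e.g. "  TCP    client1:1102         10.0.0.11:epmap         TIME_WAIT"
        if ($line -match '^\s*TCP\s+\S+\s+(?<host>[^:\s]+):(?<port>\S+)\s+\S+') {
            if ($Matches['host'] -ne $Server) { continue }
            $port = ConvertTo-PortNumber $Matches['port']
            if ($port -eq 443) { $summary.RpcOverHttps += 1 }
            elseif ($port -eq 135 -or $port -ge 1024) { $summary.DirectRpc += 1 }  # endpoint mapper + dynamic RPC ports
            else { $summary.Other += 1 }
        }
    }
    return $summary
}

# Constructed sample: the netstat output posted in the thread.
$sample = @'
  Proto  Local Address          Foreign Address        State
  TCP    client1:1102         10.0.0.11:epmap         TIME_WAIT
  TCP    client1:1103         10.0.0.11:1063          TIME_WAIT
  TCP    client1:1104         10.0.0.10:epmap         TIME_WAIT
  TCP    client1:1105         10.0.0.10:1025          ESTABLISHED
  TCP    client1:1107         10.0.0.11:epmap         ESTABLISHED
  TCP    client1:1108         10.0.0.11:1073          ESTABLISHED
  TCP    client1:1110         10.0.0.11:1073          ESTABLISHED
'@ -split "`r?`n"

$result = Get-OutlookTransport -NetstatLines $sample -Server $ExchangeHost
"Direct RPC: $($result.DirectRpc)   RPC over HTTPS: $($result.RpcOverHttps)   Other: $($result.Other)"
if ($result.RpcOverHttps -eq 0 -and $result.DirectRpc -gt 0) {
    "Outlook reaches $ExchangeHost over direct RPC, not Outlook Anywhere. That is normal on the LAN;"
    "from the Internet only TCP 443 should be reachable, so the RPC ports stay closed on the firewall."
}
```

For the sample above the script counts five direct RPC connections and no HTTPS connection to 10.0.0.11, which is exactly what rj2 saw on the LAN.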
 
LVL 10

Author Comment

by:rj2
ID: 20373490
When testing inside firewall I discovered the following:
The Exchange server is in the internal domain mycompany.local instead of mycompany.com because we wanted to avoid problems if a server had the name mycompany.com but was placed outside our LAN.
The certificate is granted to hostname.mycompany.com.
When configuring Outlook to use https and pressing "Check name" hostname.mycompany.com is replaced with hostname.mycompany.local. Outlook 2007 complains about certificate mismatch when connecting through https, but from inside firewall I am able to connect.
In the certificate request I listed hostname.mycompany.local as alias but looks like GoDaddy did not add this to the certificate.
Could this be issue outside the firewall? What should I do to fix it?
0
 
LVL 10

Author Comment

by:rj2
ID: 20373531
I have used the hostname "hostname.mycompany.com" in the Outlook Anywhere configuration; this matches the certificate. I have an internal DNS that resolves hostname.mycompany.com to the internal address 10.x.x.x (we use NAT inside the firewall).
0
 
LVL 10

Author Comment

by:rj2
ID: 20373601
Could this be why I can't authenticate from outside the firewall?
What should I do now to make Outlook Anywhere work?
0
 
LVL 10

Author Comment

by:rj2
ID: 20373821
When using the hostname "hostname.mycompany.local" as the Exchange server hostname and adding this name to the local hosts file, I was able to connect using HTTPS from outside the firewall, so I guess this was the issue.
But what should I do to make this work both inside and outside the firewall?
It would be a major hassle to have to manually edit the hosts file depending on whether you're inside or outside the firewall.
0
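The certificate-request problem from earlier in the thread and the .local/.com name mismatch above, as an added Exchange Management Shell example that is not from the thread or from Microsoft's documentation: it requests a SAN certificate listing every name Outlook can see, checks the issued certificate really covers them before binding it to IIS, and points Outlook Anywhere at the name that is in the certificate. The names, country and CAS server are placeholders, and the Enable-OutlookAnywhere parameters are those of Exchange 2007 RTM.

```powershell
# Added example, not from the thread: SAN certificate covering internal and external
# names, verified before it is enabled for IIS, then Outlook Anywhere set to match it.
$ExternalName = 'hostname.mycompany.com'     # placeholder: name in the public certificate
$InternalName = 'hostname.mycompany.local'   # placeholder: FQDN Outlook's "Check Name" substitutes
$Autodiscover = 'autodiscover.mycompany.com' # placeholder
$CasServer    = 'hostname'                   # placeholder: CAS server name

# 1. Request. c= and s= must be present; Thawte/RapidSSL reject the request without them.
New-ExchangeCertificate -GenerateRequest `
    -SubjectName "c=SE, s=Stockholm, l=Stockholm, o=My Company, cn=$ExternalName" `
    -DomainName $ExternalName, $Autodiscover, $InternalName `
    -PrivateKeyExportable $true -Path C:\CertReq.txt

# 2. After the CA returns the certificate, import it but do not enable it yet.
$cert = Import-ExchangeCertificate -Path C:\hostname.mycompany.com.cer

# 3. Verify the SAN list; a public CA may silently drop the .local name (as happened here).
$covered = @($cert.CertificateDomains | ForEach-Object { "$_" })
$missing = @($ExternalName, $Autodiscover, $InternalName) | Where-Object { $covered -notcontains $_ }
if ($missing) {
    Write-Warning "Certificate does not cover: $($missing -join ', '). Outlook will prompt or fail on those names."
} else {
    Enable-ExchangeCertificate -Thumbprint $cert.Thumbprint -Services IIS
}

# 4. Outlook Anywhere must advertise a name that is in the certificate, and the client
#    authentication method must match what Outlook is set to (Basic here).
#    Exchange 2007 SP1 renames -ExternalAuthenticationMethod to -ClientAuthenticationMethod.
Enable-OutlookAnywhere -Server $CasServer -ExternalHostname $ExternalName `
    -ExternalAuthenticationMethod Basic -SSLOffloading $false

# 5. Confirm what clients are told and which certificate IIS presents.
Get-OutlookAnywhere | Format-List ServerName, ExternalHostname
Get-ExchangeCertificate -DomainName $ExternalName | Format-List Thumbprint, CertificateDomains, Services
```

If the public CA will not include the internal name, the remaining options are to have internal Outlook clients connect directly (they fall back to RPC on the LAN anyway, as noted above) or to use an internal CA certificate for the .local name with its root installed on the clients, as ATIG described.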
 
LVL 10

Author Comment

by:rj2
ID: 20374645
0