SMTP Port 25 Blocking - Possible solutions?

I have multiple users of our Exchange email system that work from their home office and on the road.  These users are currently set up to use POP/SMTP protocols for sending and receiving.  We have a big issue in regards to ISPs blocking port 25 for SMTP sending.  Because of the high volume of traveling, these users are constantly going through different ISPs (airports, hotels, home, cafes, etc.).  We've come up with two main ideas for solutions, and I was looking to see if anyone had any pros and cons or suggestions.
Our 2 ideas are:

Set up RPC over HTTP for external Exchange protocol use - Issue here is we do not currently have a front-end server set up, but we do have multiple Exchange servers

-or-

Open a new port for SMTP send - We do see any extra open ports as a security risk.  Also considering opening ports for SSL or TLS.

Any suggestions would be greatly appreciated.
Thanks,
JJ
JamesonJendreas Asked:
 
simsjrg Commented:
I would have to say the most secure solution would be to have the users connect via VPN to a server or appliance. This way you don't need to open any additional ports, and communication between the end user and the Exchange server is encrypted. This is how I have my clients set up who have road warriors. They fire up their Cisco VPN Client or Cisco AnyConnect VPN Client and connect back to the office to hit their network resources. For people who work from home I have gone a step further and placed a smaller device (Cisco ASA 5505) at their house. I set up one port to tunnel back to the office securely for the employee to use, and the rest just route out to the internet for their other family members to use, who should not have access to our network. I enabled port-security on that port so that no other device can be used on that port (unless they spoof the MAC). Kind of got carried away... sorry about that...
 
Hypercat (Deb) Commented:
How about having them use Outlook Web Access instead of the Outlook client?
 
JamesonJendreas (Author) Commented:
Thanks for the two suggestions. Both are avenues we have used in the past (or are using currently). As for VPN, we do currently have a VPN set up with our firewall (SonicWall), and some users are using this to connect and send via SMTP. There are a few reasons why we want to leave this, mostly that users don't 'like' having to jump on the VPN just to send emails (being on constantly slows traffic down for them considerably).  I was going to set it up so that Outlook knows to dial the connection for sending only, but we have a large number of Mac users, for which I cannot find a setting to do this (some use Mac Mail, some Entourage).  It's been mentioned by management to me that this is not a viable solution, as we want a seamless, easy-to-use system (this isn't my decision; I thought a VPN would be the best bet).

As for OWA, many are currently using this, but since we have Outlook 2007 and use calendars and other functions quite often, we want our users using Outlook if at all possible.

Thanks for the suggestions.
JJ
 
Mestha Commented:
RPC over HTTPS is the only solution that I would use here for Outlook clients. You don't need ISA or a front-end server.
However, if you have multiple Exchange servers you really should have a front-end server. Once you get past one back-end server I consider a front-end server to be almost mandatory.

For Entourage, a VPN is probably about the only solution that will work reliably. You could look at using SMTP on the TLS port of 495. That port shouldn't be blocked, but a VPN is going to be the only 100% reliable solution.

-M
 
JamesonJendreas (Author) Commented:
Hm, I was under the impression a front end was needed to run RPC over HTTP.  Regardless, I think we are going to set one up (we may be migrating to Exchange 2008, as 2 servers are licensed for it, and an edge server may be in the mix).
 
Mestha Commented:
Edge is just for SMTP traffic, nothing else.
Microsoft's documentation does seem to give people the impression that a front-end server is required. However, if you have multiple servers then each server would need a unique IP address, host name and SSL certificate to use RPC over HTTPS. A front-end server would provide you with a single point of entry for all of the servers.

-M
 
JamesonJendreas (Author) Commented:
I just recall that when setting up our newest Exchange server a year ago, we attempted to set up RPC over HTTP, and it wouldn't let us without it being a front end (and I very well could be, and probably am, wrong).  Anyway, I will use this information when deciding on our final solution with my boss (tomorrow).
 
JamesonJendreas (Author) Commented:
FYI - The Edge comment had more to do with the fact that we might have a front-end server, as Edge is required to be a front end (as far as I know), not that an Edge would necessarily fix this issue.
 
JamesonJendreas (Author) Commented:
Yep, no need for a front end, but it does sound like the best bet.  From the MS deployment scenario documentation:

"It is recommended that your RPC proxy server is an Exchange front-end server. The RPC over HTTP Proxy networking component extracts the RPC requests from the HTTP request and forwards the RPC requests to the appropriate server. The advantage of this approach is that only the RPC proxy server has to allow access from the Internet. Back-end Exchange servers do not have to allow access from the Internet. You should use the Secure Sockets Layer (SSL) to establish the HTTP session that you use to access Exchange Server over the Internet from an Outlook 2003 client."
 
Mestha Commented:
Edge is not a front-end server. It is for SMTP traffic and is designed to go in a DMZ.

The equivalent of an Exchange 2003 front-end server in Exchange 2007 is a CAS server. A CAS can also hold the Hub Transport role, which can receive SMTP traffic as well. Therefore, if you have two servers with Exchange 2007 licenses, you could build one as a CAS/Hub and have that in front of any existing Exchange 2003 servers, plus any additional Exchange 2007 mailbox servers.

That would provide you with a seamless transition.

-M
 
rid Commented:
Opening up a "new" port for an already existing service (SMTP) can't possibly add to the risks. The robustness and resilience against attack should be there in the service, no matter how (through which port) you access it. Adding a path through your firewall, from a non-standard port (like 587 or whatever), to port 25 on your SMTP server, could be a good idea. Assuming, of course, that you use SMTP-AUTH and/or other security measures, and that the SMTP server is mature enough to be hardened against whatever common attacks are performed against SMTP servers.

An "open port" in itself is not dangerous, it's the business of the answering service to fend off attacks. If port 25 is already open, your SMTP server knows all about this by now...
/RID
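The alternate-port approach that Mestha and rid describe (a submission port the ISPs don't filter, with SMTP-AUTH only over a TLS-protected session) is easy to get wrong on the client side if Mail/Entourage is allowed to send credentials before TLS is up. The script below is an added example written for this thread, not code from any participant: it probes which of 25, 587 and 465 are reachable from the road warrior's current network and only authenticates once the channel is encrypted and the server advertises AUTH. The host name mail.example.com and the EHLO reply in SAMPLE_EHLO are constructed assumptions; replace them with your own server.

```python
"""Road-warrior SMTP submission check (added example, not from the thread).

Probes which SMTP ports on the mail server are reachable from the current
network (an ISP that blocks 25 usually still passes 587 or 465), then
refuses to hand over credentials unless the chosen port gives an encrypted
channel (implicit TLS on 465, or STARTTLS negotiated on 25/587) and the
server advertises AUTH.
"""
import smtplib
import socket
import ssl
import sys

# Hypothetical server and candidate ports (assumption: replace with yours).
MAIL_HOST = "mail.example.com"
CANDIDATE_PORTS = (587, 465, 25)   # preference: submission, SMTPS, plain SMTP

# Constructed EHLO reply of the kind a server on 587 might return; used only
# to exercise the parser offline.
SAMPLE_EHLO = (
    "250-mail.example.com Hello [203.0.113.5]\n"
    "250-SIZE 10485760\n"
    "250-STARTTLS\n"
    "250-AUTH LOGIN PLAIN\n"
    "250 OK\n"
)


def parse_ehlo(ehlo_text):
    """Turn a raw multi-line EHLO reply into {EXTENSION: [params]}.

    The first 250 line is the server greeting and is skipped; anything other
    than an all-250 reply yields {} (no usable capabilities).
    """
    lines = [ln.strip() for ln in ehlo_text.splitlines() if ln.strip()]
    if not lines or not all(ln.startswith("250") for ln in lines):
        return {}
    caps = {}
    for ln in lines[1:]:
        parts = ln[4:].split()       # drop the "250-" / "250 " prefix
        if parts:
            caps[parts[0].upper()] = parts[1:]
    return caps


def submission_plan(port, caps):
    """Decide whether credentials may be sent on this port.

    'implicit-tls' for 465, 'starttls' when the server offers STARTTLS,
    otherwise 'refuse' (cleartext only: never send AUTH here).
    """
    if port == 465:
        return "implicit-tls"
    if "STARTTLS" in caps:
        return "starttls"
    return "refuse"


def tcp_reachable(host, port, timeout=5.0):
    """True if a TCP connection to host:port succeeds within timeout."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def pick_port(reachability, preferred=CANDIDATE_PORTS):
    """First reachable port in preference order, or None if all are blocked."""
    for port in preferred:
        if reachability.get(port):
            return port
    return None


def submit(host, port, user, password, sender, recipient, message):
    """Connect on the chosen port, enforce TLS and AUTH, send one message."""
    ctx = ssl.create_default_context()          # verifies the server certificate
    if port == 465:
        server = smtplib.SMTP_SSL(host, port, context=ctx, timeout=15)
        server.ehlo()
    else:
        server = smtplib.SMTP(host, port, timeout=15)
        server.ehlo()
        # smtplib stores EHLO extensions lowercase; normalise for submission_plan.
        caps = {k.upper(): v.split() for k, v in server.esmtp_features.items()}
        if submission_plan(port, caps) != "starttls":
            server.quit()
            raise RuntimeError(f"port {port} offers no STARTTLS; not authenticating in cleartext")
        server.starttls(context=ctx)
        server.ehlo()                            # capabilities can change after TLS
    if not server.has_extn("auth"):
        server.quit()
        raise RuntimeError(f"port {port} does not advertise AUTH")
    server.login(user, password)
    server.sendmail(sender, [recipient], message)
    server.quit()


if __name__ == "__main__":
    host = sys.argv[1] if len(sys.argv) > 1 else MAIL_HOST
    reach = {p: tcp_reachable(host, p) for p in CANDIDATE_PORTS}
    for p in CANDIDATE_PORTS:
        print(f"{host}:{p} {'reachable' if reach[p] else 'BLOCKED'}")
    print("would use port:", pick_port(reach))
    print("sample EHLO on 587 ->", submission_plan(587, parse_ehlo(SAMPLE_EHLO)))
```

Run it from the hotel or airport network with the server name as the argument to see which ports the ISP actually passes; on the firewall side this pairs with rid's suggestion of forwarding 587 to the Exchange server's port 25, provided that listener requires AUTH and offers STARTTLS.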