Windows Firewall and Exchange 2003

Anonymous
February 22, 2005 5:01:04 PM

Archived from groups: microsoft.public.windowsxp.security_admin

I support about 75 remote users using XP Pro SP2. They all have Outlook 2003
as their e-mail client. How can I configure Windows Firewall to accept
communications from our Exchange 2003 server?
--
KFTech
Anonymous
February 22, 2005 5:10:30 PM

Depends on how they're connecting.

Since Windows firewall doesn't do outbound filtering, I can't see it
blocking any of the connection types, since they all involve the client
initiating the connection (POP3, IMAP, SMTP, RPC/HTTPS).

With a bit more detail, we should be able to help you.

Matt Gibson - GSEC

"KFTech" <KFTech@discussions.microsoft.com> wrote in message
news:D715B5FE-E710-4405-B4EF-DCF27D5B1B06@microsoft.com...
>I support about 75 remote users using XP Pro SP2. They all have Outlook
>2003
> as their e-mail client. How can I configure Windows Firewall to accept
> communications from our Exchange 2003 server?
> --
> KFTech
Anonymous
February 23, 2005 1:06:33 AM

On Tue, 22 Feb 2005 14:01:04 -0800, KFTech wrote:

> I support about 75 remote users using XP Pro SP2. They all have Outlook 2003
> as their e-mail client. How can I configure Windows Firewall to accept
> communications from our Exchange 2003 server?

SP2 Firewall doesn't block outbound, so it's got to be something else.

I hope you're not using Outlook over the Internet using RPC. If you set up a
PPTP connection for the users and let them VPN into the server they can
securely use Outlook from anywhere and get full access to all features.

Many ISP's block the ports used by Outlook when doing remote connections
to Exchange servers using the Exchange connector - instead of POP/SMTP.


--
spam999free@rrohio.com
remove 999 in order to email me
Anonymous
February 23, 2005 1:06:34 AM

Why not use Outlook over RPC/HTTPS?

Matt Gibson - GSEC

"Leythos" <void@nowhere.lan> wrote in message
news:pan.2005.02.22.22.15.42.647279@nowhere.lan...
> On Tue, 22 Feb 2005 14:01:04 -0800, KFTech wrote:
>
>> I support about 75 remote users using XP Pro SP2. They all have Outlook
>> 2003
>> as their e-mail client. How can I configure Windows Firewall to accept
>> communications from our Exchange 2003 server?
>
> SP2 Firewall doesn't block outbound, so it's got to be something else.
>
> I hope you're not using Outlook over the Internet using RPC. If you set up a
> PPTP connection for the users and let them VPN into the server they can
> securely use Outlook from anywhere and get full access to all features.
>
> Many ISP's block the ports used by Outlook when doing remote connections
> to Exchange servers using the Exchange connector - instead of POP/SMTP.
>
>
> --
> spam999free@rrohio.com
> remove 999 in order to email me
>
Anonymous
February 23, 2005 1:06:34 AM

We are using a VPN client and outbound is fine, the problem is that the users
are not able to download e-mails unless they turn the firewall off then back
on. Not all users experience this problem but a lot of them do.

"Leythos" wrote:

> On Tue, 22 Feb 2005 14:01:04 -0800, KFTech wrote:
>
> > I support about 75 remote users using XP Pro SP2. They all have Outlook 2003
> > as their e-mail client. How can I configure Windows Firewall to accept
> > communications from our Exchange 2003 server?
>
> SP2 Firewall doesn't block outbound, so it's got to be something else.
>
> I hope you're not using Outlook over the Internet using RPC. If you set up a
> PPTP connection for the users and let them VPN into the server they can
> securely use Outlook from anywhere and get full access to all features.
>
> Many ISP's block the ports used by Outlook when doing remote connections
> to Exchange servers using the Exchange connector - instead of POP/SMTP.
>
>
> --
> spam999free@rrohio.com
> remove 999 in order to email me
>
>
Anonymous
February 23, 2005 1:16:48 AM

On Tue, 22 Feb 2005 14:20:35 -0800, Matt Gibson wrote:
>
> Why not use Outlook over RPC/HTTPS?

Because as many people found out about a year ago, ISP's block some of the
ports needed to implement it based on massive outbreaks. It was simple for
people that used proper VPN's to continue working, but the RPC people had
to scramble to find alternative solutions.

I've never seen anyone go wrong with doing it over a VPN, but I've seen
many have problems over RPC.


--
spam999free@rrohio.com
remove 999 in order to email me
Anonymous
February 23, 2005 1:16:49 AM

I think you're quite mistaken.

Outlook over RPC/HTTPS only uses port 443. I'd like to see an ISP that
blocks that.

Matt Gibson - GSEC

"Leythos" <void@nowhere.lan> wrote in message
news:pan.2005.02.22.22.25.58.260544@nowhere.lan...
> On Tue, 22 Feb 2005 14:20:35 -0800, Matt Gibson wrote:
>>
>> Why not use Outlook over RPC/HTTPS?
>
> Because as many people found out about a year ago, ISP's block some of the
> ports needed to implement it based on massive outbreaks. It was simple for
> people that used proper VPN's to continue working, but the RPC people had
> to scramble to find alternative solutions.
>
> I've never seen anyone go wrong with doing it over a VPN, but I've seen
> many have problems over RPC.
>
>
> --
> spam999free@rrohio.com
> remove 999 in order to email me
>
Anonymous
February 23, 2005 1:19:35 AM

On Tue, 22 Feb 2005 14:25:03 -0800, KFTech wrote:

> We are using a VPN client and outbound is fine, the problem is that the users
> are not able to download e-mails unless they turn the firewall off then back
> on. Not all users experience this problem but a lot of them do.

Interesting, I've seen this mentioned a couple of times when the CISCO VPN
client was being used - but I've not seen it when the PPTP VPN client was
used.

So, the problem is actually different than first described - some users
have to disable the firewall and re-enable it when using your VPN client.

What is showing in the server's/appliance's firewall logs?


--
spam999free@rrohio.com
remove 999 in order to email me
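
A client-side counterpart to the log question above, as an added example that is not part of the original thread: with dropped-packet logging enabled in Windows Firewall on an affected laptop, the sketch below reads a `pfirewall.log`-style file and counts packets from the mail server that the client firewall dropped. The sample log, the addresses (10.1.1.10 for the Exchange server, 10.8.0.25 for the VPN client) and the function names are constructed for illustration.

```python
from collections import Counter

# Constructed sample in the layout of a Windows Firewall pfirewall.log.
# 10.1.1.10 stands in for the Exchange server, 10.8.0.25 for a VPN client.
SAMPLE_LOG = """\
#Version: 1.5
#Software: Microsoft Windows Firewall
#Time Format: Local
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info

2005-02-22 14:31:07 OPEN TCP 10.8.0.25 10.1.1.10 1093 135 - - - - - - - -
2005-02-22 14:31:09 DROP UDP 10.1.1.10 10.8.0.25 1047 1101 84 - - - - - - -
2005-02-22 14:31:40 DROP UDP 10.1.1.10 10.8.0.25 1047 1101 84 - - - - - - -
2005-02-22 14:32:02 DROP TCP 192.0.2.77 10.8.0.25 4312 445 48 S 1928374650 0 64240 - - -
2005-02-22 14:33:15 CLOSE TCP 10.8.0.25 10.1.1.10 1093 135 - - - - - - - -
"""


def parse_firewall_log(text):
    """Return one dict per log entry, keyed by the names on the #Fields line."""
    fields, rows = [], []
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("#Fields:"):
            fields = line[len("#Fields:"):].split()
        elif line and not line.startswith("#") and fields:
            values = line.split()
            if len(values) >= 8:  # need every column up to dst-port
                rows.append(dict(zip(fields, values)))
    return rows


def drops_from_host(rows, server_ip):
    """Count DROP entries sent by server_ip, grouped by (protocol, dst-port)."""
    hits = Counter()
    for row in rows:
        if row.get("action") == "DROP" and row.get("src-ip") == server_ip:
            hits[(row["protocol"], row["dst-port"])] += 1
    return hits


if __name__ == "__main__":
    entries = parse_firewall_log(SAMPLE_LOG)
    for (proto, port), count in sorted(drops_from_host(entries, "10.1.1.10").items()):
        print(f"{count} dropped {proto} packet(s) from the server to local port {port}")
```

Any non-zero count here means the client firewall discarded traffic the server sent to the laptop, which separates inbound drops from the outbound connections the earlier replies discuss.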
Anonymous
February 23, 2005 1:43:30 AM

On Tue, 22 Feb 2005 14:38:03 -0800, Matt Gibson wrote:

> I think you're quite mistaken.
>
> Outlook over RPC/HTTPS only uses port 443. I'd like to see an ISP that
> blocks that.

It could be that over HTTPS is a viable option - I've not tried that
method as we've always used VPN's and they've always worked.

I can remember people trying RPC over HTTP and it not working, so I
assumed that it would be the same over HTTPS. I have no problem being
wrong if I am - thanks for letting me know.


--
spam999free@rrohio.com
remove 999 in order to email me
Anonymous
February 23, 2005 1:43:31 AM

No worries.

I've got 2 clients using RPC/HTTPS for their outside sales guys, and so far
haven't run up against any issues. I feel it's more secure than most VPN
setups, as if their machine is infected with what have you, I don't have to
worry about terminating their VPN in a DMZ to prevent my network from
getting infected.

Matt Gibson - GSEC

"Leythos" <void@nowhere.lan> wrote in message
news:pan.2005.02.22.22.46.37.909842@nowhere.lan...
> On Tue, 22 Feb 2005 14:38:03 -0800, Matt Gibson wrote:
>
>> I think you're quite mistaken.
>>
>> Outlook over RPC/HTTPS only uses port 443. I'd like to see an ISP that
>> blocks that.
>
> It could be that over HTTPS is a viable option - I've not tried that
> method as we've always used VPN's and they've always worked.
>
> I can remember people trying RPC over HTTP and it not working, so I
> assumed that it would be the same over HTTPS. I have no problem being
> wrong if I am - thanks for letting me know.
>
>
> --
> spam999free@rrohio.com
> remove 999 in order to email me
>
Anonymous
February 23, 2005 1:51:35 AM

On Tue, 22 Feb 2005 14:48:50 -0800, Matt Gibson wrote:

> No worries.
>
> I've got 2 clients using RPC/HTTPS for their outside sales guys, and so far
> haven't run up against any issues. I feel it's more secure than most VPN
> setups, as if their machine is infected with what have you, I don't have to
> worry about terminating their VPN in a DMZ to prevent my network from
> getting infected.

That would be a good option, but don't they need access to files too?

Every office we install wants access to the servers, not just their email.
We setup the laptops with them as user level accounts, force FireFox on
them and use a corporate level AV product that the users can't control. So
far we've not had one compromised system.

I'll take a spare E2003 server this weekend and test RPC/HTTPs and see how
it works for us - thanks for the idea.


--
spam999free@rrohio.com
remove 999 in order to email me
Anonymous
February 23, 2005 1:51:36 AM

For these guys, they usually stay pretty separate from head office in terms
of files.

If I "needed" to do VPN, I'd probably stuff a Fortigate in, so I wouldn't
worry so much about the tunnels back to HO.

You should like RPC/HTTPS...I'm always surprised just how well it works.

Matt Gibson - GSEC

"Leythos" <void@nowhere.lan> wrote in message
news:pan.2005.02.22.22.55.53.920302@nowhere.lan...
> On Tue, 22 Feb 2005 14:48:50 -0800, Matt Gibson wrote:
>
>> No worries.
>>
>> I've got 2 clients using RPC/HTTPS for their outside sales guys, and so
>> far
>> haven't run up against any issues. I feel it's more secure than most VPN
>> setups, as if their machine is infected with what have you, I don't have
>> to
>> worry about terminating their VPN in a DMZ to prevent my network from
>> getting infected.
>
> That would be a good option, but don't they need access to files too?
>
> Every office we install wants access to the servers, not just their email.
> We setup the laptops with them as user level accounts, force FireFox on
> them and use a corporate level AV product that the users can't control. So
> far we've not had one compromised system.
>
> I'll take a spare E2003 server this weekend and test RPC/HTTPs and see how
> it works for us - thanks for the idea.
>
>
> --
> spam999free@rrohio.com
> remove 999 in order to email me
>