Microsoft Exchange (Building Internet Firewalls, 2nd Edition)

16.4. Microsoft Exchange

Microsoft Exchange is perhaps best known as a mail server, but it also provides a number of other services, including news, calendar maintenance, contact management, and document exchange.

Both Exchange client-server conversations and the Exchange Administrator use Microsoft RPC, which is discussed in Chapter 14, "Intermediary Protocols". In addition, depending on how it is configured, Exchange may use SMTP, POP, IMAP, NNTP, LDAP, X.400, and/or LDAP over SSL. SMTP, POP, IMAP, X.400 over TCP/IP and NNTP are discussed in this chapter; LDAP and LDAP over SSL are discussed in Chapter 19, "Real-Time Conferencing Services".

Microsoft RPC is difficult to safely allow through a firewall using any technology because it involves connections at arbitrary ports and embedded IP addresses. It is difficult to secure with packet filtering and requires protocol-aware proxies or network address translation systems, which are not widely available. Therefore, you should avoid trying to support Exchange through a firewall using Microsoft RPC.

Almost all of the other protocols that Exchange supports are quite easy to allow through a firewall. Using them instead will impose three kinds of restrictions:

You will not be able to use the Exchange Administrator.
Server-to-server transactions (other than straightforward mail transfer) will have reduced performance.
Clients will have mail service but will not have access to all Exchange features.

You can also configure Exchange to provide an HTTP interface to the calendar management features so that clients can use a web browser for scheduling. This is slower than using Exchange's native protocols.

Exchange servers that are speaking to other servers can do all Exchange operations without using Microsoft RPC, using what are called Connectors that embed operations in other protocols. You can therefore make server-to-server connections over SMTP without losing functionality, although there will be some performance penalty.

Because Exchange is a large and complicated system, it's relatively risky to allow access from the Internet to an Exchange server, even if you use the more controllable options. If you need to support remote users from anywhere on the Internet, attempt to limit them to mail reading, preferably using IMAP over SSL. If you provide HTTP access, restrict it to a limited range of source addresses.

Administering Exchange is an extremely complex topic, and we cannot do it justice here. You may want to consult a book on Exchange administration (for instance, Managing Microsoft Exchange Server, by Paul Robichaux, O'Reilly & Associates, 1999).

16.4.1. Summary of Recommendations for Microsoft Exchange

Do not run Exchange on a bastion host. Instead use a dedicated SMTP server and forward the mail to your internal Exchange server.

Do not use Microsoft RPC through a firewall. If a local Exchange server needs to communicate to a remote server via the Internet, use SMTP and forward the mail through your bastion host.

If clients need to use full Exchange functionality, consider setting up an Exchange server where they can reach it without crossing a firewall and using server-to-server connectors over SMTP to cross the firewall.


16.3. Other Mail Transfer Protocols		16.5. Lotus Notes and Domino