Exchange 2003, OWA, Active Directory, CA Ports 2

Status
Not open for further replies.

loyalist (MIS) | Jun 25, 2003 | 69 | CA
Hi there,

Currently configuring Exchange 2003 and need to have OWA access through a PIX firewall to an Exchange server sitting on the DMZ. Users will also have to authenticate to a domain controller on the inside network. What ports do I need to open on the outside interface other than DNS, SMTP and 443? Don't I need to open ports for authentication as well? Also, what ports need to be opened between the Exchange server and the domain controller? Installing a CA on the domain controller for secure HTTP on the Exchange server; what ports need to be opened for the CA?

Finding a lot of conflicting information; just wondering if anybody knows the correct combination of allowed ports.

Here is an example of my access lists so far for these services:

access-list acl_outside permit tcp any host x.x.x.x eq 443
access-list acl_outside permit tcp any host x.x.x.x eq domain
access-list acl_outside permit udp any host x.x.x.x eq domain
access-list acl_outside permit tcp any host x.x.x.x eq smtp


access-list dmz permit tcp host 10.100.75.5 host 10.100.50.5 eq 135
access-list dmz permit tcp host 10.100.75.5 host 10.100.50.5 eq 139
access-list dmz permit udp host 10.100.75.5 host 10.100.50.5 eq 137
access-list dmz permit udp host 10.100.75.5 host 10.100.50.5 eq 138
access-list dmz permit tcp host 10.100.75.5 host 10.100.50.5 eq 445
access-list dmz permit udp host 10.100.75.5 host 10.100.50.5 eq 389
access-list dmz permit tcp host 10.100.75.5 host 10.100.50.5 eq 636
access-list dmz permit tcp host 10.100.75.5 host 10.100.50.5 eq domain
access-list dmz permit udp host 10.100.75.5 host 10.100.50.5 eq domain
access-list dmz permit tcp host 10.100.75.5 host 10.100.50.5 eq smtp
access-list dmz permit tcp host 10.100.75.5 host 10.100.50.5 eq 119
access-list dmz permit tcp host 10.100.75.5 host 10.100.50.5 eq 110
access-list dmz permit tcp host 10.100.75.5 host 10.100.50.5 eq 995
access-list dmz permit tcp host 10.100.75.5 host 10.100.50.5 eq 143
access-list dmz permit tcp host 10.100.75.5 host 10.100.50.5 eq 993
access-list dmz permit tcp host 10.100.75.5 host 10.100.50.5 eq www
access-list dmz permit tcp host 10.100.75.5 host 10.100.50.5 eq 443
access-list dmz permit udp host 10.100.75.5 host 10.100.50.5 eq 88
access-list dmz permit tcp host 10.100.75.5 host 10.100.50.5 eq 464
access-list dmz permit udp host 10.100.75.5 host 10.100.50.5 eq 500
access-list dmz permit tcp host 10.100.75.5 host 10.100.50.5 eq 593
access-list dmz permit udp host 10.100.75.5 host 10.100.50.5 eq 1645
access-list dmz permit udp host 10.100.75.5 host 10.100.50.5 eq 1646
access-list dmz permit udp host 10.100.75.5 host 10.100.50.5 eq 1701
access-list dmz permit tcp host 10.100.75.5 host 10.100.50.5 eq 1723
access-list dmz permit udp host 10.100.75.5 host 10.100.50.5 eq 1812
access-list dmz permit udp host 10.100.75.5 host 10.100.50.5 eq 1813
access-list dmz permit tcp host 10.100.75.5 host 10.100.50.5 eq 3268
access-list dmz permit tcp host 10.100.75.5 host 10.100.50.5 eq 3269
access-list dmz permit tcp host 10.100.75.5 host 10.100.50.5 eq 3389
access-list dmz permit tcp host 10.100.75.5 host 10.100.50.5 gt 1023
access-list dmz permit tcp host 10.100.75.5 any eq smtp
access-list dmz permit tcp host 10.100.75.5 any eq 443
access-list dmz permit udp host 10.100.75.5 any eq domain
access-list dmz permit tcp host 10.100.75.5 any eq domain

Pretty sure I don't need to allow all the ports I have specified so far; however, I am wondering which ones I really need and any that I have missed. Can someone please help me straighten this mess out?

Thanks,

Loyalist
 
HI.

> What ports do I need to open on outside interface other than dns, smtp and 443
You should not allow inbound DNS traffic to your Exchange server.

> Don't I need to open ports for authentication as well?
No, the server authenticates on behalf of the remote client, which in turn authenticates to IIS.

> Also what ports need to be opened between exchange server and domain controller?
Well, that's the main issue here. There are some docs specific to that on the MSKB site and even on the Cisco PIX site.

> Installing CA on domain controller for secure http on exchange server, what ports need to be opened for CA?
None as far as I know.
Some CA-related ports are optional (for example port 80).
It depends on the method you use to request and enroll certificates, and to query the CRL.
You can also choose to configure the Exchange server as a subordinate CA/RA server.

> Finding alot of conflicting information, just wondering if anybody knows the correct combination of allowed ports
I agree - there isn't a single answer...
I think that the best way is to install the Exchange server in its own domain, with no access to the internal network.
It requires managing duplicate user accounts (on Exchange and for the internal network), but is more secure.
What do you think?
If not good for you, then you can configure Exchange server as a domain controller in its own site, and allow only SMTP traffic between sites for directory replication.

> Can someone please help me straighten this mess out?
Some tips:

The "show access-list" command on the PIX will show you "hitcnt" = hit count. An unhit rule is a candidate for removal, and vice versa.

Use syslog messages to see what's going on.

Bye


Yizhar Hurwitz
 
Thanks Yizhar, I appreciate someone finally replying to the post. Installing the Exchange server as a standalone is no longer an option; it's done and it's on the domain. Been a long week. Right now I am permitting all IP between the Exchange server and the domain controller (Exchange is not connected to the Internet at this time) just for testing the initial Exchange setup. Have been running port scans between the 2 boxes to try and nail down what ports I need open between the 2 for Active Directory. I have mapped the dynamic RPC port on the domain controller to 5252.

BTW, Saroden's post was very helpful with regard to basic mail configuration:


Unfortunately his scenario is a front-end/back-end one, so the domain controller talks Active Directory with the Exchange server on the inside and not through the firewall.

If you don't mind, I am going to post what I have come up with so far with regard to my access lists, and hopefully you or someone else can offer some advice. I am not too worried about what I have to allow in terms of access to the Exchange server from either outside or inside; it's the Active Directory ports that are driving me nuts! Mainly what has to be opened and in what direction.

Also have decided to put a DNS server on the Exchange server to act as a forwarder and secondary DNS for my primary, which is sitting inside on the domain controller. This way I only have to allow DNS in and out once.

Here's my access lists broken down into the necessary components:


external access into mailserver/forwarding dns server(outside to dmz)

access-list outside_in permit tcp any host xxx.xxx.xxx.xxx eq smtp
access-list outside_in permit tcp any host xxx.xxx.xxx.xxx eq 443
access-list outside_in permit tcp any host xxx.xxx.xxx.xxx eq domain
access-list outside_in permit udp any host xxx.xxx.xxx.xxx eq domain


mail server(dmz) to outside

access-list dmz permit tcp host 10.100.75.5 any eq smtp
access-list dmz permit tcp host 10.100.75.5 any eq domain
access-list dmz permit udp host 10.100.75.5 any eq domain


mail server(dmz) to domain controller(inside)

access-list dmz permit tcp host 10.100.75.5 host 10.100.50.5 eq domain
access-list dmz permit udp host 10.100.75.5 host 10.100.50.5 eq domain
access-list dmz permit tcp host 10.100.75.5 host 10.100.50.5 eq 88(kerberos)
access-list dmz permit udp host 10.100.75.5 host 10.100.50.5 eq 88(kerberos)
access-list dmz permit tcp host 10.100.75.5 host 10.100.50.5 eq 135(rpc endpoint mapper)
access-list dmz permit udp host 10.100.75.5 host 10.100.50.5 eq 135(rpc endpoint mapper)
access-list dmz permit tcp host 10.100.75.5 host 10.100.50.5 eq 389(ldap)
access-list dmz permit udp host 10.100.75.5 host 10.100.50.5 eq 389(ldap)
access-list dmz permit tcp host 10.100.75.5 host 10.100.50.5 eq 445(smb)
access-list dmz permit udp host 10.100.75.5 host 10.100.50.5 eq 445(smb)
access-list dmz permit tcp host 10.100.75.5 host 10.100.50.5 eq 3268(ldap to global catalog)
access-list dmz permit tcp host 10.100.75.5 host 10.100.50.5 eq 5252(endpoint map)
access-list dmz permit udp host 10.100.75.5 host 10.100.50.5 eq 5252(endpoint map)
access-list dmz permit tcp host 10.100.75.5 host 10.100.50.5 eq 139(netbios session)
access-list dmz permit tcp host 10.100.75.5 host 10.100.50.5 eq 464(kerberos password change)
access-list dmz permit tcp host 10.100.75.5 host 10.100.50.5 eq 593(HTTP RPC Ep Map)
access-list dmz permit tcp host 10.100.75.5 host 10.100.50.5 eq 636(ldap ssl)
access-list dmz permit tcp host 10.100.75.5 host 10.100.50.5 eq 3269(ldap to global catalog ssl)


mail server(dmz) to inside hosts(inside)

access-list dmz permit tcp host 10.100.75.5 10.100.50.0 255.255.255.0 eq smtp
access-list dmz permit tcp host 10.100.75.5 10.100.100.0 255.255.255.0 eq smtp
access-list dmz permit tcp host 10.100.75.5 10.100.50.0 255.255.255.0 eq 143(imap)???
access-list dmz permit tcp host 10.100.75.5 10.100.100.0 255.255.255.0 eq 143(imap)???
access-list dmz permit tcp host 10.100.75.5 10.100.50.0 255.255.255.0 eq 993(imap ssl)???
access-list dmz permit tcp host 10.100.75.5 10.100.100.0 255.255.255.0 eq 993(imap ssl)???
access-list dmz permit tcp host 10.100.75.5 10.100.50.0 255.255.255.0 eq 110(pop3)????
access-list dmz permit tcp host 10.100.75.5 10.100.100.0 255.255.255.0 eq 110(pop3)????
access-list dmz permit tcp host 10.100.75.5 10.100.50.0 255.255.255.0 eq 995(pop3 ssl)????
access-list dmz permit tcp host 10.100.75.5 10.100.100.0 255.255.255.0 eq 995(pop3 ssl)????



domain controller(inside) to mailserver(dmz)

access-list inside permit tcp host 10.100.50.5 host 10.100.75.5 eq smtp
access-list inside permit tcp host 10.100.50.5 host 10.100.75.5 eq 443
access-list inside permit tcp host 10.100.50.5 host 10.100.75.5 eq 88(kerberos)
access-list inside permit udp host 10.100.50.5 host 10.100.75.5 eq 88(kerberos)
access-list inside permit tcp host 10.100.50.5 host 10.100.75.5 eq 135(rpc endpoint mapper)
access-list inside permit udp host 10.100.50.5 host 10.100.75.5 eq 135(rpc endpoint mapper)
access-list inside permit tcp host 10.100.50.5 host 10.100.75.5 eq 445(smb)
access-list inside permit udp host 10.100.50.5 host 10.100.75.5 eq 445(smb)
access-list inside permit tcp host 10.100.50.5 host 10.100.75.5 eq 139(netbios session)
access-list inside permit tcp host 10.100.50.5 host 10.100.75.5 eq 593(HTTP RPC Ep Map)
access-list inside permit tcp host 10.100.50.5 host 10.100.75.5 eq 691(MS Exchange Routing)???? [Keep seeing this port open on all scans]
access-list inside permit tcp host 10.100.50.5 host 10.100.75.5 eq 3389




inside networks to mail server

access-list inside permit tcp 10.100.50.0 255.255.255.0 host 10.100.75.5 eq smtp
access-list inside permit tcp 10.100.100.0 255.255.255.0 host 10.100.75.5 eq smtp
access-list inside permit tcp 10.100.50.0 255.255.255.0 host 10.100.75.5 eq 443
access-list inside permit tcp 10.100.100.0 255.255.255.0 host 10.100.75.5 eq 443
access-list inside permit tcp 10.100.50.0 255.255.255.0 host 10.100.75.5 eq 143(imap)
access-list inside permit tcp 10.100.100.0 255.255.255.0 host 10.100.75.5 eq 143(imap)
access-list inside permit tcp 10.100.50.0 255.255.255.0 host 10.100.75.5 eq 993(imap ssl)????
access-list inside permit tcp 10.100.100.0 255.255.255.0 host 10.100.75.5 eq 993(imap ssl)????
access-list inside permit tcp 10.100.50.0 255.255.255.0 host 10.100.75.5 eq 110(pop3)????
access-list inside permit tcp 10.100.100.0 255.255.255.0 host 10.100.75.5 eq 110(pop3)????
access-list inside permit tcp 10.100.50.0 255.255.255.0 host 10.100.75.5 eq 995(pop3 ssl)????
access-list inside permit tcp 10.100.100.0 255.255.255.0 host 10.100.75.5 eq 995(pop3 ssl)????


inside to anywhere

access-list inside deny tcp host 10.100.50.5 any eq www
access-list inside deny tcp 10.100.50.0 255.255.255.0 host 10.100.75.5 eq www
access-list inside deny tcp 10.100.100.0 255.255.255.0 host 10.100.75.5 eq www
access-list inside permit tcp 10.100.50.0 255.255.255.0 any eq www
access-list inside permit tcp 10.100.100.0 255.255.255.0 any eq www
access-list inside permit tcp 10.100.50.0 255.255.255.0 any eq 443
access-list inside permit tcp 10.100.100.0 255.255.255.0 any eq 443
access-list inside permit tcp 10.100.50.0 255.255.255.0 any eq 22
access-list inside permit tcp 10.100.100.0 255.255.255.0 any eq 22
access-list inside permit tcp host 10.100.50.62 host 10.100.75.5 eq 3389
access-list inside permit tcp host 10.100.50.50 host 10.100.75.5 eq 3389
access-list inside deny ip any any

Any and all advice is greatly appreciated.

Thanks,

Loyalist
 
HI.

> If not good for you, then you can configure Exchange server as a domain controller in its own site, and allow only SMTP traffic between sites for directory replication
What about the above idea? Is it applicable?

Regarding your config:

* Without the "static" and other translations related commands, I cannot see the whole picture.

> access-list outside_in permit tcp any host xxx.xxx.xxx.xxx eq domain
> access-list outside_in permit udp any host xxx.xxx.xxx.xxx eq domain
What for? Are you hosting the public DNS domains on the same servers as the internal ones? Do you want Internet users to have access to your private DNS servers???

> mail server(dmz) to inside hosts(inside)
> access-list dmz permit tcp ...
What for?
The inside hosts access the mail server, not the other way around.
(With one exception, which is new mail notification for MS Outlook clients - Q305572)

> inside to anywhere
> access-list inside deny tcp host 10.100.50.5 any eq www
Isn't the above rule blocking legitimate traffic, like MS "Automatic Updates"?

In general, I think that you should go towards a simpler config with fewer rules.

Bye


Yizhar Hurwitz
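The two pieces of advice above (check "hitcnt" in "show access-list" and drop unhit rules; question the inbound DNS rules, the DMZ-to-inside client-port rules, and a catch-all like "gt 1023") can be applied mechanically. The script below is an added example, not code from this thread or from Cisco: it parses a constructed sample of PIX 6.x "show access-list" output (the rules mirror the ones posted, but the hit counts and the 203.0.113.10 public address are invented) and reports the rules a reviewer would look at first. The "line N" token that PIX 7 / ASA print is tolerated. The mail server address is a parameter, defaulting to the thread's 10.100.75.5.

```python
"""Audit a PIX 'show access-list' dump for unused and over-broad rules.

Added example; assumes the PIX 6.x output format (one ACE per line with
'(hitcnt=N)' appended). PIX 7 / ASA 'line N' tokens are tolerated.
The sample dump and its hit counts below are constructed, not real data.
"""
import re
from dataclasses import dataclass

ACE_RE = re.compile(
    r"^access-list\s+(?P<acl>\S+)\s+(?:line\s+\d+\s+)?(?P<action>permit|deny)\s+"
    r"(?P<proto>\S+)\s+(?P<rest>.+?)\s*\(hitcnt=(?P<hits>\d+)\)\s*$"
)

# Constructed sample: rules modelled on the thread, hit counts invented.
SAMPLE_SHOW_ACL = """\
access-list outside_in permit tcp any host 203.0.113.10 eq smtp (hitcnt=1412)
access-list outside_in permit tcp any host 203.0.113.10 eq 443 (hitcnt=388)
access-list outside_in permit tcp any host 203.0.113.10 eq domain (hitcnt=0)
access-list outside_in permit udp any host 203.0.113.10 eq domain (hitcnt=97)
access-list dmz permit tcp host 10.100.75.5 host 10.100.50.5 eq 88 (hitcnt=52)
access-list dmz permit udp host 10.100.75.5 host 10.100.50.5 eq 88 (hitcnt=0)
access-list dmz permit tcp host 10.100.75.5 host 10.100.50.5 eq 135 (hitcnt=211)
access-list dmz permit tcp host 10.100.75.5 host 10.100.50.5 eq 389 (hitcnt=903)
access-list dmz permit tcp host 10.100.75.5 host 10.100.50.5 eq 3268 (hitcnt=455)
access-list dmz permit tcp host 10.100.75.5 host 10.100.50.5 eq 5252 (hitcnt=198)
access-list dmz permit tcp host 10.100.75.5 host 10.100.50.5 gt 1023 (hitcnt=6)
access-list dmz permit tcp host 10.100.75.5 10.100.50.0 255.255.255.0 eq 143 (hitcnt=0)
access-list inside line 1 permit tcp host 10.100.50.5 host 10.100.75.5 eq smtp (hitcnt=3)
"""


@dataclass
class Ace:
    acl: str
    action: str
    proto: str
    src: str    # "any", "host A.B.C.D" or "A.B.C.D MASK"
    dst: str
    port: str   # "eq 135", "gt 1023", ... or "" when there is no port qualifier
    hits: int


def _take_addr(tokens):
    """Consume one address spec from the token list; return (spec, remaining tokens)."""
    if tokens[0] == "any":
        return "any", tokens[1:]
    if tokens[0] == "host":
        return f"host {tokens[1]}", tokens[2:]
    return f"{tokens[0]} {tokens[1]}", tokens[2:]


def parse_ace(line):
    """Parse one 'show access-list' line into an Ace, or None if it is not an ACE."""
    m = ACE_RE.match(line.strip())
    if not m:
        return None
    tokens = m["rest"].split()
    src, tokens = _take_addr(tokens)
    dst, tokens = _take_addr(tokens)
    return Ace(m["acl"], m["action"], m["proto"], src, dst, " ".join(tokens), int(m["hits"]))


def audit(show_output, mail_server="host 10.100.75.5"):
    """Return [(ace, reason), ...] for permit rules that deserve a second look."""
    findings = []
    for line in show_output.splitlines():
        ace = parse_ace(line)
        if ace is None or ace.action != "permit":
            continue
        if ace.hits == 0:
            findings.append((ace, "never hit: candidate for removal"))
        if ace.port.split(" ")[0] in ("gt", "lt", "range", "neq"):
            findings.append((ace, "port range instead of a single port"))
        if ace.src == "any" and ace.port in ("eq domain", "eq 53"):
            findings.append((ace, "DNS open to the whole Internet"))
        if ace.src == mail_server and ace.dst != "any" and not ace.dst.startswith("host "):
            findings.append((ace, "mail server initiating to a client subnet; clients connect to it, not the reverse"))
    return findings


if __name__ == "__main__":
    for ace, why in audit(SAMPLE_SHOW_ACL):
        print(f"{ace.acl}: {ace.proto} {ace.src} -> {ace.dst} {ace.port} (hits={ace.hits}): {why}")
```

Feed it the saved output of "show access-list" from the PIX. A zero hit count only means something after the rule set has seen representative traffic (a full business cycle, including the Outlook clients and any overnight jobs), so run the audit before removing anything, and clear the counters (or note them) at the start of the observation window.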
 
Why not put your exchange server on the internal network, and then put a SMTP relay box on the DMZ?

BuckWeet
 
Thanks Yizhar & Buckweet. I don't see how the site option would improve the situation; either way, as long as the PIX sits between any servers, I have to allow Active Directory traffic to pass through, and that's where the headaches begin. The statics I am using are for 2 internal subnets, 10.100.50.0 & 10.100.100.0, to allow them untranslated access into the DMZ for mail only. The only box I am translating on the outside is the Exchange server. You are right about the DNS statements; don't need them. Thought I would need the SMTP statements so users could download and save mail to personal folders or home directories. Just don't like the idea of the domain controller having Internet access.

You are correct when you say that this has gotten very complicated; however, I don't see any way around it other than having another server to use as a front end, which I don't have at this time but may have in the future.

What if I moved the mail server inside? I know this isn't the best scenario security-wise, but I would only be allowing HTTPS and SMTP in, and it would avoid all the Active Directory headaches and certainly cut down the overhead on my PIX in terms of rules. I would need to convince management that this is a better solution short term, and it may prompt them to buy me another box sooner rather than later.

Buckweet, I assume this is what you are referring to. I am not familiar with SMTP relay servers; however, would it be similar to a front-end/back-end scenario or more like a proxy server?
 
Pretty much a proxy server.

Any mail coming in or out of your network will get relayed through the box on the DMZ. Then you only permit SMTP traffic to and from that SMTP relay and the internal Exchange box. For the SMTP relay you could set up a Linux box so you don't have to pay licensing fees. Make sure that you secure the relay so that it's not open to the world for people to bounce email off of.


BuckWeet
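The last point in the reply above, that the DMZ relay must not be an open relay, is something to verify rather than assume. The script below is an added example, not code from this thread or from any mail product: it performs the same probe a relay-abuse scanner does (outside sender to outside recipient, then read the reply to RCPT TO) using the standard library's smtplib, which handles multi-line EHLO replies. To make it runnable offline it also contains a constructed toy relay on loopback that only accepts recipients in its local domains; the hostnames, domains and addresses are assumptions. Point rcpt_code/is_open_relay at the real relay's DMZ address instead.

```python
"""Open-relay probe for an SMTP relay, run here against a constructed toy relay.

Added example. The toy server stands in for the DMZ relay so the probe runs
offline; the domains and addresses are invented for the example.
"""
import smtplib
import socket
import threading


def _handle(conn, local_domains):
    """Toy relay (constructed): 250 to RCPT only for local_domains, 550 otherwise."""
    rf = conn.makefile("rb")

    def reply(text):
        conn.sendall((text + "\r\n").encode())

    reply("220 relay.example.com ESMTP toy")
    while True:
        raw = rf.readline()
        if not raw:
            break
        line = raw.decode(errors="replace").rstrip("\r\n")
        verb = line.split(" ", 1)[0].upper()
        if verb in ("HELO", "EHLO"):
            reply("250 relay.example.com")
        elif verb == "MAIL":
            reply("250 OK")
        elif verb == "RCPT":
            addr = line.split(":", 1)[1].strip().strip("<>")
            domain = addr.rsplit("@", 1)[-1].lower()
            reply("250 OK" if domain in local_domains else "550 5.7.1 Relaying denied")
        elif verb == "QUIT":
            reply("221 Bye")
            break
        else:
            reply("250 OK")  # RSET, NOOP and anything else the probe might send
    conn.close()


def start_toy_relay(local_domains):
    """Listen on an ephemeral loopback port in a daemon thread; return (host, port)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)

    def loop():
        while True:
            conn, _ = srv.accept()
            try:
                _handle(conn, local_domains)
            except OSError:
                conn.close()

    threading.Thread(target=loop, daemon=True).start()
    return srv.getsockname()


def rcpt_code(host, port, sender, recipient, timeout=5):
    """Return the reply code the relay gives to RCPT TO for this sender/recipient pair."""
    with smtplib.SMTP(host, port, local_hostname="scanner.invalid", timeout=timeout) as s:
        s.ehlo()
        s.mail(sender)
        code, _ = s.rcpt(recipient)
        return code


def is_open_relay(host, port):
    """True if an outside sender may relay to an outside recipient (2xx to RCPT TO)."""
    code = rcpt_code(host, port, "probe@scanner.invalid", "victim@elsewhere.test")
    return 200 <= code < 300


if __name__ == "__main__":
    host, port = start_toy_relay({"example.com"})
    print("open relay:", is_open_relay(host, port))
    print("local recipient:", rcpt_code(host, port, "probe@scanner.invalid", "bob@example.com"))
```

Some relays accept every RCPT TO and only reject at DATA or bounce later, so a 250 here is a strong signal but a 550 is not a full clearance; repeat the probe with the sender set to one of your own domains as well, since a relay that trusts any sender claiming a local domain is just as abusable from the Internet.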
 
HI.

> What if I moved the mail server inside, I know this isn't the best scenario security wise...

This is an option.
Many small/medium organizations work that way, which isn't the most secure but is easier to implement...

> but I would only be allowing in https and smtp ...
HTTPS is your main concern. You can purchase an ISA Server to act as a reverse proxy and publish your OWA site.
You can also do it with a "free" Linux box.

How many users in the company?
How many users will need email access from outside?
Is OWA a must?
You can consider limiting access to OWA using VPN, virtual HTTP / virtual telnet, or other methods, so that some kind of pre-authentication is required before allowing access to OWA from the Internet (no matter whether the OWA server is in the DMZ or inside).


Yizhar Hurwitz
 
