
“Secure” your Exchange Server on the Internet for $100


I know the security folks are going to tear into me for this, partly because I use the word Secure, and partly because it is not truly secure. Also, this is not an article for my larger Exchange customers. If you have more than a couple of hundred people, this solution will probably be meaningless to you. Having said that, let me share with you some ideas on how you can install Exchange 2000 and AD and let your users connect from the Internet with their MAPI client as well as OWA.

First, I want to talk about MAPI for a minute. As much as I fought against the inclusion of MAPI in newer releases of Exchange, I am beginning to like MAPI more and more these days. For one, it is rich in features: offline access, delegation, additional address books and especially the rules and the ability to drag and drop items from the desktop are all valid reasons to keep using the protocol. Another feature is security. Have you ever looked at a MAPI or RPC packet with a protocol analyzer? There is not much to look at, and you have to be very clever in order to reassemble the packets and try to piece something together. Even clever sneaks would rather wait for unencrypted HTML traffic to open and read. HTML traffic is far more interesting anyway: what you are buying, what you are researching, etc.

So here is the problem: MAPI access uses dynamic TCP ports. Moreover, directory access and additional components of Exchange and AD will also be assigned dynamic ports.

Configure the Network Sharing Device/Firewall

First, buy yourself a network sharing device like the Linksys Cable/DSL sharing switch. I have used this one and prefer it since you can specify any internal IP range. The Belkin and some others require a 192.168.x.x internal addressing. This is not a critical issue, just a preference of mine. The most important thing to remember is that you will need at least one static IP address from your DSL provider in order to provide consistent access to the users and to allow internal SMTP traffic to reach your server. Configure this static IP address on your network sharing device and configure the internet port as well. I prefer a 10.10.10.x to use internally, but the device you purchase may dictate a different IP structure.

Configure the Server

Install Windows 2000 Server with SP2. Also, install Terminal Server, DNS Server, DHCP Server and SMTP and NNTP (from the IIS settings). You only need one network card on the server; assign it an internal IP address. I like to use 10.10.10.2-10 for my servers at home. Set the DNS settings on the network interface to point to the local server. In other words, if your server is 10.10.10.2, set the DNS and WINS settings to 10.10.10.2. After things are running, open the DNS Server settings and set your DNS server to forward to the DNS servers provided by your Internet Service Provider. After you have all the settings in place, test connectivity to the Internet. Once you have the server running and connected to the Internet (for browsing), connect to http://windowsupdate.microsoft.com and download the latest updates.

Run DC Promo and configure the domain with a DNS name that is different from the actual domain you will use. For example, if you are company.com, create the AD and DNS for company.net. Make the NetBIOS name of the domain the name of the company, such as ProExchange. Rename the administrator account to something else and change the password. Make sure the guest account is disabled. Create an account named Exchange and give it domain and enterprise permissions. Now, use the DNS Admin settings to manually create a standard DNS zone for the true domain for your company. This is what will be used by the outside world. Add a www entry, an entry named email, and an MX record with a cost of 10 pointing to email.company.com (or whatever the name). These entries should all point to the static IP address you assigned to the Network Sharing Device (the IP address your ISP assigned to you).
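The DNS steps from the two sections above (forwarders to the ISP, a standard primary zone for the public domain, the www and email host records and the MX record), pulled together as an added example. This is not code from the original article; it uses dnscmd.exe, the command-line DNS management tool that ships with Windows Server, and then checks the result with nslookup. The zone name, the public IP and the ISP resolver addresses are constructed placeholders, and the script assumes it is run on the DNS server itself with administrative rights.

```powershell
# Added example, not part of the original article. All names and addresses
# below are constructed placeholders; replace them with your own values.

$ExternalZone  = 'company.com'                      # the "true" public domain
$PublicIp      = '203.0.113.10'                     # static IP the ISP gave the sharing device
$IspForwarders = @('198.51.100.1', '198.51.100.2')  # ISP DNS servers to forward to
$DnsServer     = 'localhost'                        # run on the DNS server itself

# 1. Anything this server is not authoritative for goes to the ISP's resolvers.
#    (PowerShell expands the array into separate arguments for dnscmd.)
& dnscmd $DnsServer /ResetForwarders $IspForwarders

# 2. Standard primary zone for the public domain, separate from the AD domain
#    (company.net in the article), so the outside world only ever sees this zone.
& dnscmd $DnsServer /ZoneAdd $ExternalZone /Primary /file "$ExternalZone.dns"

# 3. Host records and the MX record (preference 10), all resolving to the
#    public IP of the network sharing device.
& dnscmd $DnsServer /RecordAdd $ExternalZone 'www'   A  $PublicIp
& dnscmd $DnsServer /RecordAdd $ExternalZone 'email' A  $PublicIp
& dnscmd $DnsServer /RecordAdd $ExternalZone '@'     MX 10 "email.$ExternalZone."

# 4. Verify against the local server. Each host name must answer with the
#    public IP, and the MX target must itself be resolvable, otherwise
#    remote mail servers cannot deliver to you.
foreach ($name in 'www', 'email') {
    $answer = (& nslookup "$name.$ExternalZone" $DnsServer 2>$null) -join "`n"
    if ($answer -notmatch [regex]::Escape($PublicIp)) {
        Write-Warning "$name.$ExternalZone does not resolve to $PublicIp"
    } else {
        Write-Host "OK: $name.$ExternalZone -> $PublicIp"
    }
}

$mxAnswer = (& nslookup -type=MX $ExternalZone $DnsServer 2>$null) -join "`n"
if ($mxAnswer -notmatch "email\.$([regex]::Escape($ExternalZone))") {
    Write-Warning "MX record for $ExternalZone does not point at email.$ExternalZone"
} else {
    Write-Host "OK: MX for $ExternalZone -> email.$ExternalZone (preference 10)"
}
```

The verification step is the part worth keeping around: after any change to the sharing device or the ISP-assigned address, re-running it confirms that the public names still point at the address the outside world can reach, which is what both OWA users and inbound SMTP depend on.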


Disclaimer: Your use of the information contained in these pages is at your sole risk. All information on these pages is provided "as is", without any warranty, whether express or implied, of its accuracy, completeness, fitness for a particular purpose, title or non-infringement, and none of the third-party products or information mentioned in the work are authored, recommended, supported or guaranteed by Stephen Bryant or Pro Exchange. OutlookExchange.Com, Stephen Bryant and Pro Exchange shall not be liable for any damages you may sustain by using this information, whether direct, indirect, special, incidental or consequential, even if it has been advised of the possibility of such damages.

Copyright Stephen Bryant 2008