Tech Note: 006 Exchange 2000 & Active Directory Services: Information and Setup

Applies to: SmartGate 4.1.2 and later.
Last updated: June 5th, 2001.

SUMMARY

Setting up your SmartGate server and SmartPass clients to secure and transfer traffic for Exchange 2000 servers using Active Directory Services.

INSTRUCTIONS

Two scenarios are covered. In the first, the client machine(s) will NOT be logged into the domain when accessing the Exchange server; in the second, the client machines will be logged into the domain. This has been tested with SmartGate 4.1.1/4.1.2 and SmartPass 4.1.2. Links to the referenced articles and screenshots showing the creation of ACLs are included at the end of the document.

NOTE: It is recommended that all users who will be accessing the Exchange server be made members of a group on the SmartGate server. This will ease administration. This group will be referred to as "ExchangeUsers" in this document.

Scenario 1: Client machine not logged into domain

The client has no interaction with the Active Directory in this scenario, as it will not be authenticated. Two options are available: using wildcard ACLs, or defining static ports on the Exchange server via Registry edits.

Option 1 (wildcards)

a. If the Exchange server can be resolved locally by DNS:

b. If the Exchange server cannot be resolved locally by DNS:

This is all that is necessary to secure communications between the mail client and the Exchange server. However, this method allows traffic to any port on the Exchange server, and may not be the most desirable.

Option 2 (static ports)

NOTE: This option requires editing the Registry on the Exchange server. Improper editing of the registry can cause system failure; it is recommended that you record any settings before modifying them and update your ERD (Emergency Repair Disk) before performing the edits.

1. Open regedit on the Exchange 2000 server. Navigate to the following key:

   HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\MSExchangeSA\Parameters

   Create a new value, type DWORD, called "TCP/IP port". Assign it a value of 2000, making sure that "Decimal" is selected on the right. Create another new value, type DWORD, called "TCP/IP NSPI port". Assign it a value of 2001, making sure that "Decimal" is selected on the right.

2. Navigate to the following key:

   HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\MSExchangeIS\ParametersSystem

   Create a new value, type DWORD, called "TCP/IP port". Assign it a value of 2002, making sure that "Decimal" is selected on the right. Close regedit, and reboot the server.

a. If the Exchange server can be resolved locally by DNS:

b. If the Exchange server cannot be resolved locally by DNS:
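The three static-port registry values from Option 2, written as a .reg file that can be imported with regedit instead of being typed by hand. This is an added example, not part of the original tech note; the same values serve the static-port options of both scenarios. Note that .reg files store DWORD data in hexadecimal, so decimal 2000, 2001 and 2002 appear as 7d0, 7d1 and 7d2; typing 2000 with "Hexadecimal" selected in regedit would instead set port 8192, which is the pitfall the "Decimal" reminder in the steps guards against.

```reg
Windows Registry Editor Version 5.00

; System Attendant (directory referral and NSPI/address book) endpoints.
; dword values are hexadecimal: 0x7d0 = 2000, 0x7d1 = 2001
[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\MSExchangeSA\Parameters]
"TCP/IP port"=dword:000007d0
"TCP/IP NSPI port"=dword:000007d1

; Information Store (mailbox access) endpoint. 0x7d2 = 2002
[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\MSExchangeIS\ParametersSystem]
"TCP/IP port"=dword:000007d2
```

After the reboot, `netstat -an` on the Exchange server should show TCP listeners on 2000, 2001 and 2002; confirm this before restricting the SmartGate ACLs to those ports so that clients are not locked out by a mistyped value.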
Scenario 2: Client machine is logged into the domain

This scenario is broken down into two parts. Part one is needed when using a non-Active Directory-aware (non-AD aware) mail client (Outlook Express, Outlook 97/98, MS Mail, etc.). Part two is needed when using an Active Directory-aware (AD-aware) mail client, such as Outlook 2000 and Outlook XP. If your environment includes a mix of non-AD and AD-aware mail clients, follow the instructions in Part two. Name resolution is not an issue when logged into an AD domain, so all references to the Exchange server will be via NetBIOS name.

Part 1: Non-AD aware mail client

Two options are available: using wildcard ACLs, or defining static ports on the Exchange server via Registry edits.

Option 1 (wildcards)

As you will be logged into the domain, name resolution will not be a concern.

This is all that is necessary to secure communications between the mail client and the Exchange server. However, this method allows traffic to any port on the Exchange server, and may not be the most desirable.

Option 2 (static ports)

NOTE: This option requires editing the Registry on the Exchange server. Improper editing of the registry can cause system failure; it is recommended that you record any settings before modifying them and update your ERD (Emergency Repair Disk) before performing the edits.

1. Open regedit on the Exchange 2000 server. Navigate to the following key:

   HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\MSExchangeSA\Parameters

   Create a new value, type DWORD, called "TCP/IP port". Assign it a value of 2000, making sure that "Decimal" is selected on the right. Create another new value, type DWORD, called "TCP/IP NSPI port". Assign it a value of 2001, making sure that "Decimal" is selected on the right.

2. Navigate to the following key:

   HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\MSExchangeIS\ParametersSystem

   Create a new value, type DWORD, called "TCP/IP port". Assign it a value of 2002, making sure that "Decimal" is selected on the right. Close regedit, and reboot the server.

As you will be logged into the domain, name resolution will not be a concern. This will secure communications between the mail client and the Exchange server.

Part 2: AD-aware mail client

It is strongly recommended (but not required) that when using an AD-aware mail client, static ports be established via registry entries. Using wildcard ACLs will force any AD traffic destined for the server in question, Exchange related or not, to be captured and passed by SmartPass, potentially creating an unnecessarily high load on the SmartGate server and hindering performance.

Option 1 (wildcards)

As you will be logged into the domain, name resolution will not be a concern. Create a new ACL. Set the Owner to the ExchangeUsers group. Set the Type to path permission, and enter the NetBIOS name of the Exchange server. Select Service type "Any", ensure that the destination port is *, and that the Server and Client ports are both 2023.

NOTE: There is an additional ACL that needs to be created. The AD-aware mail client, after its first successful connection to the Exchange server, is then referred to the domain's Global Catalog server for directory requests via a local registry entry. These requests occur on port 135. Create a new ACL. Set the Owner to the ExchangeUsers group. Set the Type to path permission, and enter the Global Catalog server's FQDN. Select Service type "Other", set the Destination port to 135, and the Server and Client ports to 2023. DO NOT set a wildcard permission to the Global Catalog server. If the client is using Windows 2000 as their operating system, using a wildcard for the GC will cause SmartPass to capture virtually all AD traffic.

This is all that is necessary to secure communications between the mail client and the Exchange server. However, this method allows traffic to any port on the Exchange server, and may not be the most desirable.

Option 2 (static ports)

NOTE: This option requires editing the Registry on the Exchange server.
Improper editing of the registry can cause system failure; it is recommended that you record any settings before modifying them and update your ERD (Emergency Repair Disk) before performing the edits.

1. Open regedit on the Exchange 2000 server. Navigate to the following key:

   HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\MSExchangeSA\Parameters

   Create a new value, type DWORD, called "TCP/IP port". Assign it a value of 2000, making sure that "Decimal" is selected on the right. Create another new value, type DWORD, called "TCP/IP NSPI port". Assign it a value of 2001, making sure that "Decimal" is selected on the right.

2. Navigate to the following key:

   HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\MSExchangeIS\ParametersSystem

   Create a new value, type DWORD, called "TCP/IP port". Assign it a value of 2002, making sure that "Decimal" is selected on the right. Close regedit, and reboot the server.

As you will be logged into the domain, name resolution will not be a concern.

NOTE: There is an additional ACL that needs to be created. The AD-aware mail client, after its first successful connection to the Exchange server, is then referred to the domain's Global Catalog server for directory requests via a local registry entry. These requests occur on port 135. Create a new ACL. Set the Owner to the ExchangeUsers group. Set the Type to path permission, and enter the Global Catalog server's FQDN. Select Service type "Other", set the Destination port to 135, and the Server and Client ports to 2023. DO NOT set a wildcard permission to the Global Catalog server. If the client is using Windows 2000 as their operating system, using a wildcard for the GC will cause SmartPass to capture virtually all AD traffic.

This will secure communications between the mail client and the Exchange server, only allowing traffic to pass on the four specified ports.

References:

Microsoft Support Knowledge Base - Exchange 2000 Static Port Mappings
Microsoft Support Knowledge Base - How MAPI Clients Access Active Directory

Screenshots:

Wildcard ACL for Exchange Server with NetBIOS name: (screenshot not reproduced)
ACL for Global Catalog requests on port 135 with FQDN: (screenshot not reproduced)