Exchange from behind a proxy server

By wsmoth
I have several questions I will ask in one.
1) I want to put up an Exchange server on the public side of my proxy server. Will my private network clients be able to connect to Exchange's collaborative folders (i.e. 'All Public Folders' folder)?
2) How will I log on to my NT domain from the public side of the firewall?
3) How will private-side clients connect to my exchange server?
4) How do I set up my Linux Firewall to forward all those requests from both my clients and my server?

Any and all help will be appreciated.

by mcessna In reply to Exchange from behind a pr ...

I've never used a Linux firewall but the concepts are the same. I have a Checkpoint Nokia IP330 appliance here.
1: Create a rule to allow any packet from the Exchange server IP to any internal IP on the private side. Also, if you have limits on your private to public connections, you will have to add a rule for the private side IPs to connect to the Exchange IP address.
2: You need to add a route on the Exchange server to go to the firewall. You can do this with a simple LMHOSTS file or add a static route into the route table of the Exchange box by using the ROUTE command.
3: Exchange must be a member of an NT Domain, so either create a domain and trust your private side domain (presents some problems) or just let it join the private domain (you must have an LMHOSTS entry for the domain controller).
4: Now when your private side clients attempt to attach to the Exchange server, their connections are directed through the proxy to the Exchange box. Since the Exchange box is in the private domain all authentic

by mcessna In reply to Exchange from behind a pr ...

Got Cut off----
is handled through NT domain authentication.

Here's an example of the LMHOSTS entry for the Exchange server:
xxx.xxx.xxx.xxx %servername% #PRE #DOM:%domainname%
If you need more info please feel free to email me. I'm not sure which Linux firewall you are using, but they all work basically the same and you should check to see how to allow and block connections so that you can allow the connections to and from the Exchange server's IP address.

by McKayTech In reply to Exchange from behind a pr ...

I'm not real clear as to whether you have both a proxy server and a firewall or whether they are the same device. Also, putting an Exchange Server on the outside is kind of an unusual approach but I'm sure you have a good reason.

At any rate, these are the firewall considerations that you'll have to address in your ipchains configuration:
1. To authenticate across the firewall, you'll have to open the NetBIOS ports (137/139 if I recall correctly).
2. To allow the Exchange server to communicate across the firewall, you will have to open port 135 for the RPC Endpoint Mapper and also two other ports of your choice above 1023. Then you will have to do a registry edit on the Exchange Server to change the default from dynamic RPC mapping to static ports corresponding to the two you chose. Microsoft has a pretty good article on this on TechNet (article Q155831).

Once that is set up, private-side clients would use Outlook or Exchange to connect just like normal.

regards!

paul
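
The port list in the post above, written out as scoped ipchains forward-chain rules; this is an added example, not part of the original post. The addresses, the domain controller, the static RPC ports 5000 and 5001, the UDP/TCP split for 137 and 139, and the direction of each flow are assumptions, and the script only prints the rules for review.

```shell
#!/bin/sh
# Added example (not from the thread): prints ipchains forward-chain rules for
# the ports named in the post; nothing is executed. Addresses and the two
# static RPC ports are constructed placeholders.
EXCHANGE_IP="203.0.113.10"     # assumed: Exchange server, public side
PRIVATE_NET="192.168.1.0/24"   # assumed: Outlook clients, private side
DC_IP="192.168.1.5"            # assumed: NT domain controller, private side

# allow PROTO SRC DST PORT: permit SRC -> DST:PORT and only the replies back.
allow() {
    echo "ipchains -A forward -p $1 -s $2 -d $3 $4 -j ACCEPT"
    if [ "$1" = tcp ]; then
        # "! -y" matches non-SYN packets, so DST cannot open new connections
        echo "ipchains -A forward -p tcp ! -y -s $3 $4 -d $2 -j ACCEPT"
    else
        echo "ipchains -A forward -p udp -s $3 $4 -d $2 -j ACCEPT"
    fi
}

# gen_rules PORT_A PORT_B: the two static RPC ports must be above 1023.
gen_rules() {
    for p in "$1" "$2"; do
        case $p in ''|*[!0-9]*) echo "bad port: $p" >&2; return 1 ;; esac
        if [ "$p" -le 1023 ] || [ "$p" -gt 65535 ]; then
            echo "static RPC port must be 1024-65535: $p" >&2; return 1
        fi
    done
    [ "$1" != "$2" ] || { echo "ports must differ" >&2; return 1; }
    echo "ipchains -P forward DENY"                  # default: drop everything else
    allow tcp "$PRIVATE_NET" "$EXCHANGE_IP" 135      # RPC Endpoint Mapper
    allow tcp "$PRIVATE_NET" "$EXCHANGE_IP" "$1"     # static RPC port 1
    allow tcp "$PRIVATE_NET" "$EXCHANGE_IP" "$2"     # static RPC port 2
    allow udp "$EXCHANGE_IP" "$DC_IP" 137            # NetBIOS name service
    allow tcp "$EXCHANGE_IP" "$DC_IP" 139            # NetBIOS session service
}

gen_rules 5000 5001
```

The static ports passed to `gen_rules` have to match the two set in the registry edit described in the post, otherwise the endpoint mapper on 135 will hand clients a port the firewall drops.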

by Aaron V In reply to Exchange from behind a pr ...

I'll start this with "Why do you want Exchange on the Public side?" and go from there.

I would not do that. Maybe you are forced into this course of action from beyond your control, or maybe it makes sense in your environment. I propose a different track:
Use Exchange on the Private side of the firewall. Use your Outlook clients as normal.
To get access to Exchange from the outside use one or more of the following options:
1) Use a VPN. Set up VPN with a variety of firewall products. Connect as normal.
2) Use Outlook Web Access. Set up OWA on your Exchange and IIS systems (can be same box). Use your firewall to route incoming port 80 or 443 (SSL) to your OWA server. Use a browser on the public side.
3) Use POP3 or IMAP4 on Exchange and route the appropriate ports on the firewall to your Exchange server. Use a POP3 or IMAP4 client on the public side.

Your firewall can be configured with just about any Linux distribution. I have used FreeBSD, RedHat Linux, and Linux Router. Basically you

by -Q-240248 In reply to Exchange from behind a pr ...

Exchange server should be behind the firewall. Especially with the proxy service and IP addresses. You will be much more secure that way and can avoid hackers' IP spoofing, among many other security concerns. The only thing that should go on the other side of the firewall, or in a DMZ, is Internet Information servers.
