ISA Server 2004 UNLEASHED [Electronic resources] (text version)


Michael Noel


Securing Exchange MAPI Access


The Messaging Application Programming Interface (MAPI) has traditionally been used for communications between the client and an Exchange server. This type of traffic is highly functional, but it can pose a security threat to an Exchange server because it requires the Remote Procedure Call (RPC) protocol, which has become notorious through recent exploits that take advantage of its open nature to take over poorly coded services.

In the past, organizations have been handcuffed by the fact that blocking RPC requires blocking a huge range of ports (all dynamic ports from 1024 to 65,536, plus others) because of the dynamic nature in which RPC works. Blocking RPC access to an Exchange server outright was not feasible either, because such a block would also cut off client access through MAPI, effectively crippling email access to the Exchange server.

ISA Server 2004 greatly simplifies and secures this process through its capability to filter RPC traffic for specific services, dynamically opening only those ports that are negotiated for use with MAPI access itself. This greatly limits the types of exploits that can take advantage of an Exchange server that is protected with MAPI filtering techniques.

Configuring MAPI RPC Filtering Rules


To configure an ISA Server to filter and allow only MAPI access across particular network segments, use the following technique:


1. From the ISA console, navigate to the Firewall Policy node in the console tree.

2. In the Tasks tab, click on the link for Publish a Mail Server.

3. Enter a name for the rule, such as MAPI Access from Clients Network, and click Next.

4. Select Client Access from the list of access types and click Next.

5. Check the box for Outlook (RPC), as shown in Figure 13.18, and click Next to continue.

Figure 13.18. Enabling a MAPI filtering rule.

6. Enter the IP address of the Exchange server that is to be published and click Next.

7. Select from which networks the rule will listen to requests, and click Next to continue.

8. Click Finish, Apply, and OK.


To set up more advanced MAPI filtering, examine the Traffic tab of the rule that was created, click Filtering, then Configure Exchange RPC and/or the Properties button, and finally choose the Interface tab. Advanced settings, such as which UUIDs to allow, can be found here, as shown in Figure 13.19.

Figure 13.19. Examining advanced MAPI filtering.
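
To make the UUID allow-list concrete, the following added example (not from the book and not ISA Server's own code) models the per-interface decision an RPC filter makes on a DCE/RPC bind request: it parses the bind PDU, extracts each requested interface UUID, and fails closed on anything not allow-listed or malformed. The function names, the contents of the allow-list, and the sample PDU are assumptions made for illustration.

```python
import struct
import uuid

# Interface UUIDs as published in Microsoft's Exchange RPC protocol documents.
# Treating them as the allow-list is an assumption, not ISA Server's own settings.
ALLOWED_INTERFACES = {
    uuid.UUID("a4f1db00-ca47-1067-b31f-00dd010662da"): "EMSMDB (mailbox store)",
    uuid.UUID("f5cc5a18-4264-101a-8c59-08002b2f8426"): "NSPI (address book)",
    uuid.UUID("1544f5e0-613c-11d1-93df-00c04fd7bd09"): "RFR (referral)",
}
NDR_TRANSFER = uuid.UUID("8a885d04-1ceb-11c9-9fe8-08002b104860")


def bind_interfaces(pdu: bytes) -> list:
    """Return the interface (abstract syntax) UUIDs requested in a bind PDU."""
    # 16-byte common header + 8 bytes of bind fields + 4-byte context list header
    if len(pdu) < 28 or pdu[0] != 5 or pdu[2] != 11:   # version 5, PTYPE bind
        raise ValueError("not a complete connection-oriented bind PDU")
    little = bool(pdu[4] & 0x10)          # data representation: byte order
    (frag_len,) = struct.unpack_from("<H" if little else ">H", pdu, 8)
    if frag_len != len(pdu):
        raise ValueError("fragment length mismatch")
    off, found = 28, []
    for _ in range(pdu[24]):              # n_context_elem
        if off + 24 > len(pdu):
            raise ValueError("truncated context list")
        raw = pdu[off + 4:off + 20]       # if_uuid follows id, count, reserved
        found.append(uuid.UUID(bytes_le=raw) if little else uuid.UUID(bytes=raw))
        off += 24 + 20 * pdu[off + 2]     # skip if_version + transfer syntaxes
    return found


def filter_bind(pdu: bytes) -> bool:
    """Allow only if every requested interface is allow-listed; fail closed."""
    try:
        wanted = bind_interfaces(pdu)
    except ValueError:
        return False
    return bool(wanted) and all(u in ALLOWED_INTERFACES for u in wanted)


def build_bind(if_uuid: uuid.UUID) -> bytes:
    """Construct a minimal one-context bind PDU (sample input, not a capture)."""
    body = struct.pack("<HHIBBH", 4280, 4280, 0, 1, 0, 0)
    body += struct.pack("<HBB", 0, 1, 0) + if_uuid.bytes_le + struct.pack("<I", 0)
    body += NDR_TRANSFER.bytes_le + struct.pack("<I", 2)
    head = struct.pack("<BBBB4sHHI", 5, 0, 11, 3, b"\x10\0\0\0", 16 + len(body), 0, 1)
    return head + body
```

A bind for an allow-listed interface passes `filter_bind`, while a bind for any other interface, or a truncated PDU, is rejected.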

Deploying MAPI Filtering Across Network Segments


Where MAPI filtering really shines is in scenarios where the ISA Server is used to protect a server's network from the clients network in an organization, similar to what is shown in Figure 13.20.

Figure 13.20. Isolating and securing an Exchange environment behind an internal ISA firewall.


In these scenarios, the ISA Server acts as an Exchange firewall, providing secured mail, OWA, POP, and any other necessary services to the ISA Server through a secured, Application-layer filtered environment. This type of deployment scenario is very useful for organizations that want to reduce their exposure to security threats from unruly or exploited clients. It allows for a great degree of control over what type of access to an Exchange environment can be set up.

