Troubleshooting Exchange and Firewall Rules

Written by Mike Rede on April 12, 2011 – 8:35 pm


Implementing Exchange Server 2010 requires a number of ports to be open so that the server and its clients can communicate with one another. Those ports are opened in the Windows Firewall, which filters inbound and outbound traffic based on firewall rules. Fortunately, Exchange Server 2010 Setup creates the Windows Firewall rules that support those operations. In the past, administrators needed to run the Security Configuration Wizard (SCW) to open these ports, but as of Exchange 2010 this is no longer necessary.

Under certain circumstances some of these ports are not opened; note the following:

  1. On servers that have Internet Information Services (IIS) installed, Windows opens the HTTP (port 80, TCP) and HTTPS (port 443, TCP) ports. Exchange Server 2010 Setup does not open these ports itself.
  2. On Windows Server 2008 and Windows Server 2008 R2, Windows Firewall with Advanced Security allows administrators more latitude in how and when a port is opened. For instance, an administrator can specify the process or service to associate with a port that is then opened. Being able to tie the opening of a port to a specific process or service adds another, more granular, level of security. Exchange Setup creates firewall rules that are restricted to a specified process or service. Additionally, rules that are not restricted to a process or service may also be created for compatibility reasons. Such compatibility rules contain the word (GFW) in the rule name. An administrator can disable or remove these additional compatibility rules if they do not believe they are necessary.
  3. Inside an Exchange server there are many services that use remote procedure calls (RPCs) to communicate with other hosts. The processes and services that need to communicate with the Exchange server are not allowed to assign their own port numbers; if they were, there would be many conflicts and difficulties in completing communications. To avoid these conflicts, each process or service must register with the RPC service to request a port number for its communications. The client first connects to the server on TCP port 135 (the RPC Endpoint Mapper service), receives an assigned port number, and then continues communication with the server on the newly acquired port.

This is where Exchange 2010 Setup comes into play. Exchange 2010 Setup will create two firewall rules for a process that uses RPCs. One rule is used for the process to communicate with the RPC Endpoint Mapper. The other rule is used for communications to the server with the newly acquired port number.
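As an added example (not code from the original post), the following PowerShell audit shows what those rule pairs look like on a server: it lists enabled inbound allow rules whose port is the RPC Endpoint Mapper or a dynamic RPC port, and separately flags rules that are not scoped to a program or service, including the (GFW) compatibility rules. It assumes the Windows Firewall COM API (HNetCfg.FwPolicy2) and the "(GFW)" naming described above.

```powershell
# Added audit example, not code from the original post. Uses the HNetCfg.FwPolicy2
# COM API, which exists on Windows Server 2008 R2 and later, so it does not need
# the Get-NetFirewallRule cmdlets introduced with Server 2012.
# Run in an elevated PowerShell session on the Exchange server.
$fw = New-Object -ComObject HNetCfg.FwPolicy2

$NET_FW_RULE_DIR_IN  = 1   # INetFwRule.Direction: inbound
$NET_FW_ACTION_ALLOW = 1   # INetFwRule.Action: allow

function Get-RpcRuleKind {
    # The firewall expresses RPC rules with keywords instead of numbers:
    # 'RPC-EPMap' is the endpoint mapper (TCP 135) and 'RPC' is the dynamic
    # port the endpoint mapper hands out. A literal '135' is treated the same.
    param([string]$LocalPorts)   # [string] turns $null into '' safely
    switch -Regex ($LocalPorts) {
        '^(RPC-EPMap|135)$' { 'EndpointMapper' }
        '^RPC$'             { 'DynamicRPC' }
        default             { '' }
    }
}

$report = foreach ($rule in $fw.Rules) {
    if (-not $rule.Enabled) { continue }
    if ($rule.Direction -ne $NET_FW_RULE_DIR_IN) { continue }
    if ($rule.Action -ne $NET_FW_ACTION_ALLOW) { continue }

    # A rule is "unrestricted" when it names neither a service ('*' = any
    # service) nor a program, i.e. it opens the port for anything on the host.
    $anyService = @('', '*') -contains [string]$rule.ServiceName
    $anyProgram = [string]::IsNullOrEmpty($rule.ApplicationName)

    [pscustomobject]@{
        Name         = $rule.Name
        Service      = $rule.ServiceName
        LocalPorts   = $rule.LocalPorts
        RpcKind      = Get-RpcRuleKind $rule.LocalPorts
        IsCompat     = ($rule.Name -like '*(GFW)*')   # compatibility rule
        Unrestricted = ($anyService -and $anyProgram)
    }
}

# Setup creates one EndpointMapper and one DynamicRPC rule per RPC process.
$report | Where-Object { $_.RpcKind } | Sort-Object Service, Name |
    Format-Table Name, Service, LocalPorts, RpcKind -AutoSize

"Enabled inbound allow rules to review (compatibility or not process-scoped):"
$report | Where-Object { $_.Unrestricted -or $_.IsCompat } |
    Format-Table Name, IsCompat, Unrestricted, LocalPorts -AutoSize

# Once a (GFW) rule is confirmed unnecessary, it can be disabled in place:
# ($fw.Rules | Where-Object { $_.Name -like '*(GFW)*' }) | ForEach-Object { $_.Enabled = $false }
```

The second table is the one to read before touching anything: a rule that is both unrestricted and not a (GFW) compatibility rule was not created the way Setup normally creates them and deserves a closer look.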


Why You Need a DMZ

Written by Mike Rede on November 19, 2008 – 5:01 pm

Besides protecting your incoming email, authenticating your users, and authorizing access, you will also need to worry about how to secure your servers. One way of securing them is to build a moat around them: to make entry difficult or otherwise hinder access to your servers.

To do this you can build a Demilitarized Zone (DMZ) within your network. The first Demilitarized Zone was the strip of land created between North Korea and South Korea after the cease fire of July 17, 1953.

In a computer environment, a DMZ is an area of your network that sits between your protected internal LAN and the unprotected, untrusted Internet.


Confusion over cyber-security

Written by Dan Blacharski on October 7, 2008 – 3:20 pm

The National Cyber Security Alliance (NCSA) has announced its annual campaign for cyber-security awareness.

Awareness, more than anything, is the most important weapon in securing your enterprise and ensuring that malware doesn’t sneak in through your email servers. Awareness? Doesn’t everybody know about the dangers lurking in cyberspace by now? What we folks in the IT business take for granted is often unknown or ignored by ordinary users. When we get an email from a deposed general of a third world country asking for assistance in moving $40 million into the US, and offering a percentage for the service, our immediate reaction is simply to delete it. It’s a painfully obvious scam to most of us and we pay it no attention. Yet they keep coming in every day. Why do people keep sending out these pathetic attempts to get our bank account numbers? Simple. Because not everybody is aware that it is a scam.
