Implementing Exchange Server 2010 requires ports to be opened for the server and clients to communicate with one another. The necessary ports are opened to support communication through the Windows Firewall which filters inbound and outbound traffic based on firewall rules. Fortunately Exchange Server 2010 setup creates Windows Firewall rules that support those operations. In the past, administrators needed to use the Security Configuration Wizard (SCW) to open up those ports but as of 2010 this is no longer necessary.

Under certain circumstances some of these ports are not opened such as the following:

1. On servers that have Internet Information Services (IIS) installed, Windows opens the HTTP (port 80, TCP) and HTTPS (port 443, TCP) ports. Exchange Server 2010 Setup does not open these ports.
2. On Windows Server 2008 and Windows Server 2008 Release 2, Windows Firewall with Advanced Security allow administrators more latitude in how and when a port is opened. For instance, an administrator can specify the process or service to associate with a port that can then be opened. Being able to create a rule that associates the opening of a port with a process or a service adds another granular level of security. Exchange Setup can create firewall rules using a specified process or service. Additionally, rules that are not restricted to the process or service may also be created for compatibility reasons. Such compatibility rules will contain the word (GFW) in the rule name. An administrator can disable or remove these additional compatibility rules if they do not believe they are necessary.
3. Inside Exchange server there are a lot of services that use remote procedure calls (RPCs) for communications with the host servers. The processes and services that need to communicate with the Exchange server are not allowed to assign their own port numbers. If they were allowed to do so then there would be many problems and difficulties in completing communications. To avoid these conflicts, multiple processes and services must register with the RPC service to request a port number for communications with the server. The client connects to the server on TCP port 135 – the RPC Endpoint Mapper service, receives an assigned port number, and then continues communication to the server with the newly acquired port number.

This is where Exchange 2010 Setup comes into play. Exchange 2010 Setup will create two firewall rules for a process that uses RPCs. One rule is used for the process to communicate with the RPC Endpoint Mapper. The other rule is used for communications to the server with the newly acquired port number.

Although an administrator cannot modify the Windows Firewall rules created by Exchange 2010 Setup then can create custom rules based on them. Administrators can also delete or disable them. When troubleshooting a break in email communications, administrators should review the Firewall rules to see if any parameters have changed.

This table shows some of the Windows Firewall rules created by Exchange Setup. Ports that are opened for each server role are also listed. Windows Firewall with the Advanced Security MMC snap-in can be used to view these rules.

Troubleshooting Exchange and Firewall Rules

Free ebook download: Top 10 Most Popular Troubleshooting Posts for Email Administrators

Besides protecting your incoming email, authenticating your users and authorizing access you will also worry about how to secure your servers. One of the ways of securing your servers is to build a moat around them, to make it difficult for entry or otherwise hinder access to your servers.

To do this you can build a Demilitarized Zone (DMZ) within your network. The first Demilitarized Zone created was the strip of land between North Korea and South Korea after the cease fire of July 17, 1953. 

In a computer environment, a DMZ is an area of your network that sits between your secured protected internal LAN and the unprotected unsecured internet.

Your DMZ will contain your servers such as web servers, FTP servers, mail servers and DNS servers. These servers will be protected by two firewalls. One firewall configured with lots of restrictions protects your internal network from the DMZ. On the other side of the DMZ, connecting to the internet, will sit a second firewall which protects your DMZ from the outside world.

It obviously makes no sense to put your web servers inside the firewall because then they’re open to attacks. And if you put them outside the firewall then you’re open to even more attacks. So by placing a firewall on both sides of your web, FTP, email and DNS servers you are providing a safe place for them to operate without exposure to attacks.

The idea is to place all of your publicly accessible services in an area where they can be more closely monitored. But at the same time keep them separate from your internal network where your company sensitive information exists such as company confidential documents and employee information.

Your firewall can be a computer hardware system or network resource that is running special software or packet-filtering software and may or may not be running as a proxy server.

Firewall hardware vendors include such large networking and communications companies as Cisco Systems, Inc to a venture-funded Isreali startup, Yoggie Security Systems who makes a tiny firewall device for Windows based laptops.

Why You Need a DMZ

Free ebook download: Top 10 Most Popular Troubleshooting Posts for Email Administrators

The National Cyber Security Alliance (NCSA) has announced their annual campaign for cyber-security awareness.

Awareness, more than anything, is the most important weapon in securing your enterprises and ensuring that malware doesn’t sneak in through your email servers. Awareness? Doesn’t everybody know about the dangers lurking in cyberspace by now? What we folks in the IT business take for granted is often unknown or ignored by ordinary users. When we get emails from a deposed general of a third world country, asking for assistance in moving $40 million into the US, and offering a percentage for the service, our immediate reaction is to simply delete the email. It’s a painfully obvious scam to most of us and we pay it no attention. But yet, they keep coming in every day. Why do people keep sending out these pathetic attempts to get our bank account numbers? Simple. Because not everybody is aware that it is a scam.

Do people understand the dangers of the Internet, and do they have adequate protection in place? Not really. And even if they do understand the risks, most people just aren’t as protected as they like to believe. A study conducted by NCSA this month showed that over 80 percent of American computer users reported having a firewall installed, but only 42 percent had adequate firewall protection. The study also showed a big disparity between the percentage of people who use anti-virus and anti-spam protection, and the number of people who feel safe from hacker attacks.

NCSA offers several suggestions for staying safe online, and while these suggestions may seem obvious to most, we must take measures to make sure every user is aware of the risks and understands how to safely use email. Their suggestions include protecting your identity, and exercising extreme caution when sharing things like social security numbers and birth dates. The NCSA also advises us to stay up to date on all security tools, and to learn how to “email safely”–and learn how to spot the signs of a fraudulent email.

Confusion over cyber-security

Free ebook download: Top 10 Most Popular Troubleshooting Posts for Email Administrators