Module 6: Integrating ISA Server 2004 and Microsoft Exchange Server.


Overview
- Issues in Security
- Configuring ISA Server to Secure SMTP Traffic
- Configuring ISA Server to Secure Web Client Connections
- Configuring ISA Server to Secure Client Connections

Lesson: Issues in Security
- Security Threats Overview
- Access Using Web Clients
- Access Using Outlook Clients
- Access Using POP3, IMAP4, and NNTP Clients
- SMTP Protocol-Level Exploits
- Unwanted and Malicious E-Mail
- How ISA Server 2004 Secures Exchange Server

Security Threats Overview
Ensuring the security of e-mail includes:
- Ensuring that all client connections to the server are secure
- Protecting the servers from SMTP exploits
- Preventing unwanted or malicious e-mails from entering the organization's network

Access Using Web Clients
[Diagram labels: Outlook Web Access; Outlook Mobile Access (XHTML, cHTML, HTML); ActiveSync Enabled Mobile Devices; Wireless Network; ISA Server; Exchange Front-End Server; Exchange Back-End Servers]

Access Using Outlook Clients
- Outlook RPC connections: port 135 and dynamic ports
- Outlook RPC over HTTP connections: port 80 or 443
[Diagram labels: ISA Server; Exchange Front-End Server; Exchange Back-End Servers]

Access Using POP3, IMAP4, and NNTP Clients
- POP3 connections: port 110 or 995, plus port 25
- IMAP4 connections: port 143 or 993, plus port 25
[Diagram labels: ISA Server; Exchange Front-End Server; Exchange Back-End Servers]

SMTP Protocol-Level Exploits
SMTP servers can be vulnerable to:
- Buffer overflow attacks, when SMTP commands are sent with more than expected data, causing memory buffer overflows
- Mail relay attacks, when an SMTP server is used to forward unwanted e-mail to Internet recipients
- SMTP command attacks, where SMTP commands are used to compromise the server or gain information about the server or recipients on the server

Unwanted and Malicious E-Mail
Unwanted e-mail is unsolicited commercial e-mail that:
- Consumes server and network resources
- Reduces user productivity and increases administrative effort
- Can be filtered using an application-level filter
- May result in exposure to legal liability
Malicious e-mails contain viruses or worms that:
- Damage data or computers or consume network and computer resources
- Increase administrative cost and effort
- Increase the risk of an information leak

How ISA Server 2004 Secures Exchange Server
- Mail publishing wizards
- Filtering unwanted e-mail
- SMTP command filtering
- Secure access for Outlook clients
- Secure access for Web clients
[Diagram labels: ISA Server; Exchange Front-End Server; Exchange Back-End Servers]

Lesson: Configuring ISA Server to Secure SMTP Traffic
- How ISA Server Secures SMTP Traffic
- How to Configure ISA Server to Secure SMTP Traffic
- How SMTP Filtering Works
- How to Configure the SMTP Application Filter
- How SMTP Message Screener Works
- How to Implement SMTP Message Screener
- Integrating ISA Server and Exchange Server to Secure SMTP Traffic

How ISA Server Secures SMTP Traffic
- Use Mail Publishing Wizard to publish SMTP servers
- Use SMTP message screener to filter unwanted e-mail
- Use SMTP application filter to filter SMTP commands
[Diagram labels: SMTP Server; ISA Server; Exchange Front-End Server; Exchange Back-End Servers]

How to Configure ISA Server to Secure SMTP Traffic
To configure ISA Server to secure SMTP traffic:
1. Configure MX records on the Internet servers to refer to the computer running ISA Server
2. Use the Mail Server Publishing Wizard to publish the SMTP server
3. Configure the internal SMTP servers as SecureNAT clients
4. Configure an access rule for internal SMTP servers to send e-mail to the Internet
5. Configure DNS so the internal SMTP servers can resolve Internet host names

Practice: Publishing an SMTP Server
- Creating the Internet DNS records
- Configuring a new SMTP mail server publishing rule
- Configuring outbound SMTP traffic
- Testing SMTP traffic flow
[Lab diagram labels: Internet; Den-ISA-01; Den-DC-01; Gen-Web-01; Den-Msg-01]

How SMTP Filtering Works
SMTP commands sent to the published server (EHLO contoso.com, Mail from:, Rcpt to:, Data) pass through ISA Server, which asks of each one:
- Is the command allowed?
- Is the command length allowed?
[Diagram labels: SMTP Server; ISA Server; Exchange Front-End Server; Exchange Back-End Servers]
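The two questions on this slide (command allowed, command length allowed) can be modelled as below. This is an added example, not ISA Server code; the command table, the length limits and the stop-on-first-violation behaviour are assumed values for illustration.

```python
# Model of an SMTP command filter: per-command allow list plus a length cap.
# Limits are constructed sample values (bytes, including CRLF), not ISA defaults.
ALLOWED = {
    "EHLO": 71, "HELO": 71, "MAIL FROM:": 266, "RCPT TO:": 266,
    "DATA": 6, "RSET": 6, "NOOP": 6, "QUIT": 6,
}

def check_command(line: bytes):
    """Return (verdict, reason) for one SMTP command line from the client."""
    upper = line.decode("ascii", errors="replace").upper()
    # Longest verb first so "MAIL FROM:" is matched as a whole.
    for verb in sorted(ALLOWED, key=len, reverse=True):
        if not upper.startswith(verb):
            continue
        rest = upper[len(verb):]
        # A bare verb must end at a space or line end ("DATABASE" is not DATA).
        if verb.endswith(":") or rest[:1] in ("", " ", "\r", "\n"):
            if len(line) > ALLOWED[verb]:
                return ("block", f"{verb} line is {len(line)} bytes, limit {ALLOWED[verb]}")
            return ("allow", verb)
    verb = upper.split(None, 1)[0] if upper.strip() else "<empty>"
    return ("block", f"command not allowed: {verb}")

def filter_session(lines):
    """Check each command line; message content after DATA is not a command."""
    results, in_data = [], False
    for line in lines:
        if in_data:
            if line.rstrip(b"\r\n") == b".":  # end-of-message marker
                in_data = False
            continue
        verdict, reason = check_command(line)
        results.append((verdict, reason))
        if verdict == "block":
            break  # assumed behaviour: stop at the first violation
        if reason == "DATA":
            in_data = True
    return results

# Constructed sample session: a normal delivery followed by a disallowed VRFY.
SAMPLE = [
    b"EHLO contoso.com\r\n",
    b"MAIL FROM:<alice@contoso.com>\r\n",
    b"RCPT TO:<bob@example.com>\r\n",
    b"DATA\r\n",
    b"VRFY appears here only as message text\r\n",
    b".\r\n",
    b"VRFY bob\r\n",
]

if __name__ == "__main__":
    for verdict, reason in filter_session(SAMPLE):
        print(verdict, reason)
```

The length cap is what addresses the oversized-command buffer overflow case listed under SMTP Protocol-Level Exploits; the allow list addresses the command attacks.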

How to Configure the SMTP Application Filter

How SMTP Message Screener Works
Message Screener is installed on an SMTP server (IIS 6.0 with the SMTP service) and asks of each message:
- Is the source host allowed?
- Is the source domain allowed?
- Is the attachment allowed?
- Is a keyword blocked?
[Diagram labels: SMTP Server; Install Message Screener; ISA Server; IIS 6.0 With SMTP Service; Exchange Back-End Servers]
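The four screening questions on this slide, modelled as an added example (not Message Screener code). The policy values, the `screen` and `build_sample` helpers, and the choice to treat subdomains of a blocked domain as blocked are assumptions made for illustration.

```python
import os
from email import message_from_string
from email.message import EmailMessage

# Constructed sample policy, not ISA Server defaults.
POLICY = {
    "blocked_hosts": {"mail.badmail.example"},
    "blocked_domains": {"badmail.example"},
    "blocked_extensions": {".exe", ".vbs", ".scr"},
    "blocked_keywords": {"free prize"},
}

def screen(peer_host, mail_from, raw_message, policy=POLICY):
    """Return the list of reasons to reject; an empty list means deliver."""
    reasons = []
    if peer_host.lower() in policy["blocked_hosts"]:
        reasons.append("source host")
    domain = mail_from.rsplit("@", 1)[-1].strip("<> ").lower()
    # Assumption: a blocked domain also covers its subdomains.
    if any(domain == d or domain.endswith("." + d) for d in policy["blocked_domains"]):
        reasons.append("source domain")
    msg = message_from_string(raw_message)
    text = [msg.get("Subject", "")]
    for part in msg.walk():
        name = part.get_filename()
        if name:
            # Only the final extension counts, so "invoice.pdf.exe" is an .exe.
            if os.path.splitext(name)[1].lower() in policy["blocked_extensions"]:
                reasons.append(f"attachment {name}")
        elif part.get_content_maintype() == "text":
            # Decode base64/quoted-printable first, or keywords hide in the encoding.
            body = part.get_payload(decode=True) or b""
            text.append(body.decode(part.get_content_charset() or "utf-8", "replace"))
    haystack = " ".join(text).lower()
    reasons += [f"keyword {k!r}" for k in sorted(policy["blocked_keywords"]) if k in haystack]
    return reasons

def build_sample(body, attachment_name=None):
    """Build a constructed test message with a base64-encoded text body."""
    m = EmailMessage()
    m["From"] = "promo@news.badmail.example"
    m["To"] = "user@contoso.com"
    m["Subject"] = "Hello"
    m.set_content(body, cte="base64")
    if attachment_name:
        m.add_attachment(b"MZ", maintype="application",
                         subtype="octet-stream", filename=attachment_name)
    return m.as_string()

if __name__ == "__main__":
    raw = build_sample("Claim your FREE PRIZE today", "invoice.pdf.exe")
    print(screen("mail.badmail.example", "<promo@news.badmail.example>", raw))
```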

How to Implement SMTP Message Screener
To implement SMTP message screener:
1. Install the SMTP service on an IIS 5.0 or IIS 6.0 server
2. Install the SMTP message screener on the IIS server
3. Configure an SMTP mail server publishing rule that publishes the SMTP server running message screener
4. Configure the message screener settings on the SMTP filter

Practice: Implementing SMTP Message Screener
- Install the SMTP service on the computer running ISA Server
- Install the SMTP message screener
- Configure the SMTP message screener
- Test the SMTP message screener
[Lab diagram labels: Internet; Den-ISA-01; Den-DC-01; Gen-Web-01; Den-Msg-01]

Integrating ISA Server and Exchange Server to Secure SMTP Traffic
You can deploy message screener:
- On the computer running ISA Server. This option is the easiest to configure but least secure
- On an IIS server in the internal or perimeter network. Using a server in the perimeter network is most complicated to configure, but most secure
- To filter only inbound messages. Configure ISA Server to publish the message screener server, and configure access rules for the internal SMTP servers to send e-mail to the Internet
- To filter inbound and outbound messages. Configure ISA Server to publish the message screener server, and configure the internal SMTP servers to route messages to the message screener server

Lesson: Configuring ISA Server to Secure Web Client Connections
- How Does ISA Server Secure OWA Connections?
- How to Configure ISA Server to Enable OWA Access
- How to Configure Forms-Based Authentication
- How to Configure ISA Server to Enable Access for Other Web Clients

How Does ISA Server Secure OWA Connections?
- Use Mail Publishing Wizard to publish OWA servers
- Configure attachment blocking
- Use forms-based authentication to avoid secure user logon
[Diagram labels: OWA Client; ISA Server; Exchange Front-End Server; Exchange Back-End Servers]

How to Configure ISA Server to Enable OWA Access
To configure ISA Server to enable OWA access:
1. Install a digital certificate on the OWA server and configure IIS to require SSL connections to the OWA virtual directories
2. Use the Mail Server Publishing Wizard to publish the OWA server
3. Configure a bridging mode. For best security, secure the connection from client to ISA Server and from ISA Server to OWA server
4. Configure a Web listener for OWA publishing. Choose forms-based authentication and SSL for the Web listener

How to Configure Forms-Based Authentication

How to Configure ISA Server to Enable Access for Other Web Clients
- Publishing Exchange server virtual directories for OMA and ActiveSync clients

Practice: Configuring ISA Server for Secure OWA Connections
- Installing a certificate on the OWA server
- Configuring IIS to require SSL on the virtual directories used by OWA
- Configuring an Outlook Web Access publishing rule
- Testing the Outlook Web Access publishing rule
[Lab diagram labels: Internet; Den-ISA-01; Den-DC-01; Gen-Web-01; Den-Msg-01]

Lesson: Configuring ISA Server to Secure Client Connections
- Multimedia: Connecting MAPI Clients to Exchange Server Through a Firewall
- How ISA Server Secures Outlook RPC Connections
- About RPC over HTTP
- How to Configure RPC over HTTP
- Enabling Access for POP3 and IMAP4 Clients

Multimedia: Connecting MAPI Clients to Exchange Server Through a Firewall

How ISA Server Secures Outlook RPC Connections
[Diagram labels: Outlook Client; ISA Server; Exchange Servers; Port 135; Exchange UUID=3000; Exchange UUID=2000]

Practice: Configuring ISA Server to Secure Outlook RPC Connections
- Configuring an Outlook RPC publishing rule
- Testing the Outlook RPC publishing rule
[Lab diagram labels: Internet; Den-ISA-01; Den-DC-01; Den-Msg-01; Den-Clt-01]

About RPC over HTTP
RPC over HTTP requires:
- Exchange Server 2003 running on Windows Server 2003 and Windows Server 2003 global catalog servers
- Outlook 2003 running on Windows XP
- Windows Server 2003 server running RPC proxy server with the Exchange and domain controller service port numbers defined in the registry
- A modified Outlook profile that connects to the Exchange server using HTTPS

How to Configure RPC over HTTP
- To enable RPC over HTTP, publish the /rpc/* virtual directory

Enabling Access for POP3 and IMAP4 Clients
- Configure the required ports
- Configure secure ports to enable SSL security

Lab: Integrating ISA Server 2004 and Microsoft Exchange Server
- Exercise 1: Enabling RPC over HTTP Client Connections
- Exercise 2: Configuring a Forms-Based Authentication for Outlook Web Access
[Lab diagram labels: Internet; Den-ISA-01; Den-DC-01; Den-Msg-01; Den-Clt-01]