
Remotely access Exchange server 1

Status
Not open for further replies.

bsingin64

IS-IT--Management
Oct 24, 2001
63
US
Hello all, A while back I was able to access my Exchange server from a remote location by setting up the remote location as if I were still in the network. I would set up an Outlook client (at home on a cable modem) with the Exchange server as the email account. It would successfully access the server, and I could use my Exchange account at home...it was great. Recently, I think I made a change to the server that didn't allow me to do it. The remote client keeps trying for hours and sending lots of network traffic, but never gets completely logged onto the server. I'm wondering if anyone else is able to use their Exchange server remotely, and if so, let me know what settings I messed up that aren't allowing me to do it. The server is exposed to the internet on ports HTTP, SMTP, PPTP, L2TP, TELNET (and numerous others), and it successfully serves OWA and an IIS intranet website. I'm running Exchange 2000 SP2, but the problem started with OEM (no SPs).

Hope we can figure this one out!! :O)

Thanks a lot, Brandon
 
Do a netmon capture and look at the MSRPC.

You can ping the server by name and FQDN, right? If not, make a host file.

If none of this leads you anywhere, set up Outlook to use POP3 and SMTP.
Dan
Microsoft Exchange Support @ Microsoft
 
Hi.

First of all remember this:
If you can access your server from the Internet, it means that millions of others can too!
You must be very restrictive on remote access or you will soon get it.

Now, there are several different ways to have remote access, and it depends on your needs, data security policy, and other factors.

One way is accessing the server using VPN tunnels.

In any case, I have 2 more tips for you, not directly related to your question, but they can save you some in the future:

1) Make sure you installed SP2 for W2K, then go to MS download site and install SRP1 for W2K.

2) Ask a security expert to help you redesign your data security policy.

Bye
Yizhar Hurwitz
 
Xybertron: I can ping my server through IP and DNS records that I have placed on the net. I can Telnet into my server on port 25. I have been using my server as a POP3 server since the problem arose. I can still get to my inbox. But I need to have Calendar, Notes, Tasks, and everything else with Exchange. Also, I have more than one inbox (rooted folders), so it works only for the email's primary inbox. I will try the netmon. What will I be looking for in the RPC? A high number or low number? And what do I do with that information?

Yizhar: I understand the hazard, and I might have made it sound a little more dangerous than it seems. I have stateful packet inspection and many firewall rules that are customized on the server with a software firewall. So only what and who I want in will get in. Also, VPN in this situation would be more work than I think is worth. However, it is an option. In this situation I wanted to be able to tell my users how to get onto their Exchange email from home (not OWA) without making it hard on them. If you know a way to establish a VPN automatically upon receiving authenticated SMTP requests, that would be great...but I HIGHLY doubt that is possible.

Thanks for your suggestions and help...Keep it coming!!!
Brandon
 
RPC is the means of communication in the default Exchange Server profile. You can see what is going on.
Dan
Microsoft Exchange Support @ Microsoft
 
So I'm on my Exchange server, at work, and I remote to my home computer...I start Outlook and start monitoring ports on my router to see what traffic is coming through...the ports were 135, 1026 and 1222. I checked to see which of those ports were being forwarded to my server 192.168.1.205, and only the 135 (SMTP) port was being forwarded...I opened up the other two ports and directed them to my Exchange server and it works...I can log onto my Exchange server from home. Now the only problem is it takes about 50 seconds to log onto the mailbox. I think it may be because of network traffic used to transfer the mailbox info, but it could also be the authentication process taking a long time because it has to travel through the internet to do it. I will look into it.
 
135 is not SMTP! It is RPC Endpoint Mapper and needs to be open for RPC.

Also 1026 and 1222 are ephemeral ports and aren't going to be the same each time unless you statically map them.

I didn't know you were blocking ports...

As I said before, RPC sucks over the internet.
Dan
Microsoft Exchange Support @ Microsoft
 
Sorry, I didn't know what 135 was. I assumed SMTP. The other two ports are dynamic? What is sent over them? Was I right that they send authentication info?
 
RPC maps a port for the client. Then all talk after that is on these ports. Authentication as well as mail. Basically almost everything Outlook does.
Dan
Microsoft Exchange Support @ Microsoft
 
Just out of curiosity, since Outlook Web Access on Exchange 2000 (I think) gives you access to calendar, notes, tasks, etc., and is probably more responsive (particularly if they're on a dial-up), and is far far easier for a user to set up (oh, and can be accessed from machines that don't have Outlook installed), I'm wondering why you haven't used that instead of RPCing over the internet using the full Outlook client.

I've had it running for a couple weeks and it's so well-liked that I'm now being asked about customizations to the OWA "web site." I cringe at the thought of trying to talk my users through setting up a full Outlook client at home.
-Steve
 
I have used OWA. The only reason I wanted the Outlook client to be used is because I'm spoiled and greedy...I wanted Outlook...and it works...it just takes about 50 seconds to start...after that it's fine...full speed.


Mparra...That is a different question and should not be posted on this one.
 
Spoiled and greedy is fine. <grin> Thanks, I was just curious if there was a downfall to OWA that I wasn't aware of. :)
-Steve
 
I hope these ports are open to only certain IPs, and even so you are exposing yourself to man-in-the-middle attacks with your current setup. Stateful packet inspection only means your firewall is sophisticated enough to track the state of a connection. Using telnet to administer your Exchange server is an invitation to get hacked, especially from a cable modem network. All your traffic is sent in plain text and can easily be sniffed by anybody in your neighborhood.

Yizhar is right. You are in extreme danger of being hacked if you haven't been already. The only way to do this right is to set up a VPN and open a tunnel whenever you use Outlook.

If you don't believe us that is your decision. But I highly suggest you take some time to download a portscanner, and a sniffer. Read up on the applications that have ports open to the internet and make sure they are secure and patched.

For your sake I hope you have patched these:


Microsoft rates this vulnerability as a medium risk, but other organizations say it's more serious. For example, the U.S. Government's Computer Incident Advisory Capability (CIAC) flagged the risk as "high".
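
The source-restriction check raised in the post above, as an added example that is not part of the original thread: it reads a firewall log and reports allowed inbound telnet and RPC sessions (a hit on the endpoint mapper on 135 followed by a dynamically assigned port) from sources outside an allowlist. The log format, addresses, allowlist, 30-second window and the 1024 lower bound for dynamic ports are all assumptions made for the example.

```python
import ipaddress

# Constructed sample firewall log (not from the thread): "epoch src_ip dst_port action"
SAMPLE_LOG = """\
1000 203.0.113.7 135 ALLOW
1001 203.0.113.7 1026 ALLOW
1002 203.0.113.7 1222 ALLOW
1005 198.51.100.20 135 ALLOW
1006 198.51.100.20 1026 ALLOW
1010 198.51.100.99 23 ALLOW
1020 192.0.2.50 80 ALLOW
1030 192.0.2.77 1026 DENY
"""

# Assumption: the only internet sources that should reach RPC or telnet at all.
ALLOWED_SOURCES = [ipaddress.ip_network("203.0.113.0/29")]

EPM_PORT = 135       # RPC endpoint mapper, as stated in the thread
TELNET_PORT = 23
DYNAMIC_MIN = 1024   # assumption: lower bound for dynamically assigned RPC ports


def parse(log):
    """Yield (timestamp, source address, destination port, action) per valid line."""
    for line in log.splitlines():
        parts = line.split()
        if len(parts) == 4:
            yield int(parts[0]), ipaddress.ip_address(parts[1]), int(parts[2]), parts[3]


def find_exposure(log, allowed, window=30):
    """Report allowed telnet and RPC sessions from sources outside `allowed`."""
    last_epm, rpc_ports, findings = {}, {}, []
    for ts, src, port, action in parse(log):
        if action != "ALLOW" or any(src in net for net in allowed):
            continue
        if port == TELNET_PORT:
            findings.append((str(src), "telnet", [port]))
        elif port == EPM_PORT:
            last_epm[src] = ts                 # client asked the mapper for a port
            rpc_ports.setdefault(src, set())
        elif port >= DYNAMIC_MIN and src in last_epm and ts - last_epm[src] <= window:
            rpc_ports[src].add(port)           # follow-up connection on the mapped port
    findings += [(str(s), "rpc", sorted(p)) for s, p in rpc_ports.items()]
    return findings


if __name__ == "__main__":
    for finding in find_exposure(SAMPLE_LOG, ALLOWED_SOURCES):
        print(finding)
```
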
 