Exchange and ISA help

Hi,

Hopefully we are soon to be implementing Microsoft Exchange Server 2007 and ISA Server 2006 and I have a few questions about the deployment process and security etc. I currently have it in a test environment as well so I can test out any suggestions :)

1.) Currently there is no edge transport server and the one exchange server with the hub transport role sends and receives all mail. Is this secure? Our email is sent through a smart host which apparently has reverse DNS enabled which adds more security IIRC?

2.) Will a 3.0GHz Xeon with 1GB RAM run exchange ok?

3.) How do I setup ISA server to route email traffic through to the exchange server? I'm assuming I need to send all traffic for port 25 on to the exchange servers internal IP address as the only access exchange has to the internet is via the ISA server.

4.) What can I do for anti-virus and anti-spam protection? I was looking at Sophos PureMessage but this doesn't support Exchange 2007 yet and it looks like exchange forefront security is the only option but I'm not sure whether this will work without the edge transport server role installed.

5.) I'm concerned about security of OWA 2007. I've been watching the demos on the microsoft site and it seems users can upload and download files from the server from home which I don't want. I also don't want public folders which allow users to place files there (?) so is there anyway to remove this apart from just unmounting the public folder database?

6.) Any advice for extra security and installation tips would be welcome :D

I'm sure I'll think of some more questions soon but any help with those would be much appreciated :)

Thanks

Ben
 
It would help if you could specify the number of users who will be connecting to the exchange server and being authenticated via ISA.

You don't have to use an edge transport server although it is more secure as it acts as a medium between the DMZ which is where it would be placed and your internal mailbox server.

Port 25 is the only service that needs to be forwarded to the mailbox server.

Symantec AntiVirus for Exchange is what I'd recommend for protection on the server itself.

OWA is very secure if configured correctly, you really want to be using security on the connection though, SSL would be first choice.
 
ISA questions...
http://www.isaserver.org


I'd be tempted to run the AV and A.Spam on the ISA server,
I'd always prefer to leave Exchange running on a clean machine,
- GFI and others do something suitable.

I wouldn't rely on Exchange to stop spam,
I've had to do some pretty fiddly scripting to keep our domain spam free.
3rd party stuff gives you a lot more flexibility

Any chance you could run the AV/Spam on a third box ?
it makes a hardware/software failure less of an issue.


Viruses via email are not a big deal, block infectable attachments, and look out for new exploits of filetypes.
tbh. I've not seen a virus in years that wasn't .exe, .scr, .pif

my AV scanner hasn't got near a virus since it was installed, the filetype filter does it all :-/



Using ISA Server 2006 with Exchange 2007
www.microsoft.atat.at/technet/prodt...elp/53a0def9-b827-47dc-ad9a-7ecbe4fb31d7.mspx

Publishing Exchange 2007 OWA with ISA Server 2006
http://www.msexchange.org/tutorials/Publishing-Exchange-2007-OWA-ISA-Server-2006.html

Exchange Server 2007 Partners: Antivirus, Antispam
http://www.microsoft.com/exchange/partners/2007/antivirus.mspx

Exchange 2007 Processor and Memory Recommendations
http://msexchangeteam.com/archive/2006/11/27/431644.aspx

...looking at 2Gb min, exchange has always sucked up RAM




.
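The "block infectable attachments" advice in the post above, as an added example rather than anything the poster wrote: a Python filter that pulls the declared file names out of a MIME message and checks the effective extension against a deny list. It normalises the name the way Windows does (case-folded, trailing dots and spaces dropped) so a double extension like Invoice.PDF.EXE, an RFC 2231-encoded file name and a trailing dot are all caught. The extensions beyond .exe/.scr/.pif and the sample message are constructed assumptions for the demo, not anything from the thread.

```python
"""Attachment-type filter over a MIME message (added example, not from the post)."""
import os
from email import message_from_string

# The post names .exe/.scr/.pif; the rest are an assumed starting list.
BLOCKED_EXTENSIONS = {".exe", ".scr", ".pif", ".com", ".bat", ".cmd", ".vbs"}

# Constructed sample: one harmless PDF plus three attachments that use the
# usual tricks (double extension, RFC 2231 encoded name, trailing dot).
SAMPLE_MESSAGE = """\
From: sender@example.com
To: ben@testnet.local
Subject: constructed sample
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

See attached.
--b1
Content-Type: application/pdf; name="report.pdf"
Content-Disposition: attachment; filename="report.pdf"
Content-Transfer-Encoding: base64

JVBERi0=
--b1
Content-Type: application/octet-stream
Content-Disposition: attachment; filename="Invoice.PDF.EXE"
Content-Transfer-Encoding: base64

TVqQAA==
--b1
Content-Type: application/octet-stream
Content-Disposition: attachment; filename*=utf-8''%6C%6F%61%64%65%72.pif
Content-Transfer-Encoding: base64

TVqQAA==
--b1
Content-Type: application/octet-stream; name="wallpaper.scr."
Content-Transfer-Encoding: base64

TVqQAA==
--b1--
"""


def attachment_names(raw_message):
    """Declared file name of every leaf part that has one (Content-Disposition
    filename, falling back to the Content-Type name parameter)."""
    msg = message_from_string(raw_message)
    return [part.get_filename() for part in msg.walk()
            if not part.is_multipart() and part.get_filename()]


def normalized_extension(filename):
    """Final extension as Windows would see it: case-folded, trailing dots and
    spaces removed, so 'Invoice.PDF.EXE' -> '.exe' and 'wallpaper.scr.' -> '.scr'."""
    return os.path.splitext(filename.strip().rstrip(". "))[1].lower()


def blocked_attachments(raw_message, blocked=BLOCKED_EXTENSIONS):
    """Names of attachments whose effective extension is on the deny list."""
    return [name for name in attachment_names(raw_message)
            if normalized_extension(name) in blocked]


def filter_message(raw_message):
    """Gateway decision for one message: ('reject', [names]) or ('accept', [])."""
    hits = blocked_attachments(raw_message)
    return ("reject" if hits else "accept"), hits


if __name__ == "__main__":
    decision, names = filter_message(SAMPLE_MESSAGE)
    print(decision, names)
```

The filter only sees declared names, not content: a renamed executable or one inside a zip passes, which is the gap the desktop AV mentioned later in the thread is there to cover.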
 
Thanks for all the replies :)

Backup should be okay- IIRC there is an exchange agent for Symantec Veritas Backup which we already have so I think we will just need to purchase the extra agent. If not, is it possible to use the volume shadow copy service to back up an image of exchange and then back the image up as a normal file?

How would I go about running the exchange anti-virus and anti-spam software on the ISA server? Does it not need to be installed on the same box as exchange? It's got to go on either the ISA server or the exchange box- I don't think we can afford another one which is why I'm trying to do away with the edge transport server if possible :cool:. (ISA server is a dual 2GHz Xeon with 1GB RAM BTW) Do GFI do education prices as well as I can't see any on the website? I'm going to give Sophos a call and see if they are planning to support exchange 2007 with puremessage as I'm fairly sure we will be able to get some kind of discount as the rest of the site is covered with sophos A/V.

For blocking certain attachment types- is this set in recipient policies somewhere?

Number of users will be about 700 Students and 100 Staff :)

With regards to public folders- is this just a folder somewhere where the files go? If so, could I just set deny permissions on it for everyone except domain admins or is it all stored in the public folder database?

With regards to OWA being secure when setup correctly, is there anything I should be aware of- i.e. options that are on by default that need to be off for example browsing server shares remotely which I don't want... Any tips on getting it setup securely would be brilliant :D It will be on an SSL connection when I find out how to do it- I did have a tutorial somewhere but seem to have lost it :o

Thanks for all the help BTW, it's much appreciated.

Ben
 
Well I can perhaps try and push it to 2GB but if it's all we can afford then it's all we can afford. The server we are getting has support for two CPUs so if it comes to it, we can always add a second CPU at a later date :) It will only ever have about 5 users sending mail at the same time anyway so i'm fairly sure it will be fine :cool:
 
Trigger said:
With regards to public folders- is this just a folder somewhere where the files go? If so, could I just set deny permissions on it for everyone except domain admins or is it all stored in the public folder database?

I have not had too much experience with 2007, but i seem to recall that you can install it without public folders if you want to (in fact i think this is the default) I assume this is to force people to move over to using Sharepoint.
 
Trigger said:
Well I can perhaps try and push it to 2GB but if it's all we can afford then it's all we can afford. The server we are getting has support for two CPUs so if it comes to it, we can always add a second CPU at a later date :) It will only ever have about 5 users sending mail at the same time anyway so i'm fairly sure it will be fine :cool:

With 5 users at a time it would be ok. ISA and exchange would prefer 2 gig of ram. You could also create a separate volume for the page file which will help.
 
oddjob62 said:
I have not had too much experience with 2007, but i seem to recall that you can install it without public folders if you want to (in fact i think this is the default) I assume this is to force people to move over to using Sharepoint.

Yeah, there is an option in setup- it's not default but it's there however it stops me using Outlook 2003 (Which it will be used with as well as OWA 2007) unless I create a public folder database manually :( Is there another way to disable it?

Thanks for the replies btw :)

Ben
 
JonRohan said:
With 5 users at a time it would be ok. ISA and exchange would prefer 2 gig of ram. You could also create a separate volume for the page file which will help.

Okay thanks, I'll try and do that. Then again, anything will be better than what they are currently running on in the test network- the exchange server has dual 900MHz celerons with 786Mb RAM and 40GB of disk space and ISA is running on dual PIII's with 256Mb RAM with a 6GB IDE Hard Drive because the SCSI card packed up :cool:
 
Trigger said:
For blocking certain attachment types- is this set in recepient policies somewhere?

I was referring to 3rd party apps that do email filtering, but I believe you can also configure MS Office to block whatever filetype you want.
Maybe Exchange 2007 can do it now too.


If you already have Sophos AV, you might as well stick with that, the less mgmt tools required the better.
If you already have AV on the desktop, (and you can block certain filetypes), then running AV on an Exchange/Gateway box is nice, but not always essential.
so I'd be tempted to wait for Sophos PureMessage


What kind of spam situation are you in ?
as some sites get swamped, some get away with very little junk

.
 
Yeah, all the workstations have Sophos on them and it auto-shreds any files that are viruses. As for spam- we don't get any is the simple answer. The only address we have which does get spam is the one which is made publicly available on the website but we can cope with that. If we did get PureMessage, how would I get it to run on the ISA server?

Also, do you have any tips for setting up OWA or is it just as simple as installing exchange then using the two wizards in ISA- publish mail server and publish exchange web access?

Thanks

Ben
 
Right well I've managed to get it to send mail yesterday but for some reason it won't receive it. I've set the address in the accepted domains list but if I send an email from another email provider it returns it saying the sender couldn't be authenticated but I can't work out whether it is being returned by the ISA server or it's actually getting through to the exchange server and it's that that's not accepting the mail and returning it.

Thanks for any help,

Ben
 
Trigger said:
Right well I've managed to get it to send mail yesterday but for some reason it won't receive it. I've set the address in the accepted domains list but if I send an email from another email provider it returns it saying the sender couldn't be authenticated but I can't work out whether it is being returned by the ISA server or it's actually getting through to the exchange server and it's that that's not accepting the mail and returning it.

If you try to send from an internal telnet connection on port 25 does that work? That should rule out ISA from the equation
 
Right, I've never done this before but a quick google has given me a few pointers. Would I type something like this:

Code:
telnet victor.testnet.local 25  [ENTER]

helo zulu.rsc.local  [ENTER]

mail from:<[email protected]>  [ENTER]

rcpt to:<[email protected]>  [ENTER]

data  [ENTER]

Test Email  [ENTER]

.  [ENTER]

quit  [ENTER]

Where 'victor' is the exchange server and 'zulu' is another server.

Does that seem right?

Thanks :)

Ben
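As an added example (not part of the thread), the script below does what the telnet session above does by hand, but records every reply and says which side refused: if nothing answers on port 25, the ISA publishing rule or firewall is the suspect; if a server answers and rejects MAIL FROM with 530 5.7.1, the Exchange receive connector is doing the refusing and ISA is out of the picture. So that it runs offline it talks to a constructed stand-in server; the host names, addresses and reply strings are assumptions modelled on Exchange 2007's responses, not captured from the poster's servers.

```python
"""SMTP hand-shake probe (added example, not from the post)."""
import socket
import threading

# Assumed names for the demo; a real run uses the Exchange server's name.
HELO_NAME = "zulu.rsc.local"
SENDER = "test@rsc.local"
RECIPIENT = "ben@testnet.local"


def fake_exchange(anonymous):
    """Constructed stand-in for a Hub Transport receive connector; returns its port.
    anonymous=False imitates the Default Receive Connector before 'Anonymous users'
    is added to its permission groups: MAIL FROM is answered 530 5.7.1.
    Reply texts are assumptions modelled on Exchange 2007."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]

    def serve():
        conn, _ = srv.accept()
        rd = conn.makefile("rb")

        def say(line):
            conn.sendall((line + "\r\n").encode())

        say("220 victor.testnet.local Microsoft ESMTP MAIL Service ready")
        in_data = False
        for raw in rd:
            line = raw.decode(errors="replace").rstrip("\r\n")
            if in_data:                        # body continues until a lone '.'
                if line == ".":
                    in_data = False
                    say("250 2.6.0 Queued mail for delivery")
                continue
            verb = line.split(" ", 1)[0].upper()
            if verb in ("HELO", "EHLO"):
                say("250 victor.testnet.local Hello")
            elif verb == "MAIL":
                say("250 2.1.0 Sender OK" if anonymous
                    else "530 5.7.1 Client was not authenticated")
            elif verb == "RCPT":
                say("250 2.1.5 Recipient OK")
            elif verb == "DATA":
                in_data = True
                say("354 Start mail input; end with <CRLF>.<CRLF>")
            elif verb == "QUIT":
                say("221 2.0.0 Service closing transmission channel")
                break
            else:
                say("500 5.3.3 Unrecognized command")
        conn.close()
        srv.close()

    threading.Thread(target=serve, daemon=True).start()
    return port


def _reply(rd):
    """Read one SMTP reply, joining '250-' continuation lines -> (code, text)."""
    texts = []
    while True:
        line = rd.readline().decode(errors="replace").rstrip("\r\n")
        if len(line) < 3 or not line[:3].isdigit():
            raise ConnectionError("connection closed or non-SMTP reply: %r" % line)
        texts.append(line[4:])
        if len(line) == 3 or line[3] != "-":
            return int(line[:3]), " ".join(texts)


def smtp_probe(host, port, helo=HELO_NAME, mail_from=SENDER, rcpt_to=RECIPIENT,
               body="Test Email", timeout=5):
    """Run HELO/MAIL FROM/RCPT TO/DATA/QUIT and return (steps, verdict).
    'no listener' = nothing answered (firewall / publishing rule suspect);
    'rejected at ...' = an SMTP server answered and refused (mail server side)."""
    steps = []
    try:
        sock = socket.create_connection((host, port), timeout=timeout)
    except OSError as exc:
        return steps, "no listener: %s" % exc
    with sock, sock.makefile("rb") as rd:
        code, text = _reply(rd)
        steps.append(("<banner>", code, text))

        def cmd(line):
            sock.sendall((line + "\r\n").encode())
            c, t = _reply(rd)
            steps.append((line, c, t))
            return c, t

        for line in ("HELO %s" % helo, "MAIL FROM:<%s>" % mail_from,
                     "RCPT TO:<%s>" % rcpt_to, "DATA"):
            c, t = cmd(line)
            if c >= 400:                       # stop at the first refusal
                verdict = "rejected at '%s': %d %s" % (line, c, t)
                try:
                    cmd("QUIT")
                except OSError:
                    pass
                return steps, verdict
        # 354 received: headers, blank line, body, then the terminating lone dot
        sock.sendall(("Subject: probe\r\n\r\n%s\r\n.\r\n" % body).encode())
        c, t = _reply(rd)
        steps.append(("<message>", c, t))
        cmd("QUIT")
        return steps, "accepted" if c < 400 else "rejected after DATA: %d %s" % (c, t)


def demo():
    """Three scenarios against constructed servers; returns {label: verdict}."""
    results = {}
    for label, anon in (("default_connector", False), ("anonymous_allowed", True)):
        _, results[label] = smtp_probe("127.0.0.1", fake_exchange(anon))
    spare = socket.socket()
    spare.bind(("127.0.0.1", 0))
    dead_port = spare.getsockname()[1]
    spare.close()                              # nothing listens here any more
    _, results["no_listener"] = smtp_probe("127.0.0.1", dead_port, timeout=2)
    return results


if __name__ == "__main__":
    for label, verdict in demo().items():
        print("%-18s %s" % (label, verdict))
```

Run it as-is to see the three verdicts, then point smtp_probe at the Exchange server's name and port 25 from inside the network, as the previous reply suggests. A 530 5.7.1 on MAIL FROM from a fresh Exchange 2007 install is what the Default Receive Connector returns while Anonymous users are missing from its permission groups, which is the connector setting the later reply in this thread points at.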
 
OK, you are definitely going to need a better spec machine. Think about students sending emails with big attachments, or loads of them chatting by email? Would you rather wait to get more money, or provide a carp service that is always down. Much hate to be had from this.

Sophos IMO is the best protection for exchange. I presume you already have AD up and working?

Public folders, file uploads can be restricted at admin level.
 
Trigger said:
but I can't work out whether it is being returned by the ISA server or it's actually getting through to the exchange server

the route it takes should be in the headers ?

there should be an option for Exchange message logging somewhere, try turning that on


there should be something that sets the connector's permissions to allow anonymous users to submit mail
http://technet.microsoft.com/en-us/library/5683549a-4f48-429d-b353-cc2b7c784e29.aspx



no actual facts were used in this post
.
 