From: Jim Harrison (ISA) (jmharr_at_microsoft.com)
Date: Fri Jan 17 2003 - 10:06:55 CST


    Check out ISA FP1; it includes a new RPC filter that makes encrypted RPC
    for Exchange a brain-dead operation, and also adds an OWA wizard to make
    web-publishing OWA another brain-dead operation.
    http://microsoft.com/downloads/details.aspx?FamilyID=2f92b02c-ac49-44df-af6c-5be084b345f9&DisplayLang=en
    (watch out for the wrap beast).

    * Jim Harrison
    MCP(NT4/2K), A+, Network+
    Security Business Unit (ISAQFE)

    -----Original Message-----
    From: Keith Smith [mailto:ksmith@firesnacks.com]
    Sent: Monday, January 13, 2003 09:07
    To: focus-ms@securityfocus.com
    Subject: FW: AD replication over WAN

    All:

    I apologize for not being more specific... I was referring to using
    OL2002 in MAPI mode. As I understand it, ISA server has publishing
    rules to make the firewall config easy. In addition, I also read that
    MAPI uses encryption of the RPC. Is anyone familiar with this?

    The primary docs I was referring to are:

    From Microsoft Exchange 2000 Server Hosting Series
    http://www.microsoft.com/technet/treeview/default.asp?url=/technet/prodtechnol/exchange/exchange2000/plan/exchterm.asp?frame=true

    Chapter 3 (Planning) discusses clients.

    Thanks
    Keith

    -----Original Message-----
    From: Keith Smith [mailto:ksmith@firesnacks.com]
    Sent: Monday January 13, 2003 10:53 AM
    To: focus-ms@securityfocus.com
    Subject: RE: AD replication over WAN

    I have a similar question, though in application to Outlook 2002 clients
    accessing an exchange server across the Internet. Microsoft claims that
    with OL2002, clients don't need to employ a VPN across the internet, as
    the RPC is all encrypted.

    Would a VPN also be recommended in this instance given the observations
    below?

    Thanks
    Keith

    -----Original Message-----
    From: Jim Harrison (SPG) [mailto:jmharr@microsoft.com]
    Sent: Sunday January 12, 2003 9:43 PM
    To: Valentine M. Smith; focus-ms@securityfocus.com
    Subject: RE: AD replication over WAN

    Given that the replication path (port/protocol) is well-defined and
    generally understood, it also makes sense that they could also provide a
    "door" to your AD controllers for those who wish to do you harm for no
    apparent reason.
     
    With that in mind, it seems clear to me that a site-to-site VPN is not
    only preferable, it's mandatory.
     
    * Jim Harrison <mailto:jmharr@microsoft.com>
    MCP(NT4/2K), A+, Network+
    Security Business Unit (ISA)

    ________________________________

    From: Valentine M. Smith [mailto:vmsmith@grokking.org]
    Sent: Thu 1/9/2003 06:21
    To: focus-ms@securityfocus.com
    Subject: AD replication over WAN
             

    Hi,

    I'm looking for some feedback from the community regarding the transfer
    of AD traffic over a public WAN.

    The basic plan is this:

    Single Win 2000 domain spread over two sites in different cities. Each
    site has a perimeter NAT device and is obscuring internal subnets with IP
    addresses provided by a single ISP. No internetwork VPN planned. DNS is
    AD-integrated at both sites. Both DCs are patched to SP3.

    The MS documentation I've consulted indicates that AD replication, and
    by extension, DNS zone information that is AD-integrated is
    automatically encrypted.

    My question: if the data is already encrypted and is passing only across
    a single ISP's network, should one be bothering with a router-router VPN
    tunnel for this traffic? IOW, would setting up such a tunnel for this
    data be redundant/unnecessary or am I missing something important here?
    Would anyone care to comment on the relative safety of AD encryption
    out-of-the-box?

    Thanks in advance for any feedback,

    VS