I apologize for not being more specific... I was referring to using OL2002
in MAPI mode. As I understand it, ISA server has publishing rules to make
the firewall config easy. In addition, I also read that MAPI uses
encryption of the RPC. Is anyone familiar with this?
The primary docs I was referring to are:
From Microsoft Exchange 2000 Server Hosting Series
http://www.microsoft.com/technet/treeview/default.asp?url=/technet/prodtechnol/exchange/exchange2000/plan/exchterm.asp?frame=true
Chapter 3 (Planning) discusses clients.
Thanks
Keith
-----Original Message-----
From: Keith Smith [mailto:ksmith (at) firesnacks (dot) com [email concealed]]
Sent: Monday January 13, 2003 10:53 AM
To: focus-ms (at) securityfocus (dot) com [email concealed]
Subject: RE: AD replication over WAN
I have a similar question, though in application to Outlook 2002 clients
accessing an exchange server across the Internet. Microsoft claims that with
OL2002, clients don't need to employ a VPN across the internet, as the RPC
is all encrypted.
Would a VPN also be recommended in this instance given the observations
below?
Thanks
Keith
-----Original Message-----
From: Jim Harrison (SPG) [mailto:jmharr (at) microsoft (dot) com [email concealed]]
Sent: Sunday January 12, 2003 9:43 PM
To: Valentine M. Smith; focus-ms (at) securityfocus (dot) com [email concealed]
Subject: RE: AD replication over WAN
Given that the replication path (port/protocol) is well-defined and
generally understood, it also makes sense that they could also provide a
"door" to your AD controllers for those who wish to do you harm for no
apparent reason.
With that in mind, it seems clear to me that a site-to-site VPN is not only
preferable, it's mandatory.
* Jim Harrison <mailto:jmharr (at) microsoft (dot) com [email concealed]>
MCP(NT4/2K), A+, Network+
Security Business Unit (ISA)
________________________________
From: Valentine M. Smith [mailto:vmsmith (at) grokking (dot) org [email concealed]]
Sent: Thu 1/9/2003 06:21
To: focus-ms (at) securityfocus (dot) com [email concealed]
Subject: AD replication over WAN
Hi,
I'm looking for some feedback from the community regarding the transfer of AD
traffic over a public WAN.
The basic plan is this:
Single Win 2000 domain spread over two sites in different cities. Each site
has a perimeter NAT device and is obscuring internal subnets with IP addresses
provided by a single ISP. No internetwork VPN planned. DNS is AD-integrated
at both sites. Both DCs are patched to SP3.
The MS documentation I've consulted indicates that AD replication, and by
extension, DNS zone information that is AD-integrated is automatically
encrypted.
My question: if the data is already encrypted and is passing only across a
single ISP's network, should one be bothering with a router-router VPN tunnel
for this traffic? IOW, would setting up such a tunnel for this data be
redundant/unnecessary or am I missing something important here? Would anyone
care to comment on the relative safety of AD encryption out-of-the-box?
Thanks in advance for any feedback,
VS
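Jim's point above is that the replication path is well-known, so a defender running DCs across a public WAN should at least see who is actually reaching the DC services from anywhere other than the peer site. The following is an added example, not from the thread: it audits constructed firewall log lines (a simple key=value log format and TEST-NET addresses are assumed) for connections to domain-controller service ports from any source that is not the other site's DC.

```python
import re

# Assumed, not from the thread: the two sites' DCs as seen on the WAN.
# Addresses are constructed TEST-NET values.
PEER_DCS = {"203.0.113.10", "198.51.100.20"}

# Well-known ports a DC exposes and that AD replication depends on. AD
# replication itself runs over RPC: the endpoint mapper on TCP 135 hands
# out a dynamically assigned port, so 135 is the one to watch for outsiders.
DC_PORTS = {53: "DNS", 88: "Kerberos", 135: "RPC endpoint mapper",
            389: "LDAP", 445: "SMB", 636: "LDAPS", 3268: "Global Catalog"}

# Constructed sample log: two lines from the peer DC, two from an outside
# host probing the same services, one unrelated line that should be ignored.
SAMPLE_LOG = """\
2003-01-13 10:51:02 proto=tcp src=198.51.100.20:2049 dst=203.0.113.10:135 action=allow
2003-01-13 10:51:02 proto=tcp src=198.51.100.20:2050 dst=203.0.113.10:389 action=allow
2003-01-13 10:52:17 proto=tcp src=192.0.2.77:41002 dst=203.0.113.10:135 action=allow
2003-01-13 10:52:18 proto=tcp src=192.0.2.77:41003 dst=203.0.113.10:389 action=allow
2003-01-13 10:53:01 proto=tcp src=192.0.2.77:41004 dst=203.0.113.10:80 action=deny
"""

LOG_RE = re.compile(r"proto=(?P<proto>tcp|udp) src=(?P<src>[\d.]+):\d+ "
                    r"dst=(?P<dst>[\d.]+):(?P<dport>\d+) action=(?P<action>\w+)")

def audit(log_text, peer_dcs=PEER_DCS):
    """Return (status, src, dst, service) for every hit on a DC service port.
    Traffic from a known peer DC is 'expected'; anything else is 'EXPOSED'."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.search(line)
        if not m:
            continue
        service = DC_PORTS.get(int(m["dport"]))
        if service is None:
            continue  # not a DC service port, not our concern here
        status = "expected" if m["src"] in peer_dcs else "EXPOSED"
        findings.append((status, m["src"], m["dst"], service))
    return findings

def exposed_sources(log_text, peer_dcs=PEER_DCS):
    """Count EXPOSED hits per source so the noisiest outside host surfaces first."""
    counts = {}
    for status, src, _dst, _service in audit(log_text, peer_dcs):
        if status == "EXPOSED":
            counts[src] = counts.get(src, 0) + 1
    return counts

if __name__ == "__main__":
    for finding in audit(SAMPLE_LOG):
        print("%-8s %-15s -> %-15s %s" % finding)
    print("exposed sources:", exposed_sources(SAMPLE_LOG))
```

With a site-to-site tunnel in place, the same check reduces to "any DC service hit whose source is not the tunnel endpoint", which is the property Jim's recommendation buys.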