The password and the data can be encrypted, so this is not the issue. But to ensure communications, you have to open the RPC Endpoint Mapper and two or three additional high ports to the Exchange Server, and it could be possible to DoS or hack the Exchange Server using these ports. Since one of the high ports is used to connect to the Information Store, even corrupting/deleting data could be accomplished. So the reason for using a VPN is to protect the Exchange server from a direct connection to the Internet.
Since you can often implement an IPSec or PPTP VPN without any additional licensing costs, this should be done, and I do not even see the need to have arguments on this.
Regards,
Jens Mickerts
-----Original Message-----
From: Joseph Burton [mailto:joseph_burton1970 (at) hotmail (dot) com]
Sent: Saturday, 8 March 2003 17:08
To: focus-ms (at) securityfocus (dot) com
Subject: Exchange/MAPI/RPC
Hello all,
I have a client that will soon start using Microsoft Exchange, and I have a
question regarding the Outlook client. The Exchange client in Outlook uses
the MAPI protocol which uses RPC to communicate with the Exchange server. I
know it's not recommended to connect from the Internet using MAPI, without
using any form of encryption like IPSec.
My question is simply, why? Why is it dangerous to use MAPI/RPC over
Internet? Is the password sent in clear text or something? I need some good
arguments to convince my client to use VPN for the roaming users.
Thanks in advance,
//Joe
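
Added example, not part of either message: a Python check over a constructed firewall rule list that reports which allow rules let non-VPN sources reach the RPC endpoint mapper (TCP 135) or the Exchange server's RPC high ports, which is the exposure the reply describes. The addresses, the high ports 5000 and 5001, the rule format and the function names are assumptions made for illustration.

```python
import ipaddress

EPMAP = 135  # TCP port of the RPC endpoint mapper

def port_span(spec):
    """'135' -> (135, 135); '1024-65535' -> (1024, 65535)."""
    lo, _, hi = spec.partition("-")
    return int(lo), int(hi or lo)

def exposed_rpc(rules, server_ip, rpc_ports, trusted_nets):
    """List (rule name, port) for each allow rule that lets a source outside
    trusted_nets reach the endpoint mapper or an RPC high port on server_ip."""
    server = ipaddress.ip_address(server_ip)
    trusted = [ipaddress.ip_network(n) for n in trusted_nets]
    findings = []
    for rule in rules:
        if rule["action"] != "allow" or rule["proto"] != "tcp":
            continue
        if server not in ipaddress.ip_network(rule["dst"]):
            continue
        src = ipaddress.ip_network(rule["src"])
        if any(src.subnet_of(net) for net in trusted):
            continue  # reachable only from VPN or internal addresses
        lo, hi = port_span(rule["ports"])
        for port in [EPMAP, *sorted(rpc_ports)]:
            if lo <= port <= hi:
                findings.append((rule["name"], port))
    return findings

def mk_rule(name, src, ports, action="allow"):
    """Build one constructed TCP rule aimed at the sample Exchange host."""
    return {"name": name, "action": action, "proto": "tcp",
            "src": src, "dst": "192.0.2.10/32", "ports": ports}

# Constructed values (assumptions): 192.0.2.10 stands in for the Exchange
# server, 10.8.0.0/24 for the VPN client pool, 5000/5001 for its RPC high ports.
RPC_PORTS = {5000, 5001}
TRUSTED = ["10.8.0.0/24"]
DIRECT = [mk_rule("smtp-in", "0.0.0.0/0", "25"),
          mk_rule("mapi-epmap", "0.0.0.0/0", "135"),
          mk_rule("mapi-high", "0.0.0.0/0", "1024-65535")]
VIA_VPN = [mk_rule("smtp-in", "0.0.0.0/0", "25"),
           mk_rule("vpn-mapi", "10.8.0.0/24", "135"),
           mk_rule("vpn-mapi-high", "10.8.0.0/24", "5000-5001")]

if __name__ == "__main__":
    for label, rules in (("direct", DIRECT), ("via VPN", VIA_VPN)):
        print(label, exposed_rpc(rules, "192.0.2.10", RPC_PORTS, TRUSTED))
```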