Exchange

Status
Not open for further replies.

PR.

Fledgling Freddie
Joined
Dec 22, 2003
Messages
124
Hi, I am hoping to do my MCSE in the next few months and wanted to setup a Windows2003 and exchange 2003 server to 'practice' on.

I've got an old dual P3 1ghz machine I can put it all on, but I have some questions...

  1. I use ntl broadband so I have a dynamic IP address will this cause a problem with email?
  2. I want to have access to it from the internet but don't really want to use VPN as that limits my access from machines that don't allow the user to create a VPN?
  3. I use a NAT router to get internet access, but with the Exchange server responding to internet requests how can I make sure its not/reduce the chance of it being attacked by hackers etc?
  4. Is there any kind of antivirus system can be used on exchange server, like Norton?
  5. Does Windows 2003 provide DNS resolution that would help me avoid ntl's piss poor DNS servers
  6. Is the ActiveSync for Exchange part of exchange or an addon?
  7. Does the 2003 version of exchange offer spam filtering?
  8. I own the domain keating.me.uk do I have to have my server on the domain Keating.me.uk to allow it to receive the mail or can it be anything?

Thanks for your help :)
 

Zephirus

Fledgling Freddie
Joined
Dec 23, 2003
Messages
23
1. Not necessarily, but I wouldn't advise using exchange for your email on a personal connection. lots of hassle, lots of insecurity, minor gains.

2. You'll be able to access it from the internet. It's advisable that you don't though, or you use the exchange web interface as exchange protocol is heavy (bandwidth intensive) and insecure (microsoft)

3. Don't run it open to the internet. Use the exchange web gateway. opening an exchange server to the internet is like walking down the street with your eyes closed and your wallet taped open on your back.

4. There are loads of virus solutions for exchange. trend, norton, McAfee etc all make them.

5. Yes, but it's not going to be huge amounts better. NT's DNS is a bit of a pain to set up iirc. Resolution will be slower as your nameserver will have less names cached.

6. If you mean activesync as in the synchronisation software for pocketpc's then it comes on the pocketpc cd's or downloads from the ms website. It syncs with exchange through outlook, which is the mail client for exchange.

7. Not as far as I am aware.

8. You will have to point the MX records (mail exchange) from your domain to the ip address of your server. As you're on cable you'll probably want to get a dyndns service setup so you could point mx records to that, and update that when your cable ip changes. You'll also need to open port 25 to the exchange machine and tell it to accept mail for your domain name. Which is reasonably simple if i remember correctly.


By the way, last time I checked exchange wasn't on the core MCSE course at all. It certainly wasn't when I did mine a year or two ago. You'd be better practicing creating domains and messing with group policy and security. A complicated group policy system can cause severe headf*ck if you're confused about it.
 

Xavier

Can't get enough of FH
Joined
Dec 22, 2003
Messages
1,542
The real answers

PR. said:
  1. I use ntl broadband so I have a dynamic IP address will this cause a problem with email?
as long as you redirect the SMTP port at your router into your server mail will still route in. Unfortunately you can't set an MX record to the server if your IP is dynamic but you can use a dynamic DNS address such as those provided by dyndns.org and manage a subdomain for email that way
  2. I want to have access to it from the internet but don't really want to use VPN as that limits my access from machines that don't allow the user to create a VPN?
you can use remote desktop to administer it. Don't open the RPC ports whatever you do - if you want to reach email externally then just use Outlook Web Access through Internet Explorer (NOT Mozilla or Firebird, etc) or Outlook over HTTP/HTTPS.
  3. I use a NAT router to get internet access, but with the Exchange server responding to internet requests how can I make sure its not/reduce the chance of it being attacked by hackers etc?
only open the SMTP and Terminal Services ports and you'll be fine
  4. Is there any kind of antivirus system can be used on exchange server, like Norton?
yes, but it's very expensive, don't even consider warezing it as it calls home and WILL fubar your machine.
  5. Does Windows 2003 provide DNS resolution that would help me avoid ntl's piss poor DNS servers
no, but you can specify a DNS server outside of NTL for your server to query instead of theirs. Remember that their DNS server may be set as default by DHCP, but it's not the only choice.
  6. Is the ActiveSync for Exchange part of exchange or an addon?
It's a standard component (*chuckles at activesync desktop component comment made above*)
  7. Does the 2003 version of exchange offer spam filtering?
Exchange 2003 can handle an Open Relay Filter, you can set it up to talk to one of the many open relay lists to block inbound spam from known open (spam) relays. It doesn't have any spam filter itself though you can also block known spam domains in the MMC. Outlook 2003 has a nice spam filter however which integrates and works alongside Exchange.
  8. I own the domain keating.me.uk do I have to have my server on the domain Keating.me.uk to allow it to receive the mail or can it be anything?
no, but as already mentioned above you won't be able to route mail to the server from a primary domain anyhow.
Thanks for your help :)
No Problem :)

Incidentally, we run Exchange 2003/ Windows Server 2003 for TechNation, so it's up to you whose answers you believe between myself and Zephirus :)

Oh, and if those copies of Server and Exchange aren't legit, don't even attempt any of the above, you can't even use an MSDN license for the kind of things you're proposing.
 

Xavier

Can't get enough of FH
Joined
Dec 22, 2003
Messages
1,542
Zephirus said:
1. Not necessarily, but I wouldn't advise using exchange for your email on a personal connection. lots of hassle, lots of insecurity, minor gains.
as long as you only open SMTP and maybe web/TS ports you run no more of a risk than running any other apps on a broadband connection
2. You'll be able to access it from the internet. It's advisable that you don't though, or you use the exchange web interface as exchange protocol is heavy (bandwidth intensive) and insecure (microsoft)
Have you even seen Exchange 2003? I'd prefer it if you didn't advise people on software you weren't familiar with. Exchange 2003 offers RPC over HTTP and HTTPS which is no more dodgy than any other HTTP call.
3. Don't run it open to the internet. Use the exchange web gateway. opening an exchange server to the internet is like walking down the street with your eyes closed and your wallet taped open on your back.
whaaa?
4. There are loads of virus solutions for exchange. trend, norton, McAfee etc all make them.
Woohoo, correct. Not that you'll need them if you stick to Outlook Web Access and Exchange Activesync.
5. Yes, but it's not going to be huge amounts better. NT's DNS is a bit of a pain to set up iirc. Resolution will be slower as your nameserver will have less names cached.
But the minor delay compared to NTL's flakiness is an easy equation.
6. If you mean activesync as in the synchronisation software for pocketpc's then it comes on the pocketpc cd's or downloads from the ms website. It syncs with exchange through outlook, which is the mail client for exchange.
No, he doesn't - Exchange Activesync is a server sync app for PocketPC's and Exchange Servers. It's been around for approximately 4 years in numerous guises.
7. Not as far as I am aware.
Yes, It does. On its own it will block open relays to cut spam by configuring the open relay filter, and with Outlook 2003 it will tag or move email it believes to be junk.
8. You will have to point the MX records (mail exchange) from your domain to the ip address of your server. As you're on cable you'll probably want to get a dyndns service setup so you could point mx records to that, and update that when your cable ip changes. You'll also need to open port 25 to the exchange machine and tell it to accept mail for your domain name. Which is reasonably simple if i remember correctly.
You can't point an MX record to a dynamic host for a primary domain.
By the way, last time I checked exchange wasn't on the core MCSE course at all. It certainly wasn't when I did mine a year or two ago. You'd be better practicing creating domains and messing with group policy and security. A complicated group policy system can cause severe headf*ck if you're confused about it.
It's an elective for the MCSE, just like IIS and MSSQL and has been since i did my Windows 2000 MCSE a little over three years ago.
 

Xavier

Can't get enough of FH
Joined
Dec 22, 2003
Messages
1,542
Incidentally PR, if that P3 has less than 512Mb RAM I wouldn't bother, Exchange 2003 + Windows Server 2003 will eat half a gig in the blink of an eye. Our server has a 3.066Ghz Hyperthreading P4 and 1Gb DDR and it STILL drags to a crawl sometimes with load.

Xav
 

PR.

Fledgling Freddie
Joined
Dec 22, 2003
Messages
124
Xavier said:
Incidentally PR, if that P3 has less than 512Mb RAM I wouldn't bother, Exchange 2003 + Windows Server 2003 will eat half a gig in the blink of an eye. Our server has a 3.066Ghz Hyperthreading P4 and 1Gb DDR and it STILL drags to a crawl sometimes with load.

Xav

Thanks for the info, gonna be using the 180 day trial so shouldn't have any problems there. Just wanted to set it up so I could have a play around, I use exchange at work but its not the kind of thing you can mess about with when 70 members of staff are sitting on it. :)

As for speed issues I'm not too worried, it will probably only have maybe 2 users in total! Our Exchange 2000 server at work sits on the same server as Print and File server with only 512mb RAM and a 500mhz P3 CPU it trundles along at a reasonable pace, hell we even have a trial of SQL server running on a P2-233 with 64mb RAM while we look into buying the full package :D

Again thanks for your help...

One last question, is there an ActiveSync component or equivalent for Exchange 2000?

Thanks :)
 

Quige

Fledgling Freddie
Joined
Dec 22, 2003
Messages
118
Xavier said:
You can't point an MX record to a dynamic host for a primary domain.

I don't understand this part of what you're saying.

I own the domain yggdrasil.org.uk, which I've registered with http://www.dyndns.org/
A client on the server updates the dns records with my current ISP allocated IP.

DynDNS allow me to specify an mx record that points to the current IP of my router, which is configured to port forward smtp to the server on the internal LAN.

Perhaps I am misunderstanding what you mean by a primary domain.

We're still using Exchange 5.5 :(
But when we do upgrade I'm looking forward to the integration into Active Directory. Setting up new accounts will be so much easier.
... I hope. And I've read that the new web client seems to implement a lot more of what the 'real' client has - I keep having ideas of just giving everyone web access only and not installing the full client on the desktop at all.

Though I guess you'd need a pretty powerful server to serve the webpages to a lot of users, in the thousands or so. Anyone have any experience of that?
 

Xavier

Can't get enough of FH
Joined
Dec 22, 2003
Messages
1,542
You've registered the domain through dyndns.org or with them?

Xav
 

inactionman

Can't get enough of FH
Joined
Dec 23, 2003
Messages
1,864
Xavier said:
You can't point an MX record to a dynamic host for a primary domain

It's an MX record, you can point it at any IP address you like! Pointing a MX record at a computer that may not be there, i.e. the computer being down, or your IP address changing and the DNS cache not being correct, is questionable though!

To play about with mail servers is all well & good, but I would not recommend attaching a mail server to the internet unless you *really* know what you are doing, too much chance of it being hijacked to send spam, particularly with microsoft's security history! You may find out that NTL blocks inbound SMTP (I don't know), in my opinion all residential services should!

I've had to shut down a number of Client's mail servers when they haven't been setup correctly and they are open relays, even when we provided a qmail relay, I love Nessus! Thankfully we tended to find them before the RBL's did!

It's not too difficult to setup an internal 'internet' email setup, not connected to the internet, and you may want to do it in your case, it will be a lot less of a headache!
 

Xavier

Can't get enough of FH
Joined
Dec 22, 2003
Messages
1,542
inactionman said:
It's an MX record, you can point it at any IP address you like! Pointing a MX record at a computer that may not be there, i.e. the computer being down, or your IP address changing and the DNS cache not being correct, is questionable though!

To play about with mail servers is all well & good, but I would not recommend attaching a mail server to the internet unless you *really* know what you are doing, too much chance of it being hijacked to send spam, particularly with microsoft's security history! You may find out that NTL blocks inbound SMTP (I don't know), in my opinion all residential services should!

I've had to shut down a number of Client's mail servers when they haven't been setup correctly and they are open relays, even when we provided a qmail relay, I love Nessus! Thankfully we tended to find them before the RBL's did!

It's not too difficult to setup an internal 'internet' email setup, not connected to the internet, and you may want to do it in your case, it will be a lot less of a headache!
:twak:

and another, for good measure

:twak:

A MX record has to be pointed at an IP address, not a DNS address, oui? You can give that IP a DNS name but that doesn't stop the fact that the MX has to be on a fixed IP, not a dynamic one. The only exception is when you have a relay and then you can point a subdomain to a dynamic host, which is how those dyndns.org addresses work, and why their service is there in the first place.

Xav
 

inactionman

Can't get enough of FH
Joined
Dec 23, 2003
Messages
1,864
Xavier said:
:twak:

and another, for good measure

:twak:

A MX record has to be pointed at an IP address, not a DNS address, oui? You can give that IP a DNS name but that doesn't stop the fact that the MX has to be on a fixed IP, not a dynamic one. The only exception is when you have a relay and then you can point a subdomain to a dynamic host, which is how those dyndns.org addresses work, and why their service is there in the first place.

Xav

Damn, you're right! I must be getting really rusty on DNS, damn policy & procedure jobs! Time to start brushing up on my technical books, instead of the books on risk analysis!

BTW, you can't point a MX record to an IP address or a CNAME, it must be pointed at an A record (which obviously then points at an IP address), at least according to RFC 1035, which has probably been obsoleted by another RFC that i've forgotten!
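
Added example, not part of the original thread and not written by any poster: a small Python linter for the MX rules argued over above. RFC 1035 defines the MX target as a host name, and RFC 2181 section 10.3 says that name must not be a CNAME alias; the zone data, the `example.test` names and the `dynamic_hosts` / `max_dynamic_ttl` parameters are constructed for illustration, and every MX target is assumed to live in the zone being checked.

```python
import ipaddress

# Constructed zone data: example.test and the documentation IP ranges are placeholders.
ZONE = """
example.test.       3600  IN MX    10 mail.example.test.
example.test.       3600  IN MX    20 192.0.2.25
example.test.       3600  IN MX    30 alias.example.test.
example.test.       3600  IN MX    40 ghost.example.test.
example.test.       3600  IN MX    50 home.example.test.
mail.example.test.  3600  IN A     192.0.2.10
alias.example.test. 3600  IN CNAME mail.example.test.
home.example.test.  86400 IN A     198.51.100.7
"""

def parse_zone(text):
    """Return (owner, ttl, rtype, rdata_fields) for each 'owner ttl IN type rdata' line."""
    records = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[2] != "IN":
            continue
        owner, ttl, _, rtype, *rdata = fields
        records.append((owner.lower(), int(ttl), rtype.upper(), rdata))
    return records

def is_ip_literal(name):
    """True if the MX target is an address instead of a host name."""
    try:
        ipaddress.ip_address(name.rstrip("."))
        return True
    except ValueError:
        return False

def lint_mx(text, dynamic_hosts=(), max_dynamic_ttl=300):
    """Map each MX target to a verdict.

    dynamic_hosts (hypothetical parameter): names whose address is updated by a
    dynamic DNS client; a long TTL on them means senders keep a stale address.
    """
    records = parse_zone(text)
    cnames = {owner for owner, _, rtype, _ in records if rtype == "CNAME"}
    addr_ttl = {}
    for owner, ttl, rtype, _ in records:
        if rtype in ("A", "AAAA"):
            addr_ttl[owner] = max(ttl, addr_ttl.get(owner, 0))
    findings = {}
    for _, _, rtype, rdata in records:
        if rtype != "MX":
            continue
        target = rdata[1].lower()          # rdata is [preference, exchange]
        if is_ip_literal(target):
            verdict = "ip-literal"         # MX RDATA must be a host name
        elif target in cnames:
            verdict = "cname"              # alias as MX target (RFC 2181 10.3)
        elif target not in addr_ttl:
            verdict = "no-address"         # nothing for a sender to connect to
        elif target in dynamic_hosts and addr_ttl[target] > max_dynamic_ttl:
            verdict = "stale-risk"         # cached address outlives the lease
        else:
            verdict = "ok"
        findings[target] = verdict
    return findings
```
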
 

Xavier

Can't get enough of FH
Joined
Dec 22, 2003
Messages
1,542
inactionman said:
Damn, you're right! I must be getting really rusty on DNS, damn policy & procedure jobs! Time to start brushing up on my technical books, instead of the books on risk analysis!
Heh, s'ok - I just don't want PR to end up confoosled, Zephirus and Quige seem to be attempting a pretty good job of that as it is ;)

Xav
 

Zephirus

Fledgling Freddie
Joined
Dec 23, 2003
Messages
23
Felt the need to respond a little bit...

as long as you only open SMTP and maybe web/TS ports you run no more of a risk than running any other apps on a broadband connection

TBH, I personally consider opening terminal services to the net a security risk. But aside from that I was not talking about the web/http ports rather the RPC and LDAP Ports that exchange clients use to talk to the server. Unless things have changed (I don't have huge experience configuring exchange 2003, but I have plenty with 5.5 and 2000), those are needed to properly access an exchange server via outlook clients (ignoring imap and pop3 as they don't give full functionality to exchange clients).

Have you even seen Exchange 2003? I'd prefer it if you didn't advise people on software you weren't familiar with. Exchange 2003 offers RPC over HTTP and HTTPS which is no more dodgy than any other HTTP call.

Fair enough, never knew that it could do that.

Referring to opening RPC and LDAP ports to the internet. Bad things.

Woohoo, correct. Not that you'll need them if you stick to Outlook Web Access and Exchange Activesync.

Uh-hu. Maybe. It's good practice to do so on server side anyway though.

But the minor delay compared to NTL's flakiness is an easy equation

Fair enough. I have a BIND caching nameserver for my own purposes. All depends on how flaky your service is, i guess (or how much time you fancy spending on hold on ntl's support line).

No, he doesn't - Exchange Activesync is a server sync app for PocketPC's and Exchange Servers. It's been around for approximately 4 years in numerous guises.

You need mobile information server, server side to activesync with exchange 2000 - it doesn't allow it out of the box. It won't work at all on 5.5. Also it only works on pocketpc 2002+ devices, that excludes ce1,2,and pocketpc 2000 devices. Outlook sync will work on all those devices.

Yes, It does. On its own it will block open relays to cut spam by configuring the open relay filter, and with Outlook 2003 it will tag or move email it believes to be junk.

All sane mail clients do at least some kind of spam filter. outlook 2000 could too, however it's best that the spam doesn't even get to your mailbox.. RBL's aren't the ideal solution to spam, but I guess they're better. Actually I believe some of the av solutions for exchange incorporate better spam filtering capabilities. Another incentive to install one.

You can't point an MX record to a dynamic host for a primary domain

My Mistake. Apologies.

It's an elective for the MCSE, just like IIS and MSSQL and has been since i did my Windows 2000 MCSE a little over three years ago.

Like I said, not on the CORE course. it's an elective.
 

Xavier

Can't get enough of FH
Joined
Dec 22, 2003
Messages
1,542
Ugh, more... *takes breath*

Exchange 2003 doesn't need anything but ports 80 and 25 open to function, both for inbound mail and synchronising external clients, as I said in my first post.

Terminal Services is as strong as any other interface which uses an NT login, you can't brute force it as the account will be locked out after 5 fails, and with the strong password requirements of Windows2003 there's more chance of some script kiddie using an IIS exploit to execute remote commands than ever compromising a TS session.

Like I said, not on the CORE course. it's an elective.
Ugh, you honestly did an MCSE? Ok, let me explain this in simple terms.

The MCSE consists of six papers entitled 'core' exams, consisting of four compulsory and two selected papers and one ELECTIVE - of which choices such as Exchange 2000/2003, SQL Server 2000, SMS and ISA servers are options. This was the same back when I did my MCSE and is shown on all the paperwork and online media you'll encounter when studying and examining regardless of the method by which you complete the qualification.

An elective is not an optional extra to the MCSE, at least one is COMPULSORY - it gets its name because it gives you a choice of how you want to specialise the MCSE, be it database, mail servers, security etc - which you would know, if you genuinely have studied and completed said course. So please don't try and split hairs, especially when you're so woefully wrong.

*yawn...*

quite finished? good

*clicks padlock*
 