Microsoft 1 Maintaining Firewall Availability, Ensuring That Only the Correct Traffic Passes Through the Firewall

Microsoft Exchange 2000 Operations Guide — Version 1.074

operating. In a multi-firewall environment, the firewalls are generally manufactured by a

number of different vendors, which can make management issues even more complex.

The responsibilities of the operations department in these circumstances will include the

following:

◆Ensuring that the firewalls continue to operate properly, implementing authorized

changes, and ensuring that there no unintended effects of authorized changes

◆Ensuring that firewalls only admit the traffic they are supposed to

◆Monitoring to detect hacker intrusion

◆Managing security breaches

Maintaining Firewall Availability

Unless your firewall(s) are up and running properly you will be unable to exchange e-mail

messages with the outside world. You should therefore place high importance on maintain-

ing the availability of your firewalls. Monitor your firewall availability just as you would

monitor the servers running Exchange and ensure that in the event of a failure, notifica-

tions are sent to the appropriate parties.

Typically when an Exchange Server computer sends messages via Simple Mail Transfer

Protocol (SMTP), it actually drops the e-mail message at the firewall, which in turn

forwards it to an external SMTP server. This means that, as far as Exchange is concerned,

the message is delivered the moment it is sent to the firewall. So, if the firewall fails,

Exchange does not detect this as a problem and reroutes messages accordingly. If a firewall

is down for any period of time, you must manually alter the configuration of your environ-

ment to make sure that messages route to other firewalls (this typically involves altering

the configuration of the SMTP Gateway on the affected route). Make sure that you plan

for firewall failure through training, exercises, and drills so you can recover your environ-

ment quickly.

Ensuring That Only the Correct Traffic Passes Through the Firewall

Your firewall is only secure if it remains configured as it should be over time. A typical

configuration of Exchange is to use front-end servers and have them sitting on a screened

subnet with one firewall in front and one behind them, protecting the back-end servers.

For example, envisage a situation where you use a front-end server for Outlook Web

Access, which you perform over a Secure Sockets Layer (SSL) connection. Table 5.1 shows

which ports need to be let through each firewall. (This scenario does not deal with outgo-

ing SMTP mail):

Table 5.1 Port-to-Firewall Configuration Example

Source Destination Service Protocol and port

Internet/External Screened Subnet HTTPS TCP 443

Screened Subnet Internal/Private Networ k DNS TCP, UDP 53