I am a bit more than paranoid when it comes to protecting my Exchange and Lync servers from all of those evil people out on the Internet. I like my servers to be protected from all of those annoying script kiddies along with those that are much better at hacking than the typical script kiddie.
No OWA for me. After all, if OWA is published, it can be attacked with lots of improper connection attempts. If Outlook Anywhere, also known as RPC over HTTPS, is available, the servers can be attacked. It is bad enough that the Exchange environment has to listen for port 25 connections. Lots of nasty viruses are transmitted over port 25.
If I could, I would wrap my servers in sterile plastic and rubber. Safe computing is vital, or you could catch something very bad and spread it around.
Anyway, the point of this post is that I had the need to access the Microsoft Federation Gateway (MFG) to share free/busy information with another company. Imagine me getting that bad feeling of having to expose my servers to that dirty, filthy, bad Internet.
My first take was that I was going to have to work with all of the firewall guys and have them open up the ports to the MFG. I have to say this really scared me as it required:
- Opening everything needed for OWA access from the Internet
- Limiting the access to just the servers for the MFG.
Option 1 is much scarier than Option 2. Option 2, though, is scary enough. Per Microsoft’s documentation, you need to open the following from all of the Client Access servers in the environment to the MFG IP ranges and URLs:
207.46.150.128/25
207.46.164.0/24
*.microsoftonline-p.com
*.live.com
*.microsoftonline.com
*.microsoftonlinesupport.net
In case you didn’t notice the *.live.com entry, let me point it out. I about spit up lunch when I saw it. Opening Exchange up to everything at live.com was enough to make me choke and spit and make me ill over all.
OK, that all said, I was on a call with a MFG specialist and he said, “Damn, Russ, you are paranoid. Why don’t you just use a Proxy server in your company to make the connections and then you won’t have to screw around with the firewall rules needed.” Hmmm, proxy server? I like that much more, and it seemed like a much better solution. So, I asked the question, “OK, I know how to set the browser and other applications to use the proxy server, but that requires inputting the settings in the interface, but I am not aware of any method for inputting the settings so that the Client Access server can leverage the proxy server.”
Aha, the key! I learned something new: I had not known that this was even possible. A simple PowerShell command, run from the Exchange Management Shell, and all was well (ProxyServerName and Port# are placeholders for your own proxy host and port):
get-exchangeserver | where {$_.serverrole -ilike '*clientaccess*'} | Set-ExchangeServer -InternetWebProxy http://ProxyServerName:Port#
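Here is an added example (my own expanded version of that one-liner, not something from Microsoft's documentation) that applies the proxy to every Client Access server, then verifies that each one actually picked up the setting and that the federation trust still works through the proxy. The proxy URL, the 8080 port and the user@contoso.com mailbox are placeholders; Test-FederationTrust is assumed to be available (it ships with Exchange 2010 and later). Run it from the Exchange Management Shell.

```powershell
# Added example: point every Client Access server at an outbound web proxy
# for its MFG traffic, verify the setting, and exercise the federation path.
# Placeholder: replace with your own proxy host and port.
$ProxyUri = 'http://ProxyServerName:8080'

# Select Client Access servers the same way the post's one-liner does,
# by matching the role, then apply the proxy to each one explicitly.
$casServers = Get-ExchangeServer | Where-Object { $_.ServerRole -ilike '*ClientAccess*' }
foreach ($server in $casServers) {
    Set-ExchangeServer -Identity $server.Identity -InternetWebProxy $ProxyUri
}

# Show what each Client Access server now reports for its proxy.
Get-ExchangeServer |
    Where-Object { $_.ServerRole -ilike '*ClientAccess*' } |
    Format-Table Name, ServerRole, InternetWebProxy -AutoSize

# Re-read the servers and flag any whose proxy is empty or differs from
# what we set. InternetWebProxy is a [uri], so compare against a [uri]
# rather than a string (Uri.ToString() appends a trailing slash).
$expected = [uri]$ProxyUri
$notSet = $casServers |
    ForEach-Object { Get-ExchangeServer -Identity $_.Identity } |
    Where-Object { $_.InternetWebProxy -ne $expected }

if ($notSet) {
    Write-Warning ("Proxy not applied on: " + (($notSet | ForEach-Object { $_.Name }) -join ', '))
} else {
    Write-Host "InternetWebProxy set to $ProxyUri on all $($casServers.Count) Client Access server(s)."
}

# Finally, confirm the MFG is reachable through the proxy by testing the
# federation trust for one mailbox (placeholder address). Any failure here
# usually means the proxy itself is not allowed out to the MFG ranges/URLs.
Test-FederationTrust -UserIdentity user@contoso.com -Verbose
```

The verification step matters because Set-ExchangeServer writes to Active Directory, and a server that has not yet replicated the change keeps calling the MFG directly, which is exactly the firewall path this setup is meant to avoid. Note also that the proxy now needs outbound access to the MFG IP ranges and URLs listed above; you have moved the exposure from the Exchange servers to the proxy, not removed it, so keep that proxy rule scoped to those destinations.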
I am sorry it took me so long to get to the point, but I just had to share the pain and anguish that I experienced and then share the easy solution.