Secure Exchange publishing with ISA Server 2004
The wizards in Internet Security and Acceleration Server 2004 make it relatively easy to publish Exchange services. But ISA Server 2004 is considerably more capable than that: it can filter at the application layer, i.e. permit only the communication that is actually required. With the HTTP filter, the appropriate methods can therefore be locked out. But which ones are they, exactly? With Netmon this can be determined more or less easily, but there is a simpler way. The whitepaper "Application Layer Firewall protection for Exchange Server 2003 with ISA Server 2004", published yesterday, documents this in detail.
| Setting and rule | Outlook Web Access | Outlook Mobile Access | Exchange ActiveSync | RPC over HTTP |
|---|---|---|---|---|
| General tab | | | | |
| Maximum headers length | 32768 | 32768 | 32768 | 32768 |
| Maximum payload length | 10485760 | 10485760 | 65536 | Any |
| Maximum URL length | 16384 | 319 | 1024 | 16384 |
| Maximum query length | 4096 | 13 | 512 | 4096 |
| Verify normalization | Yes | Yes | Yes | Yes |
| Block high bit characters | No | Yes | Yes | Yes |
| Block responses containing Windows executable content | Yes (Note 1) | Yes | Yes | Yes |
| Methods tab | | | | |
| Allow only specified methods | BCOPY, BDELETE, BMOVE, BPROPPATCH, DELETE, GET, MKCOL, MOVE, POLL, POST, PROPFIND, PROPPATCH, SEARCH, SUBSCRIBE | GET, HEAD, POST | OPTIONS, POST | RPC_IN_DATA, RPC_OUT_DATA |
| Extensions tab | | | | |
| Action taken for file extensions | Block specified extensions (allow all others) | Allow only specified extensions | Allow only specified extensions | Allow only specified extensions |
| Extension list | .asax, .ascs, .bat, .cmd, .com, .config, .cs, .csproj, .dat, .dll (Note 2), .exe (Note 1), .htr, .htw, .ida, .idc, .idq, .ini, .licx, .log, .pdb, .pol, .printer, .resources, .resx, .shtm, .shtml, .stm, .vb, .vbproj, .vsdisco, .webinfo, .xsd, .xsx | . (dot), .aspx | . (dot) | .dll |
| Block requests containing ambiguous extensions | No | Yes | Yes | Yes |
| Headers tab | | | | |
| Blocked headers | None | None | None | None |
| Signatures tab | | | | |
| Blocked signatures: Request URL | `./`, `\`, `..` (Note 3), `%` (Note 3), `&` (Note 3) | `./`, `\`, `..`, `%`, `&`, `:` | `./`, `\`, `..`, `%`, `:` | `./`, `\`, `..`, `%`, `&` |
Note 1: Blocking .exe file extensions and enabling Block responses containing Windows executable content for Outlook Web Access will block access to the S/MIME control. If the S/MIME control is required for Outlook Web Access on Exchange Server 2003, do not include .exe in the blocked extensions list or enable Block responses containing Windows executable content.

Note 2: Blocking .dll file extensions for Outlook Web Access will block access to the online spelling checker that is built into Outlook Web Access.

Note 3: Including the strings "..", "%", and "&" can prevent certain types of potential attacks, but it will also reduce access to certain e-mail messages. An e-mail message subject line forms part of the URL used to access the message, so any e-mail message containing one of these characters will be blocked. A balance must be found between extra security and functionality. Do not include the ":" character in this list, because this will block access to the majority of e-mail messages: many message subject lines contain "RE:" and "FW:" when they are replies or forwards.
Or simply download the corresponding rules and adjust the SSL listeners and the server names accordingly. Kai Wilke (ISA Server 2004 MVP) has kindly made these available. Thanks, Kai!
cu
//.<