RE: Exchange/MAPI/RPC

Assuming your client is about to implement Exchange 2000, there is one important thing that has not been mentioned yet. Outlook was designed to be used on a private network. In particular, Outlook 2000 and XP query global catalog servers for Global Address List lookups and distribution list name resolution. Do a packet capture of Outlook traffic and you will see a split between traffic going to the Exchange server and traffic going to a GC. If an Outlook client is sitting on the Internet, it won't work properly unless it can contact a GC. One option is to but a domain controller/global catalog server on the Internet...but that is tantamount to rolling out the red carpet. A more reasonable option is to publish Exchange RPC with ISA Server and implement the registry modification from MS KB article 302914 that instructs the Exchange server to query the global catalog on behalf of Outlook clients. Using a VPN is definitely the cleanest and most secure option, just not the easiest for users. It all boils down to what your client values more, ease of use or security.

Adrian   

-----Original Message-----
From: Joseph Burton [mailto:joseph_burton1970@hotmail.com] Sent: Saturday, March 08, 2003 10:08 AM
To: focus-ms@securityfocus.com
Subject: Exchange/MAPI/RPC

Hello all,

I have a client that will soon start using Microsoft Exchange, and I have a
question regarding the Outlook client. The Exchange client in Outlook uses
the MAPI protocol which uses RPC to communicate with the Exchange server. I
know it's not recommended to connect from the Internet using MAPI, without
using any form av encryption like IPSec.

My question is simply, why? Why is it dangerous to use MAPI/RPC over Internet? Is the password sent in clear text or something? I need some good
arguments to convince my client to use VPN for the roaming users.

Thanks in advance,

//Joe

Do you need help?

In addition to our free technical library, Pantek provides professional IT services to companies who utilize Open Source software: Learn more about Pantek's Technical Support offerings Place an order for 24/7/365 Technical Support here Learn more about Pantek, who we are, and what we do Chat with a Live Operator Related securityfocus.com Links bugtraq certification focus-bsd focus-ids focus-ih focus-linux focus-ms focus-sun focus-unix-other focus-virus forensics incidents libnet linux-secnews ms-secnews pen-test secpapers secprog sectools secureshell security-basics securityjobs sf-news vuln-dev webappsec Request more information about Pantek