Thursday, September 20, 2007

What is the difference between Firewall server and Proxy server?

Reply 1)

A firewall server is primarily meant for protecting internal IT infrastructure from being attacked from the internet. These are generally standardized devices like Cisco PIX, or software-based solutions like Check Point and Microsoft ISA. Some of these devices can also function as enablers of internet sharing.

Proxy servers are meant for internet sharing and for hiding internal users' information (like IP addresses) from the internet. Some proxies also function as firewalls, but that is not what they are designed for. A company which has a good firewall may not require a proxy. However, a company which is just sharing an internet connection on a server may want to use a proxy, so that internal users can access the internet through the same connection via the proxy. Windows 2000 onwards provides an inbuilt feature called “Internet Connection Sharing” which has the same functionality. Typically cyber cafes and similar-sized setups use proxies.

Reply 2)

Does NAT perform the same function as a proxy server?

Reply 3)

Not really.

The objective of NAT is to enable two-way communication with the internet for a machine which is not internet-facing. For example, if you want to access your office desktop computer from home via broadband, how will you do it? You are connected to the internet from home, and your office desktop is also connected to the internet through the default gateway. However, your office desktop computer has a private IP address (in the 172.18.x.x range) which is not recognized on the internet. So there are two ways in which you could access your office desktop from home:

1) Connect your office desktop outside the router and let it get a public IP from the service provider. This will mean that only your office desktop will be able to access the internet and no one else will (unless your office desktop is configured as a proxy server and everyone's Internet Explorer is configured to use your office desktop as a proxy). With this arrangement, both your home computer and office computer have public IPs on the internet and hence you can connect as if you were on a LAN (not from the speed perspective).
2) The other option is to let your office desktop continue using the intranet IP (172.18.x.x) and configure NAT on the router / firewall. Basically, NAT will map a public internet IP to your office desktop's internal IP. So let's say the public IP configured for NAT is 1.2.3.4 and your office desktop IP is 172.18.2.5. Now you can connect to your office desktop from home using the IP 1.2.3.4 (still not your internal IP 172.18.2.5). When this request hits the router / firewall, it will know that the IP requested (1.2.3.4) is meant for your office desktop (172.18.2.5) and will route the packets accordingly.
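The static (one-to-one) mapping described in reply 3, worked through as an added example that is not part of the original thread. It uses the addresses from the reply (public 1.2.3.4, office desktop 172.18.2.5); the home address 203.0.113.7, the `Packet` type and the `inbound_allow` port filter are constructed for the illustration. The port filter is there to make the practitioner's point that a static mapping by itself exposes every port of the inside host, so it should be paired with a packet-filter rule on the same device.

```python
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Packet:
    """Minimal packet model (constructed for the example): addresses and ports only."""
    src: str            # source IP
    dst: str            # destination IP
    proto: str = "tcp"
    sport: int = 0
    dport: int = 0


class StaticNat:
    """One-to-one NAT as configured on the router/firewall in the reply.

    mappings:      {public_ip: private_ip}, e.g. {"1.2.3.4": "172.18.2.5"}
    inbound_allow: optional set of (public_ip, dport) pairs. When given, inbound
                   packets to a mapped address are only translated for those
                   ports; without it every port of the inside host is reachable.
    """

    def __init__(self, mappings, inbound_allow=None):
        self.pub_to_priv = dict(mappings)
        self.priv_to_pub = {priv: pub for pub, priv in mappings.items()}
        self.inbound_allow = set(inbound_allow) if inbound_allow is not None else None

    def from_internet(self, pkt):
        """Packet arriving on the outside interface: rewrite the destination.
        Returns the translated packet, or None if it must be dropped."""
        priv = self.pub_to_priv.get(pkt.dst)
        if priv is None:
            return None     # no mapping: nothing inside is reachable at this address
        if self.inbound_allow is not None and (pkt.dst, pkt.dport) not in self.inbound_allow:
            return None     # mapped host, but this port is not exposed
        return replace(pkt, dst=priv)

    def to_internet(self, pkt):
        """Packet leaving the LAN from a mapped host: rewrite the source so the
        remote side replies to the public address, not to 172.18.x.x."""
        pub = self.priv_to_pub.get(pkt.src)
        if pub is None:
            return None     # unmapped hosts need a proxy or a many-to-one NAT instead
        return replace(pkt, src=pub)


def demo():
    """Home (203.0.113.7, constructed) connects to the office desktop over RDP (3389)."""
    nat = StaticNat({"1.2.3.4": "172.18.2.5"}, inbound_allow={("1.2.3.4", 3389)})
    home = "203.0.113.7"
    inbound = nat.from_internet(Packet(home, "1.2.3.4", sport=51000, dport=3389))
    reply = nat.to_internet(Packet("172.18.2.5", home, sport=3389, dport=51000))
    smb_probe = nat.from_internet(Packet(home, "1.2.3.4", sport=51001, dport=445))
    return inbound, reply, smb_probe


if __name__ == "__main__":
    for p in demo():
        print(p)
```

With the port filter in place the RDP packet reaches 172.18.2.5 and the reply leaves as 1.2.3.4, while a probe to port 445 on the same public address is dropped; without `inbound_allow` the same probe would be translated and delivered to the desktop.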

Reply 4)

I would like to add something on proxy servers.
Proxy servers are used for internet sharing.
In other words, if we start looking at proxy servers from the OSI model, these servers work in the Application layer. When we talk about firewalls, we are dealing with the Network layer and below.
That is the main difference between proxy servers and firewalls.
Proxy servers only deal with internet sharing; when we set up a proxy server we can have excellent control over internet usage for internal users, and that is the reason why we see proxy servers in net cafes.
Proxy servers also cache internet content, and when any user requests the same content, the proxy just picks it from the cache and shows it to the user.
(This is another sign that proxy servers work in the Application layer.)
Also, in many environments we see that a proxy is set up and the network admin configures group policies for the proxy settings (under Internet Explorer settings).
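The layer difference from reply 4, shown in code as an added example that is not part of the original thread. The packet filter sees only source address, protocol and destination port, so two web sites on port 80 look identical to it; the forward HTTP proxy receives the whole request line (a browser sends the absolute URL to a proxy), so it can block by host and serve repeat GETs from its cache. The rule set, the host names `intranet.example` and `games.example`, and the `fake_origin` stand-in for the internet are all constructed for the illustration.

```python
import ipaddress
from urllib.parse import urlsplit

# Network layer: a packet filter decides on addresses, protocol and ports only.
# Evaluated top-down, first match wins. Rules are constructed for this example.
FIREWALL_RULES = [
    ("allow", "172.18.0.0/16", "tcp", 80),
    ("allow", "172.18.0.0/16", "tcp", 443),
    ("deny",  "0.0.0.0/0",     None,  None),   # default deny
]


def firewall_decision(src_ip, proto, dport):
    """What a network-layer filter can decide: nothing about the URL requested."""
    src = ipaddress.ip_address(src_ip)
    for action, net, rule_proto, rule_port in FIREWALL_RULES:
        if src not in ipaddress.ip_network(net):
            continue
        if rule_proto is not None and rule_proto != proto:
            continue
        if rule_port is not None and rule_port != dport:
            continue
        return action
    return "deny"


# Application layer: a forward HTTP proxy receives the request itself, so it can
# apply per-host policy and cache responses.
class HttpProxy:
    def __init__(self, blocked_hosts, fetch_origin):
        self.blocked_hosts = {h.lower() for h in blocked_hosts}
        self.fetch_origin = fetch_origin      # callable(host, path) -> body
        self.cache = {}
        self.origin_fetches = 0               # how often the real site was contacted

    @staticmethod
    def parse_request(raw):
        """Browsers send the absolute URL in the request line to a proxy."""
        request_line = raw.split("\r\n", 1)[0]
        method, target, _version = request_line.split(" ")
        url = urlsplit(target)
        return method, (url.hostname or "").lower(), url.path or "/"

    def handle(self, raw):
        """Return (status, body) for one client request."""
        method, host, path = self.parse_request(raw)
        if host in self.blocked_hosts:
            return 403, f"access to {host} blocked by policy"
        key = (host, path)
        if method == "GET" and key in self.cache:
            return 200, self.cache[key]       # served from cache, origin not contacted
        body = self.fetch_origin(host, path)
        self.origin_fetches += 1
        if method == "GET":
            self.cache[key] = body
        return 200, body


def fake_origin(host, path):
    """Constructed stand-in for the internet: every site returns a small page."""
    return f"<html>{host}{path}</html>"


if __name__ == "__main__":
    # Same client, same port: the packet filter cannot tell the two sites apart.
    print(firewall_decision("172.18.2.5", "tcp", 80), firewall_decision("172.18.2.5", "tcp", 3389))
    proxy = HttpProxy(blocked_hosts=["games.example"], fetch_origin=fake_origin)
    print(proxy.handle("GET http://intranet.example/news HTTP/1.1\r\nHost: intranet.example\r\n\r\n"))
    print(proxy.handle("GET http://games.example/ HTTP/1.1\r\nHost: games.example\r\n\r\n"))
    print(proxy.handle("GET http://intranet.example/news HTTP/1.1\r\nHost: intranet.example\r\n\r\n"))
    print("origin fetches:", proxy.origin_fetches)   # 1: the repeat GET came from cache
```

The firewall allows both sites with the same rule because all it has is 172.18.2.5, tcp and port 80; the proxy blocks games.example and answers the second intranet request without touching the origin, which is the caching behaviour the reply mentions.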

Thursday, September 6, 2007

How to generate events about users receiving warning messages about mailbox storage limits in Exchange 2003?

You can configure Exchange to automatically report to the Application event log the users who are exceeding mailbox store limits. To configure reporting of which mailboxes are being sent warning messages about their storage space, follow these steps:

1. Start Exchange System Manager.
2. Confirm that each mailbox store has a Warning Message Interval designated (on the Limits property page).
3. Under the Servers container, right-click the Exchange 2003 server for which you want to report storage warnings, and then click Properties.
4. Click the Diagnostics Logging tab, open MSExchangeIS, and then click Mailbox.
5. Click Storage Limits, and then set the logging level to Maximum. Click OK.

Once this is completed, you will see the following event IDs in the Application log on the Exchange 2003 server you are monitoring:

◆ Event ID 1077 indicates which mailboxes exceed their storage warning limit.

◆ Event ID 1078 indicates which mailboxes exceed their prohibit send limit.

◆ Event ID 1218 indicates which mailboxes exceed their prohibit send and receive limit (mailbox disabled).
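Once the three event IDs are being logged, the useful next step is to turn them into a per-mailbox report. The following is an added example, not part of the original post: it classifies constructed Application log records by event ID and keeps the most restrictive state seen for each mailbox. The records, including the wording of the message text and the alias names, are made up for this example; the real message text on your server may differ, so check it before relying on the regular expression.

```python
import re
from collections import Counter

# Event IDs logged by the MSExchangeIS Mailbox source once 'Storage Limits'
# diagnostics logging is at Maximum (see the steps above).
STORAGE_LIMIT_EVENTS = {
    1077: "warning",                  # over the storage warning limit
    1078: "prohibit_send",            # over the prohibit send limit
    1218: "prohibit_send_receive",    # over the prohibit send and receive limit
}
SEVERITY = {"warning": 1, "prohibit_send": 2, "prohibit_send_receive": 3}

# Mailboxes appear by legacy Exchange DN in the event text; pull the alias out.
MAILBOX_DN_RE = re.compile(r"/o=.+?/cn=Recipients/cn=(?P<alias>[^\s/]+)", re.IGNORECASE)

# Constructed sample records in the shape of an Application log export:
# (source, event ID, message). Message wording is made up for the example.
SAMPLE_EVENTS = [
    ("MSExchangeIS Mailbox", 1077,
     "The mailbox for /o=Contoso/ou=First Administrative Group/cn=Recipients/cn=jsmith "
     "has exceeded the storage warning limit."),
    ("MSExchangeIS Mailbox", 1077,
     "The mailbox for /o=Contoso/ou=First Administrative Group/cn=Recipients/cn=adoe "
     "has exceeded the storage warning limit."),
    ("MSExchangeIS Mailbox", 1078,
     "The mailbox for /o=Contoso/ou=First Administrative Group/cn=Recipients/cn=jsmith "
     "has exceeded the prohibit send limit."),
    ("MSExchangeIS Mailbox", 1218,
     "The mailbox for /o=Contoso/ou=First Administrative Group/cn=Recipients/cn=bwong "
     "has exceeded the prohibit send and receive limit."),
    ("MSExchangeIS Mailbox", 9001, "Unrelated event (constructed) that must be ignored."),
    ("MSExchangeSA", 1077, "Same number, different source: not a storage limit event."),
]


def mailbox_limit_states(events):
    """Return {alias: most severe limit state} for the storage-limit events seen."""
    states = {}
    for source, event_id, message in events:
        if source != "MSExchangeIS Mailbox":
            continue
        state = STORAGE_LIMIT_EVENTS.get(event_id)
        if state is None:
            continue
        m = MAILBOX_DN_RE.search(message)
        if not m:
            continue                      # unexpected wording: skip rather than guess
        alias = m.group("alias").lower()
        if SEVERITY[state] > SEVERITY.get(states.get(alias), 0):
            states[alias] = state         # keep the most restrictive state per mailbox
    return states


def limit_summary(states):
    """Counts per state, for a one-line daily report."""
    return dict(Counter(states.values()))


if __name__ == "__main__":
    result = mailbox_limit_states(SAMPLE_EVENTS)
    for alias, state in sorted(result.items()):
        print(f"{alias:10s} {state}")
    print(limit_summary(result))
```

Feed it the records exported from the Application log of the server you configured above. Filtering on the source as well as the event ID matters because other Exchange components reuse the same numeric IDs for unrelated events.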

Wednesday, September 5, 2007

How to restrict only certain versions of Outlook to connect to Exchange server?

From Exchange 2000 Service Pack 1 onwards, a feature is available which enables the administrator to allow only certain versions of Outlook to connect to the Exchange server. This is typically handy in large organizations which have multiple versions of Outlook running, and it is used to prevent users who are still running an older version of Outlook from connecting to the Exchange server.

A general recommendation is not to allow Outlook clients older than Outlook 2000 Service Pack 3 to connect to the Exchange server. The reason is the enhanced security feature called “Email Security Update” which was introduced with Service Pack 3 of Outlook 2000.

This feature is also handy for preventing users from installing beta versions of Outlook, as these may cause loss of productivity and an increase in the number of helpdesk calls.

To implement the Outlook version restriction, the MAPI version of Outlook is required. There is a version number shown under Outlook > Help > About, but that is not the version number we are talking about. The version number needs to be obtained from the Exchange server: it is available under Logons in Exchange System Manager, in the Client Version column. Below is a diagram which shows this:


The version number presented is in the form w.x.y.z. The number required for restricting access to a certain version of Outlook is w.y.z; the number in x is not required.

The most important value in this table is the value in the Value Required to Restrict Logon column. By default, Exchange allows all versions of MAPI clients to access the mailbox stores. However, you can restrict access to the mailbox and public folder stores to specific versions by creating a Registry value called Disable MAPI Clients, of type REG_SZ, in the following Registry key:

HKLM\SYSTEM\CurrentControlSet\Services\MSExchangeIS\ParametersSystem

In this Registry value, put the versions of the clients that should be prevented from accessing the information stores. It is also permissible to put in a range of versions; entries must be separated by commas. The Exchange components must always be allowed to access the store, so check the value against them before applying it.

NOTE: The MAPI version 6 components must always be allowed to log on. They are the Exchange 2003 components such as the System Attendant or the Exchange System Manager.

Once this feature is in place, clients will get a “The attempt to log on to the Microsoft Exchange Server computer has failed” message if they try to access the Exchange server from a client whose MAPI version you are blocking. Outlook 2003, however, gives a somewhat more intelligent and explanatory pop-up message:
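A small helper for preparing the Disable MAPI Clients value, added here as an example and not part of the original post. It converts the w.x.y.z client version shown in ESM into the w.y.z form, parses a comma-separated list of versions and ranges, tests a client version against it, and flags any entry that would catch the MAPI version 6 Exchange components the note above says must stay allowed. The range grammar assumed here ("low-high", either end may be left empty for an open-ended range) and the sample version numbers (5.0.2819.0 and the 9.x range) are constructed for the illustration; confirm the exact syntax your Exchange build accepts against Microsoft's documentation before writing the value.

```python
import re

ESM_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)\.(\d+)$")


def esm_to_registry_version(client_version):
    """Turn the w.x.y.z from the ESM Logons 'Client Version' column into the
    w.y.z form used in 'Disable MAPI Clients' (the x component is dropped)."""
    m = ESM_VERSION_RE.match(client_version.strip())
    if not m:
        raise ValueError(f"not a w.x.y.z client version: {client_version!r}")
    w, _x, y, z = m.groups()
    return f"{w}.{y}.{z}"


def parse_version(text):
    """'5.2819.0' -> (5, 2819, 0); tuples compare in version order."""
    return tuple(int(p) for p in text.strip().split("."))


def parse_disable_list(value):
    """Parse the REG_SZ value into inclusive (low, high) bounds; None = open end.
    Assumed syntax: comma-separated entries, each one exact version 'w.y.z' or a
    range 'low-high' where either end may be empty."""
    bounds = []
    for entry in value.split(","):
        entry = entry.strip()
        if not entry:
            continue
        if "-" in entry:
            lo, hi = entry.split("-", 1)
            bounds.append((parse_version(lo) if lo.strip() else None,
                           parse_version(hi) if hi.strip() else None))
        else:
            v = parse_version(entry)
            bounds.append((v, v))
    return bounds


def is_blocked(registry_version, bounds):
    """Would a client reporting this w.y.z version be refused?"""
    v = parse_version(registry_version)
    return any((lo is None or lo <= v) and (hi is None or v <= hi) for lo, hi in bounds)


def _fmt(bound):
    return "" if bound is None else ".".join(str(p) for p in bound)


def lint_disable_list(value):
    """Checks to run before writing the value: no entry may overlap MAPI major
    version 6, which Exchange 2003's own components (System Attendant, ESM) use."""
    problems = []
    for lo, hi in parse_disable_list(value):
        overlaps_v6 = (lo is None or lo[0] <= 6) and (hi is None or hi[0] >= 6)
        if overlaps_v6:
            problems.append(f"entry '{_fmt(lo)}-{_fmt(hi)}' would block MAPI version 6 "
                            f"(Exchange components); refusing to apply")
    return problems


if __name__ == "__main__":
    # Constructed ESM client version and candidate registry values.
    print(esm_to_registry_version("5.0.2819.0"))            # 5.2819.0
    bounds = parse_disable_list("-5.2819.0, 9.0.0-9.9999.9999")
    for client in ("4.0.0", "5.2819.0", "5.2820.0", "6.5.0", "9.100.0"):
        print(client, "blocked" if is_blocked(client, bounds) else "allowed")
    print(lint_disable_list("-5.2819.0"))    # []
    print(lint_disable_list("5.2819.0-"))    # open-ended upwards: catches 6.x, flagged
```

The open-ended form is where people get caught: "-5.2819.0" only refuses old clients, but "5.2819.0-" refuses everything newer, including the server's own MAPI 6 components, which is exactly the case the note above warns about.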


Monday, September 3, 2007

What is SIP?

Session Initiation Protocol (SIP), a signaling protocol, is used for establishing a session in an IP network — from a simple two-way telephone call to a multi-media conference call session with many participants. The IP telephony industry has recently adopted SIP, an RFC standard (RFC 3261) from the Internet Engineering Task Force (IETF), as the protocol of choice for signaling because of its ability to facilitate Internet applications by working with other protocols. It is not the be-all and end-all of protocols — it was designed to be a facilitation mechanism, not an all-inclusive solution. Its flexibility is what makes it so powerful, and an all-inclusive approach does not offer this level of flexibility.

Essentially, SIP establishes, modifies and tears down sessions, and its main purpose is to help session originators deliver invitations to potential session participants wherever they may be. It uses URIs (SIP URLs) to address participants and SDP, carried in the message body, to convey session information, and it is easy to combine SIP with other applications, like web browsers and messaging. The bottom line is that it is a modular approach to building IP telephony on open protocols. SIP can find and invite call invitees wherever they are, and it facilitates multi-media calls with many participants who may join and leave at will.
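The INVITE / 200 OK exchange in code, as an added example that is not part of the original post: it serialises and parses SIP messages, extracts the SDP offer and answer, and derives the dialog identifier (Call-ID plus From and To tags) and the addresses the media will actually use. All names, addresses, tags and ports in the sample exchange are constructed for the illustration. The media endpoints live in the SDP body, not in the IP headers, which is why a NAT device or firewall that wants to let a call through has to read the application layer.

```python
import re


def build_sip(start_line, headers, body=""):
    """Serialise a SIP message; Content-Length is computed from the body."""
    lines = [start_line] + [f"{name}: {value}" for name, value in headers]
    lines.append(f"Content-Length: {len(body.encode())}")
    return "\r\n".join(lines) + "\r\n\r\n" + body


def parse_sip(raw):
    """Split a message into start line, headers and body. Header names are
    lower-cased and values kept as lists because headers such as Via repeat."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    start = lines[0]
    if start.startswith("SIP/2.0 "):
        _, code, reason = start.split(" ", 2)
        msg = {"kind": "response", "status": int(code), "reason": reason}
    else:
        method, uri, _version = start.split(" ")
        msg = {"kind": "request", "method": method, "uri": uri}
    msg["headers"] = headers
    msg["body"] = body
    return msg


def parse_sdp(body):
    """Connection address (c=) and media lines (m=) from an SDP body."""
    info = {"connection": None, "media": []}
    for line in body.strip().split("\r\n"):
        if line.startswith("c="):
            info["connection"] = line[2:].split()[-1]
        elif line.startswith("m="):
            mtype, port, proto, *formats = line[2:].split()
            info["media"].append({"type": mtype, "port": int(port), "proto": proto, "formats": formats})
    return info


def _tag(header_value):
    m = re.search(r";tag=([^;\s]+)", header_value)
    return m.group(1) if m else None


def dialog_id(msg):
    """A dialog is identified by Call-ID plus the From and To tags; the To tag
    only exists once the callee has answered."""
    h = msg["headers"]
    return (h["call-id"][0], _tag(h["from"][0]), _tag(h["to"][0]))


def rtp_flow(invite_raw, ok_raw):
    """From the INVITE (offer) and the 200 OK (answer), return where the media
    will flow: ((caller_ip, caller_port), (callee_ip, callee_port))."""
    offer = parse_sdp(parse_sip(invite_raw)["body"])
    answer = parse_sdp(parse_sip(ok_raw)["body"])
    a, b = offer["media"][0], answer["media"][0]
    return (offer["connection"], a["port"]), (answer["connection"], b["port"])


# Constructed exchange: Alice invites Bob. Addresses, tags and ports are made up.
OFFER_SDP = "\r\n".join(["v=0", "o=alice 2890844526 2890844526 IN IP4 192.0.2.10", "s=-",
                         "c=IN IP4 192.0.2.10", "t=0 0", "m=audio 49170 RTP/AVP 0 8",
                         "a=rtpmap:0 PCMU/8000"]) + "\r\n"
ANSWER_SDP = "\r\n".join(["v=0", "o=bob 2808844564 2808844564 IN IP4 198.51.100.20", "s=-",
                          "c=IN IP4 198.51.100.20", "t=0 0", "m=audio 3456 RTP/AVP 0",
                          "a=rtpmap:0 PCMU/8000"]) + "\r\n"
COMMON = [("Via", "SIP/2.0/UDP 192.0.2.10:5060;branch=z9hG4bK776asdhds"),
          ("From", "Alice <sip:alice@example.com>;tag=1928301774"),
          ("Call-ID", "a84b4c76e66710@192.0.2.10"), ("CSeq", "314159 INVITE"),
          ("Content-Type", "application/sdp")]
INVITE_RAW = build_sip("INVITE sip:bob@example.com SIP/2.0",
                       COMMON + [("To", "Bob <sip:bob@example.com>"),
                                 ("Contact", "<sip:alice@192.0.2.10>")], OFFER_SDP)
OK_RAW = build_sip("SIP/2.0 200 OK",
                   COMMON + [("To", "Bob <sip:bob@example.com>;tag=a6c85cf"),
                             ("Contact", "<sip:bob@198.51.100.20>")], ANSWER_SDP)

if __name__ == "__main__":
    print(dialog_id(parse_sip(INVITE_RAW)), dialog_id(parse_sip(OK_RAW)))
    print(rtp_flow(INVITE_RAW, OK_RAW))
```

After the 200 OK the caller completes the handshake with an ACK carrying the same Call-ID, From tag and To tag; that triple, not the transport addresses, is what ties every later request (including the BYE that tears the session down) to this call.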

Sunday, September 2, 2007

How to customize system messages in Exchange Server?

There are situations where Exchange system messages need to be customized. For example, when a mailbox storage limit is configured, the default message that goes to the mailbox owner when the warning threshold is reached cannot be customized through the GUI. This message (and other system messages) can be customized by modifying the DLL file in which all the system message strings are stored. A word of caution before editing DLL files:

1) The file will be overwritten each time a patch or service pack upgrades it to a newer version, so the customization has to be redone after updates.
2) If Microsoft PSS is working on an issue on the server, the file will need to be replaced with the default file.
3) Any modification to a system file such as a DLL can make the system unstable, so keep a copy of the original file before editing it.

All the system messages are stored in a file called MDBSZ.DLL, located in the Exchsrvr\Bin directory.

Unlike a text file, this file cannot simply be opened in Notepad and edited. Instead, Microsoft has released a set of tools called the ‘Resource Localization Toolset’, which includes a tool called RLSQuikEd. This is the tool that needs to be used to open and edit MDBSZ.dll.

The Resource Localization Toolset can be downloaded from http://tinyurl.com/88ash

It also contains a help document called RLTOOLS.DOC.

Below is a screenshot of a system message being modified in RLSQuikEd: