Difference between revisions of "Firewall Configuration for Single Server Mode"

(Firewall Rules For Single Server Mode)
 
(18 intermediate revisions by 3 users not shown)
Line 1: Line 1:
 
__NOTOC__
 
__NOTOC__
It is highly recommended to protect any MailStore Service Provider Edition service with appropriate firewall rules. This document should help with setting up the required rules.
+
It is highly recommended to protect any MailStore Service Provider Edition service with appropriate firewall rules. This document should help with setting up the required rules. The firewall rules for running the SPE in Multi Server Mode can be found in [[Firewall Configuration for Multi Server Mode|this document]].
  
 
'''Important Notices:'''  
 
'''Important Notices:'''  
 
* The communication channels described below MUST NOT be intercepted by any kind of email or web proxies that are provided as part of antivirus software or unified threat management gateways.  
 
* The communication channels described below MUST NOT be intercepted by any kind of email or web proxies that are provided as part of antivirus software or unified threat management gateways.  
 
* The Windows Advanced Firewall is activated on any Windows Server installation by default. In order to connect to services (e.g. MailStore Management Console) of the MailStore Service Provider Edition, it is required that the appropriate firewall rules are added (see below).
 
* The Windows Advanced Firewall is activated on any Windows Server installation by default. In order to connect to services (e.g. MailStore Management Console) of the MailStore Service Provider Edition, it is required that the appropriate firewall rules are added (see below).
 
= Firewall Rules For Single Server Mode =
 
  
 
The table below lists all TCP ports that need to be opened in the firewall when using MailStore Service Provider Edition in single server mode. The following abbreviations are used in the source and target columns of that table:
 
The table below lists all TCP ports that need to be opened in the firewall when using MailStore Service Provider Edition in single server mode. The following abbreviations are used in the source and target columns of that table:
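Review bot: the level-1 heading "= Firewall Rules For Single Server Mode =" is removed in this hunk but nothing replaces it, so the ports table that follows is no longer introduced by a heading of its own and the later "Windows Advanced Firewall" subsection has no parent section to nest under; keep a (level-2) heading here, or note in the edit summary that the page is intentionally flat now. The added sentence pointing to [[Firewall Configuration for Multi Server Mode|this document]] is fine as written.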
Line 13: Line 11:
 
* ADM = Computer or network used for administration
 
* ADM = Computer or network used for administration
 
* SERVER = Server that hosts MailStore Service Provider Edition
 
* SERVER = Server that hosts MailStore Service Provider Edition
 
A list of all TCP ports used by MailStore Service Provider Edition is available in the [[System Requirements#Required Ports|System Requirements]]
 
  
 
{| class="wikitable sortable"
 
{| class="wikitable sortable"
Line 50: Line 46:
 
| align="center" | SERVER
 
| align="center" | SERVER
 
| align="center" | my.mailstore.com
 
| align="center" | my.mailstore.com
| Usage reporting and license update
+
| Usage reporting and license update.<br/><span class="mswarning">'''Important:''' DNS hostname MUST be used in firewall rules due to periodically changing IP addresses of my.mailstore.com.</span>
 
|-
 
|-
 
| align="center" | 443
 
| align="center" | 443
 
| align="center" | ANY
 
| align="center" | ANY
 
| align="center" | SERVER
 
| align="center" | SERVER
| HTTPS access to instances used by MailStore Client, MailStore Outlook Add-in, MailStore Web Access and MailStore Mobile Web Access.
+
| HTTPS access to instances used by E-mail Archive Client, Outlook Add-in, and Web Access.
 
|-
 
|-
 
| align="center" | 636
 
| align="center" | 636
 
| align="center" | SERVER
 
| align="center" | SERVER
 
| align="center" | ANY
 
| align="center" | ANY
| Access to LDAP servers (including Microsoft Active Directory) using a TLS encrypted connection.
+
| Access to LDAP servers (including Microsoft Active Directory) using a SSL encrypted connection.
 
|-
 
|-
 
| align="center" | 993
 
| align="center" | 993
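Review bot: changing the port 636 description from "TLS encrypted connection" to "SSL encrypted connection" is a terminology regression; LDAPS on 636 uses implicit TLS, and SSL 2.0/3.0 are deprecated and disabled on current Windows releases, so keep "TLS" (for example "using a TLS-encrypted connection (LDAPS)"). Also, the new my.mailstore.com note says a DNS hostname MUST be used in firewall rules, but the netsh rules on this same page take `remoteip=`, which accepts only addresses, ranges and keywords, not hostnames; state that the hostname requirement applies to perimeter firewalls that support FQDN objects, while the Windows Advanced Firewall needs no outbound rule here because outbound traffic is allowed by default.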
Line 81: Line 77:
 
| align="center" | SERVER
 
| align="center" | SERVER
 
| Web-based access to the MailStore Management Console.
 
| Web-based access to the MailStore Management Console.
 +
|-
 +
| align="center" | 8474
 +
| align="center" | ADM
 +
| align="center" | SERVER
 +
| Access to the MailStore Management API.
 
|}
 
|}
  
== Windows Advanced Firewall ==
+
=== Windows Advanced Firewall ===
 
 
 
The Windows Advanced Firewall can easily be re-configured for Single Server Mode. By executing the following commands in the Windows PowerShell command prompt, the required TCP ports are opened for inbound connections. Outbound connections to any destination are allowed by default.  
 
The Windows Advanced Firewall can easily be re-configured for Single Server Mode. By executing the following commands in the Windows PowerShell command prompt, the required TCP ports are opened for inbound connections. Outbound connections to any destination are allowed by default.  
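Review bot: the "Windows Advanced Firewall" heading goes from level 2 ("==") to level 3 ("===") in this hunk, but this revision has no level-2 heading above it for it to nest under, so the table of contents hierarchy would be off; either keep "==" or reintroduce a level-2 section heading for the single-server rules. The new 8474 row (ADM to SERVER, "Access to the MailStore Management API") is consistent with the 8470 row directly above it.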
  
Line 95: Line 95:
 
netsh advfirewall firewall add rule name="MailStore Service Provider Edition (MGMT)" `
 
netsh advfirewall firewall add rule name="MailStore Service Provider Edition (MGMT)" `
 
   action=ALLOW dir=IN protocol=TCP localport="8470" remoteip="192.0.2.0/24" profile=ANY
 
   action=ALLOW dir=IN protocol=TCP localport="8470" remoteip="192.0.2.0/24" profile=ANY
 +
 +
# Allow access to MailStore Management API from adminstrator network 192.0.2.0/24
 +
netsh advfirewall firewall add rule name="MailStore Service Provider Edition (MGMT)" `
 +
  action=ALLOW dir=IN protocol=TCP localport="8474" remoteip="192.0.2.0/24" profile=ANY
 
</source>
 
</source>
 
= Firewall Rules For Multi Server Mode =
 
 
The below table lists all TCP ports that need to be opened in the firewall when using MailStore Service Provider Edition in multi server mode. The following abbreviations are used in the source and target columns:
 
 
* ANY = Any computer from private or public networks
 
* ADM = Computer or network used for administration
 
* CAS = Server hosting Client Access Server role
 
* IH = Server hosting Instance Host role
 
* MGMT = Server hosting Management Server role
 
 
A list of all TCP ports used by MailStore Service Provider Edition is available in [[System Requirements#Required Ports|System Requirements]]
 
 
{| class="wikitable sortable"
 
! width="80px" | Port
 
! width="80px" | Source
 
! width="80px" | Target
 
! class="unsortable" | Description
 
|-
 
| align="center" | 110
 
| align="center" | IH
 
| align="center" | ANY
 
| Access to email servers for archiving via POP3 (Unencrypted/STARTTLS).
 
|-
 
| align="center" | 143
 
| align="center" | IH
 
| align="center" | ANY
 
| Access to email servers for archiving via IMAP (Unencrypted/STARTTLS).
 
|-
 
| align="center" | 143
 
| align="center" | ANY
 
| align="center" | CAS
 
| IMAP access to archives secured by TLS (STARTTLS) encryption.
 
|-
 
| align="center" | 389
 
| align="center" | IH
 
| align="center" | ANY
 
| Access to LDAP servers (including Microsoft Active Directory) using an unencrypted or STARTTLS-encrypted session.
 
|-
 
| align="center" | 443
 
| align="center" | IH
 
| align="center" | ANY
 
| Access to Microsoft Exchange Server for archiving via Exchange Web Services (EWS) secured by SSL encryption.
 
|-
 
| align="center" | 443
 
| align="center" | ANY
 
| align="center" | CAS
 
| HTTPS access to instances used by MailStore Client, MailStore Outlook Add-in,  MailStore Web Access and MailStore Mobile Web Access.
 
|-
 
| align="center" | 443
 
| align="center" | MGMT
 
| align="center" | my.mailstore.com
 
| Usage reporting and license update
 
|-
 
| align="center" | 636
 
| align="center" | IH
 
| align="center" | ANY
 
| Access to LDAP servers (including Microsoft Active Directory) using a TLS encrypted connection.
 
|-
 
| align="center" | 993
 
| align="center" | ANY
 
| align="center" | CAS
 
| IMAP access to archives secured by TLS (SSL) encryption.
 
|-
 
| align="center" | 993
 
| align="center" | IH
 
| align="center" | ANY
 
| Access to email servers for archiving via IMAP (SSL).
 
|-
 
| align="center" | 995
 
| align="center" | IH
 
| align="center" | ANY
 
| Access to email servers for archiving via POP3 (SSL).
 
|-
 
| align="center" | 8470
 
| align="center" | ADM
 
| align="center" | MGMT
 
| Web-based access to the MailStore Management Console.
 
|-
 
| align="center" | 8470
 
| align="center" | IH, CAS
 
| align="center" | MGMT
 
| Optional: Required for initial pairing with Management Server. If not available,  manual registration of Instance Hosts and Client Access Servers in Management Server is required.
 
|-
 
| align="center" | 8471
 
| align="center" | CAS, IH
 
| align="center" | MGMT
 
| Internal communication with Management Server
 
|-
 
| align="center" | 8472
 
| align="center" | MGMT, CAS
 
| align="center" | IH
 
| Internal communication with Instance Hosts
 
|-
 
| align="center" | 8473
 
| align="center" | MGMT
 
| align="center" | CAS
 
| Internal communication with Client Access Servers
 
|}
 
 
= What to do next =
 
 
In environments where the single server mode is sufficient, the setup procedure continues with configuration of MailStore Service Provider Edition as described in [[Single Server Mode Setup]].
 
 
In environments where a multi server mode setup is planned, deploy and install MailStore Service Provider Edition as described above on all other machines before continuing the setup process with the configuration of the Management Server role as described in [[Multi Server Mode Setup]].
 

Latest revision as of 15:40, 25 August 2020

It is highly recommended to protect any MailStore Service Provider Edition service with appropriate firewall rules. This document should help with setting up the required rules. The firewall rules for running the SPE in Multi Server Mode can be found in this document.

Important Notices:

  • The communication channels described below MUST NOT be intercepted by any kind of email or web proxies that are provided as part of antivirus software or unified threat management gateways.
  • The Windows Advanced Firewall is activated on any Windows Server installation by default. In order to connect to services (e.g. MailStore Management Console) of the MailStore Service Provider Edition, it is required that the appropriate firewall rules are added (see below).

The table below lists all TCP ports that need to be opened in the firewall when using MailStore Service Provider Edition in single server mode. The following abbreviations are used in the source and target columns of that table:

  • ANY = Any computer from private or public networks
  • ADM = Computer or network used for administration
  • SERVER = Server that hosts MailStore Service Provider Edition
{| class="wikitable sortable"
! width="80px" | Port
! width="80px" | Source
! width="80px" | Target
! class="unsortable" | Description
|-
| align="center" | 110
| align="center" | SERVER
| align="center" | ANY
| Access to email servers for archiving via POP3 (Unencrypted/STARTTLS).
|-
| align="center" | 143
| align="center" | SERVER
| align="center" | ANY
| Access to email servers for archiving via IMAP (Unencrypted/STARTTLS).
|-
| align="center" | 143
| align="center" | ANY
| align="center" | SERVER
| IMAP access to archives secured by TLS (STARTTLS) encryption.
|-
| align="center" | 389
| align="center" | SERVER
| align="center" | ANY
| Access to LDAP servers (including Microsoft Active Directory) using an unencrypted or STARTTLS-encrypted session.
|-
| align="center" | 443
| align="center" | SERVER
| align="center" | ANY
| Access to Microsoft Exchange servers for archiving via Exchange Web Services (EWS) secured by SSL encryption.
|-
| align="center" | 443
| align="center" | SERVER
| align="center" | my.mailstore.com
| Usage reporting and license update.<br/>'''Important:''' DNS hostname MUST be used in firewall rules due to periodically changing IP addresses of my.mailstore.com.
|-
| align="center" | 443
| align="center" | ANY
| align="center" | SERVER
| HTTPS access to instances used by E-mail Archive Client, Outlook Add-in, and Web Access.
|-
| align="center" | 636
| align="center" | SERVER
| align="center" | ANY
| Access to LDAP servers (including Microsoft Active Directory) using an SSL-encrypted connection.
|-
| align="center" | 993
| align="center" | SERVER
| align="center" | ANY
| Access to email servers for archiving via IMAP (SSL).
|-
| align="center" | 993
| align="center" | ANY
| align="center" | SERVER
| IMAP access to archives secured by TLS (SSL) encryption.
|-
| align="center" | 995
| align="center" | SERVER
| align="center" | ANY
| Access to email servers for archiving via POP3 (SSL).
|-
| align="center" | 8470
| align="center" | ADM
| align="center" | SERVER
| Web-based access to the MailStore Management Console.
|-
| align="center" | 8474
| align="center" | ADM
| align="center" | SERVER
| Access to the MailStore Management API.
|}

Windows Advanced Firewall

The Windows Advanced Firewall can easily be re-configured for Single Server Mode. By executing the following commands in the Windows PowerShell command prompt, the required TCP ports are opened for inbound connections. Outbound connections to any destination are allowed by default.

<source lang="powershell">
# Allow access to CAS ports from everywhere
netsh advfirewall firewall add rule name="MailStore Service Provider Edition (CAS)" `
  action=ALLOW dir=IN protocol=TCP localport="143,443,993" profile=ANY

# Allow access to MailStore Service Provider Management Console from administrator network 192.0.2.0/24
netsh advfirewall firewall add rule name="MailStore Service Provider Edition (MGMT)" `
  action=ALLOW dir=IN protocol=TCP localport="8470" remoteip="192.0.2.0/24" profile=ANY

# Allow access to MailStore Management API from administrator network 192.0.2.0/24
# (distinct rule name, so that a later "netsh advfirewall firewall set|delete rule name=..."
#  does not also match the Management Console rule above)
netsh advfirewall firewall add rule name="MailStore Service Provider Edition (API)" `
  action=ALLOW dir=IN protocol=TCP localport="8474" remoteip="192.0.2.0/24" profile=ANY
</source>
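As an added example that is not part of the MailStore documentation, the same Single Server Mode rules built with the NetSecurity cmdlets under distinct names, followed by an audit that flags any enabled inbound allow rule exposing the management ports 8470 or 8474 to any remote address. The administrator network 192.0.2.0/24 is the page's sample range; the rule group and display names are assumptions chosen here.

```powershell
# Added example (not MailStore's code): create the Single Server Mode inbound rules
# with New-NetFirewallRule, then audit that 8470/8474 are not reachable from "Any".
# Assumptions: admin network 192.0.2.0/24 (the page's sample), group/display names are ours.
$AdminNet = '192.0.2.0/24'
$Group    = 'MailStore SPE'

# Port -> allowed source, taken from the Single Server Mode table:
# 143/443/993 are client-facing (ANY); 8470/8474 are administrative (ADM only).
$Rules = @(
    @{ Name = 'MailStore SPE (CAS 143,443,993)'; Ports = '143','443','993'; Remote = 'Any'     }
    @{ Name = 'MailStore SPE (MGMT 8470)';        Ports = '8470';            Remote = $AdminNet }
    @{ Name = 'MailStore SPE (API 8474)';         Ports = '8474';            Remote = $AdminNet }
)

foreach ($r in $Rules) {
    # Distinct DisplayNames keep Set-/Remove-NetFirewallRule unambiguous later on.
    if (-not (Get-NetFirewallRule -DisplayName $r.Name -ErrorAction SilentlyContinue)) {
        New-NetFirewallRule -DisplayName $r.Name -Group $Group -Direction Inbound `
            -Protocol TCP -LocalPort $r.Ports -RemoteAddress $r.Remote `
            -Action Allow -Profile Any | Out-Null
    }
}

# Audit: no enabled inbound Allow rule may expose the management ports to 'Any'.
# A rule with LocalPort 'Any' counts as a hit too, since it covers 8470/8474 implicitly.
$MgmtPorts = '8470','8474'
$Exposed = Get-NetFirewallRule -Direction Inbound -Action Allow -Enabled True |
    ForEach-Object {
        $rule = $_
        $pf   = $rule | Get-NetFirewallPortFilter
        $af   = $rule | Get-NetFirewallAddressFilter
        $hits = @($pf.LocalPort) | Where-Object { $_ -in $MgmtPorts -or $_ -eq 'Any' }
        if ($pf.Protocol -eq 'TCP' -and $hits -and ($af.RemoteAddress -contains 'Any')) {
            [pscustomobject]@{
                Rule   = $rule.DisplayName
                Ports  = (@($pf.LocalPort) -join ',')
                Remote = (@($af.RemoteAddress) -join ',')
            }
        }
    }

if ($Exposed) {
    Write-Warning 'Management ports reachable from any remote address:'
    $Exposed | Format-Table -AutoSize
} else {
    Write-Output 'OK: 8470 and 8474 are restricted to the administration network.'
}
```

The audit matches exact port values only; a rule whose LocalPort is a range such as "8000-9000" would also cover the management ports but is not expanded here.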