CHAPTER 11
INTERNET-BASED CLIENT ACCESS
The Internet holds a huge potential for today’s economy. It creates hundreds of billions in
revenue per annum and millions of jobs. There is no question that the Internet allows
organizations of any size to build closer relationships with customers and business partners.
Lesson 1: Support for Internet Protocols
From the moment you install Exchange 2000 Server, your messaging environment relies on
Internet protocols. SMTP for instance, is the native e-mail transport protocol for Exchange
2000 Server. Other protocols such as POP3, IMAP4, NNTP and HTTP, provide users
with a variety of options for accessing their mailboxes and public folders.
SMTP is the Internet industry standard that governs the transfer of e-mail messages
between two messaging hosts. SMTP Service Extensions (ESMTP) extend SMTP and overcome
several critical limitations of the Internet mail transport. For instance, ESMTP allows users
to request delivery status notifications on their outgoing messages, and it allows a server
to specify a message size limit for incoming ESMTP connections.
Both SMTP and ESMTP require a connection-based transport mechanism; in practice
this is the TCP/IP protocol.
Sending Messages Using SMTP
To send a message, an SMTP/ESMTP process first connects to TCP port 25 of the
remote host. The remote SMTP system, such as a server running Exchange 2000
Server, then answers the incoming request.
SMTP defines the application-layer commands and responses that SMTP systems must use
to transfer messages: commands initiate the sending of a message, and responses acknowledge
its reception. The most important elements of every SMTP exchange are the welcome message,
which the server returns to the client; the HELO (or EHLO for ESMTP) command, which starts
the session; the MAIL FROM command, which indicates the originator address; RCPT TO, which
specifies the mail recipients; and DATA, which initiates the transfer of the message itself.
=======================================================================
winexc11.html
PAGE 2 2002/06/12
The QUIT command ends the current session and initiates the termination of the connection.
SMTP Service Extensions
ESMTP provides a framework for two types of SMTP extensions: registered and unregistered
extensions. A good example of a registered extension is the DSN command, which notifies the
receiving system that a delivery status notification should be returned to the sending host.
NOTE: Every ESMTP session begins with the EHLO command, in contrast to HELO, which
initiates an ordinary SMTP session.
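The session described above, as an added example rather than Exchange 2000 Server code: a small server-side state machine in Python that replies to HELO/EHLO, MAIL FROM, RCPT TO, DATA and QUIT, advertises the SIZE and DSN extensions only after EHLO, and enforces the advertised size limit. The host name, the size limit and the reply texts are constructed for this example.

```python
import re

MAX_SIZE = 1024   # constructed size limit, advertised to ESMTP clients via SIZE


class SmtpSession:
    """Server side of one SMTP/ESMTP session, fed one client line at a time."""

    def __init__(self, hostname="mail.example.test", max_size=MAX_SIZE):
        self.hostname, self.max_size = hostname, max_size
        self.esmtp = False             # True after EHLO; HELO leaves it False
        self.sender, self.recipients, self.body = None, [], []
        self.in_data = False
        self.delivered = []            # (sender, recipients, text) of accepted mail

    def _reset(self):
        self.sender, self.recipients, self.body = None, [], []

    @staticmethod
    def _address(arg):
        """Split 'FROM:<a@b> KEY=VAL ...' into the address and its ESMTP params."""
        m = re.match(r"(?:FROM|TO):\s*<([^>]*)>(.*)", arg, re.IGNORECASE)
        if not m:
            return None, {}
        params = (p.split("=", 1) for p in m.group(2).split() if "=" in p)
        return m.group(1), {k.upper(): v for k, v in params}

    def handle(self, line):
        """Return the server's reply lines for one client line."""
        if self.in_data:
            return self._data_line(line.rstrip("\r\n"))
        verb, _, arg = line.strip().partition(" ")
        verb = verb.upper()
        if verb in ("HELO", "EHLO"):
            self.esmtp = verb == "EHLO"
            self._reset()
            if not self.esmtp:
                return [f"250 {self.hostname}"]
            # "250-" lines continue a multi-line reply; the final line uses "250 ".
            return [f"250-{self.hostname}", f"250-SIZE {self.max_size}", "250 DSN"]
        if verb in ("MAIL", "RCPT"):
            addr, params = self._address(arg)
            if addr is None:
                return ["501 Syntax error in parameters or arguments"]
            if params and not self.esmtp:
                # SIZE and DSN NOTIFY exist only in an ESMTP (EHLO) session.
                return ["555 Parameters not allowed in a plain SMTP session"]
            if verb == "MAIL":
                size = params.get("SIZE", "0")
                if not size.isdigit() or int(size) > self.max_size:
                    return ["552 Message size exceeds fixed maximum message size"]
                self.sender = addr
                return ["250 Sender OK"]
            if self.sender is None:
                return ["503 Need MAIL command first"]
            self.recipients.append((addr, params.get("NOTIFY", "")))
            return ["250 Recipient OK"]
        if verb == "DATA":
            if not self.recipients:
                return ["503 Bad sequence of commands"]
            self.in_data = True
            return ["354 Start mail input; end with <CRLF>.<CRLF>"]
        if verb == "QUIT":
            return [f"221 {self.hostname} closing connection"]
        return ["500 Command not recognized"]

    def _data_line(self, line):
        if line != ".":
            self.body.append(line)
            return []
        self.in_data = False
        text = "\n".join(self.body)
        if len(text) > self.max_size:      # the limit also applies to the real data
            self._reset()
            return ["552 Message size exceeds fixed maximum message size"]
        self.delivered.append((self.sender, list(self.recipients), text))
        self._reset()
        return ["250 Queued for delivery"]


def run_session(client_lines, **kw):
    """Drive a session with a scripted client; return (session, server transcript)."""
    session = SmtpSession(**kw)
    transcript = [f"220 {session.hostname} ESMTP ready"]   # welcome message
    for line in client_lines:
        transcript.extend(session.handle(line))
    return session, transcript
```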
Name Resolution
To establish a connection, the SMTP service must determine the remote host’s IP address.
Windows 2000 supports several name resolution mechanisms, including the HOSTS file, DNS,
Windows Internet Name Service (WINS), the LMHOSTS file, and the Active Directory
directory service.
DNS Name Resolution
DNS is most likely to be used for name resolution when communicating with hosts
directly on the Internet. To retrieve the IP address of an SMTP host, the SMTP service
uses a component of the TCP/IP protocol stack, known as the Resolver, to contact the local
DNS server.
Mail Exchanger Records
DNS mail exchanger (MX) records point to computers that are able to handle SMTP
connections. It is common to have multiple SMTP servers within an organization, so more
than one MX record may exist per Internet domain. It is possible to identify more
important and less important hosts by assigning priorities to MX records. Multiple mail
exchangers can provide load balancing and fault tolerance for incoming messaging connections.
Exercise Summary:
The TCP/IP utility NSLookup allows you to check DNS records, which is especially useful if
you are experiencing SMTP connection problems on Internet links.
One or more MX hosts should be returned per domain. If a domain does not contain mail
exchangers, the SMTP service will not be able to resolve the domain name through DNS.
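As an added example (not part of the chapter), the following Python parses the MX records that NSLookup prints for a domain and orders the exchangers the way a sending SMTP host would try them: lowest preference value first, equal values sharing the load, and a lookup error when the domain has no MX records at all. The NSLookup output, domain and addresses are constructed.

```python
import re
from collections import defaultdict

# Constructed text in the layout the Windows NSLookup utility prints after
# "set type=MX": two exchangers at preference 10 share the load, one backup at 20.
SAMPLE_NSLOOKUP = """\
Server:  dns1.example.test
Address:  192.0.2.53

example.test    MX preference = 10, mail exchanger = mx1.example.test
example.test    MX preference = 10, mail exchanger = mx2.example.test
example.test    MX preference = 20, mail exchanger = backup.example.test
mx1.example.test        internet address = 192.0.2.10
mx2.example.test        internet address = 192.0.2.11
backup.example.test     internet address = 192.0.2.20
"""

MX_RE = re.compile(r"^(\S+)\s+MX preference = (\d+), mail exchanger = (\S+)", re.M)
A_RE = re.compile(r"^(\S+)\s+internet address = (\S+)", re.M)


def parse_mx(text):
    """Return {domain: [(preference, host), ...]} from NSLookup MX output."""
    records = defaultdict(list)
    for domain, pref, host in MX_RE.findall(text):
        records[domain.lower()].append((int(pref), host.lower().rstrip(".")))
    return dict(records)


def parse_glue(text):
    """Return {host: ip} for the 'internet address' lines NSLookup appends."""
    return {h.lower().rstrip("."): ip for h, ip in A_RE.findall(text)}


def delivery_tiers(records, domain):
    """Group a domain's exchangers by preference, most preferred (lowest) first.

    Hosts in one tier share the load; the next tier is tried only when every host
    in the current one fails. Raises LookupError when the domain has no MX
    records, mirroring the SMTP service's inability to resolve such a domain.
    """
    mx = records.get(domain.lower())
    if not mx:
        raise LookupError(f"no mail exchangers found for {domain}")
    tiers = defaultdict(list)
    for pref, host in mx:
        tiers[pref].append(host)
    return [sorted(tiers[p]) for p in sorted(tiers)]


def connection_plan(text, domain):
    """Ordered tiers of (host, ip) an SMTP sender would try for the domain."""
    glue = parse_glue(text)
    return [[(h, glue.get(h)) for h in tier]
            for tier in delivery_tiers(parse_mx(text), domain)]
```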
Post Office Protocol, Version 3
POP3 is a messaging protocol that defines commands to download messages from a host.
In other words, it is a read-only protocol that allows you to download messages from your
server-based Inbox only; access to other server-based message folders is not possible.
Examples of POP3 clients are Outlook Express, Eudora, and Netscape Navigator Mail.
The POP3 features are described in RFC 1939.
IMPORTANT To send messages, POP3 users rely on SMTP. Consequently, you need
to provide your users with an SMTP server in addition to a POP3 host for complete
messaging functionality. SMTP and POP3 hosts can be the same or different servers.
Commands and Responses
POP3 commands are not case sensitive. They consist of a keyword followed by
arguments, if necessary.
POP3 Session States
A POP3 session progresses through three states, called Authorization, Transaction, and
Update.
Authorization. This state is reached when the server’s welcome message is received after the
client has opened a connection to TCP port 110. In this state, the user account information
can be sent to the server.
Transaction. Now the user can read, download, or delete e-mail messages as desired. The
session is released by sending the QUIT command to the server.
Update. At this point, the session enters the Update state, in which the POP3 server
sends a goodbye message to the client and releases the TCP/IP connection.
Exercise Summary:
POP3 is a simple protocol that you can test manually using the Telnet utility.
Because Telnet has no way to use the integrated Windows 2000 authentication mechanism, you
need to supply a user name and password and rely on Basic Authentication (clear text).
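The three POP3 states as an added Python example (not Exchange code): a server-side state machine that refuses transaction commands before authorization, applies DELE marks only when the session reaches the Update state, and records the exchange as a Telnet user or anyone watching the wire would see it, clear-text password included. The accounts and messages are constructed.

```python
class Pop3Session:
    """Server side of a POP3 session, fed one command line at a time."""

    def __init__(self, users, mailbox):
        self.users = users          # {name: password}, compared in clear text
        self.mailbox = mailbox      # {name: [message text, ...]}, updated on QUIT
        self.state = "AUTHORIZATION"
        self.user = None
        self.messages = []          # snapshot of the mailbox for this session
        self.deleted = set()        # numbers marked by DELE, applied in UPDATE
        self.transcript = []        # both directions, as a sniffer would see them

    def handle(self, line):
        self.transcript.append("C: " + line)
        reply = self._dispatch(line)
        self.transcript.append("S: " + reply)
        return reply

    def _dispatch(self, line):
        verb, _, arg = line.strip().partition(" ")
        verb = verb.upper()         # keywords are not case sensitive
        if self.state == "AUTHORIZATION":
            return self._authorize(verb, arg)
        if self.state == "TRANSACTION":
            return self._transact(verb, arg)
        return "-ERR connection released"

    def _authorize(self, verb, arg):
        if verb == "USER":
            self.user = arg
            return "+OK name is a valid mailbox"
        if verb == "PASS":
            if self.user is not None and self.users.get(self.user) == arg:
                self.state = "TRANSACTION"
                self.messages = list(self.mailbox.get(self.user, []))
                return f"+OK {len(self.messages)} messages"
            self.user = None        # same reply for bad user and bad password
            return "-ERR invalid user name or password"
        if verb == "QUIT":
            self.state = "UPDATE"
            return "+OK POP3 server signing off"
        return "-ERR command not valid in the Authorization state"

    def _transact(self, verb, arg):
        live = [(i, m) for i, m in enumerate(self.messages, 1) if i not in self.deleted]
        if verb == "STAT":
            return f"+OK {len(live)} {sum(len(m) for _, m in live)}"
        if verb in ("RETR", "DELE"):
            num = int(arg) if arg.isdigit() else 0
            if num not in dict(live):
                return "-ERR no such message"
            if verb == "DELE":
                self.deleted.add(num)
                return "+OK message marked for deletion"
            text = self.messages[num - 1]
            return f"+OK {len(text)} octets\r\n{text}\r\n."
        if verb == "RSET":
            self.deleted.clear()
            return "+OK deletion marks removed"
        if verb == "QUIT":
            return self._update()
        return "-ERR unknown command"

    def _update(self):
        """Update state: apply deletions, say goodbye, release the connection."""
        self.state = "UPDATE"
        self.mailbox[self.user] = [m for i, m in enumerate(self.messages, 1)
                                   if i not in self.deleted]
        return "+OK POP3 server signing off"


def cleartext_secrets(session):
    """Passwords anyone watching the wire can read from a Basic-style session."""
    return [l[len("C: PASS "):] for l in session.transcript
            if l.upper().startswith("C: PASS ")]
```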
Internet Mail Access Protocol Version 4
IMAP4 is a modern Internet protocol that allows you to access all kinds of server-based messaging
folders. In other words, using an IMAP4-compliant client, you are not restricted to Inbox access
only, as you would be using POP3.
IMAP4 Session States
IMAP4 defines four successive session states: the Non-Authenticated, Authenticated,
Selected, and Logout states.
Authenticated. As soon as the client logs on using the LOGIN command, the session enters
the Authenticated state. The important task a client has to accomplish now is selecting a folder
from the mailbox.
Selected. The client uses the SELECT command for this purpose, thereby entering the
Selected state. In this state most of the IMAP4 commands are available; STORE and
FETCH are good examples of such commands.
Logout. When the client logs out, the connection enters the Logout state. The connection
is terminated, and the server closes the connection after sending its goodbye notification.
Commands and Responses
IMAP4 commands are case-insensitive strings of printable ASCII characters, which consist
of a tag followed by a keyword and its arguments, if necessary.
An identifier, known as a tag, prefixes each client command. Those tags are necessary because
multiple commands may be in progress simultaneously. Data transmitted by the host and status
notifications that are not associated with a client command must be prefixed with a token “*”.
These constructs are called untagged responses.
Exercise Summary:
IMAP4 is more powerful than POP3 because it allows you to work with all kinds of messaging
folders, including public folders.
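Tagged and untagged responses in practice, as an added Python example that is not part of the chapter: a tracker that matches each tagged completion to the outstanding command with that tag, keeps the untagged "*" lines apart, and follows the four session states across a constructed transcript in which two commands are in progress at once. The greeting, account and mailbox contents are invented.

```python
import re

# Tagged completion line: "<tag> OK|NO|BAD [text]".
TAGGED_RE = re.compile(r"^(?P<tag>[A-Za-z0-9]+) (?P<status>OK|NO|BAD)(?: (?P<text>.*))?$")

# Commands whose OK completion moves the session into the named state.
STATE_AFTER = {"LOGIN": "Authenticated", "SELECT": "Selected", "LOGOUT": "Logout"}

# Constructed transcript: A003 and A004 are in flight at the same time, so the
# client can only tell the replies apart by their tags.
SAMPLE_EXCHANGE = [
    "S: * OK IMAP4rev1 server ready",
    "C: A001 LOGIN alice secret",
    "S: A001 OK LOGIN completed.",
    "C: A002 SELECT INBOX",
    "S: * 2 EXISTS",
    "S: * 0 RECENT",
    "S: * FLAGS (\\Seen \\Answered \\Flagged \\Deleted \\Draft)",
    "S: A002 OK [READ-WRITE] SELECT completed.",
    "C: A003 FETCH 1 (FLAGS)",
    "C: A004 NOOP",
    "S: A004 OK NOOP completed.",
    "S: * 1 FETCH (FLAGS (\\Seen))",
    "S: A003 OK FETCH completed.",
    "C: A005 LOGOUT",
    "S: * BYE server signing off",
    "S: A005 OK LOGOUT completed.",
]


class ImapResponseTracker:
    """Correlates server lines with client commands that are still in progress."""

    def __init__(self):
        self.pending = {}      # tag -> command text, for commands not yet completed
        self.completed = {}    # tag -> (status, text)
        self.untagged = []     # data and status lines the server sent with "*"

    def send(self, tag, command):
        """Record a client command; tags must be unique within the session."""
        if tag in self.pending or tag in self.completed:
            raise ValueError(f"tag {tag} reused")
        self.pending[tag] = command
        return f"{tag} {command}"

    def receive(self, line):
        """Classify one server line and return a tuple describing it."""
        if line.startswith("* "):
            self.untagged.append(line[2:])
            return ("untagged", line[2:])
        if line.startswith("+ "):             # server asks the client for more data
            return ("continuation", line[2:])
        m = TAGGED_RE.match(line)
        if not m or m["tag"] not in self.pending:
            raise ValueError(f"unexpected server line: {line!r}")
        command = self.pending.pop(m["tag"])
        self.completed[m["tag"]] = (m["status"], m["text"] or "")
        return ("tagged", m["tag"], m["status"], command)


def replay(exchange):
    """Feed a 'C: ...'/'S: ...' transcript through the tracker.

    Returns the tracker and the list of session states entered, in order.
    """
    tracker, states = ImapResponseTracker(), ["Non-Authenticated"]
    for line in exchange:
        side, text = line.split(": ", 1)
        if side == "C":
            tag, command = text.split(" ", 1)
            tracker.send(tag, command)
        else:
            event = tracker.receive(text)
            if event[0] == "tagged" and event[2] == "OK":
                verb = event[3].split()[0].upper()
                if verb in STATE_AFTER:
                    states.append(STATE_AFTER[verb])
    return tracker, states
```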
Network News Transfer Protocol
USENET is a communication network based on NNTP, which relies on distributed discussion
forums known as newsgroups. A vast number of newsgroups exist, but it is not always easy
to find the desired information.
Newsgroups
Newsgroups can be compared to regular public folders in Exchange 2000 Server. They
represent the context of discussions, as do public folders.
Newsreaders
A newsreader application is a client program that can be used to read newsgroup articles.
In more technical terms, a newsreader is able to communicate via NNTP. Public folders
can be accessed because Exchange 2000 Server supports newsreaders via the extended
NNTP service of Windows 2000.
Multiple instances of one particular newsgroup typically reside on multiple servers. Let’s
say you want to receive new changes from a remote server. You will first connect
to the remote server’s port 119. You can then check the remote server for new
articles and request those that you haven’t yet received.
NOTE: In general, two forms of NNTP data transfer exist. They are the pull and the
push transfer.
The terms push and pull may also be used to specify which host initiates the communication.
Pull Feed. The local host initiates the connection to the remote server and pulls the information.
Push Feed. The remote server (such as a provider’s host) initiates the connection and pushes
the information into the local host.
Usage of NNTP differs slightly between pull and push feeds. Whereas pull feeds need a command
set for querying remote servers about available articles, push feeds need a command set for
newsgroup creation and article posting.
NNTP Communication
NNTP works similarly to SMTP, POP3, and IMAP4. Newsreader applications open a connection
to TCP port 119 to establish a session. The NNTP server sends its welcome message back to the
client, such as 200 NNTP Service 5.00.0984 Version 5.0.2195.1608 Posting Allowed.
Exercise Summary:
You can use Telnet to log on to an NNTP newsgroup host. You must provide valid authentication
information using the AUTHINFO USER command. The host will return a positive response,
382 Waiting For Password, which indicates that it is now time to enter the password through
the
NOTE: The HELP command is useful if you want to explore the set of supported NNTP
commands in Telnet.
HTTP is the data vehicle of the World Wide Web. Its first version (now referred to as HTTP/0.9)
was a simple protocol to transfer data, such as Web pages, across the Internet. In 1996, a
revision known as HTTP/1.0 significantly improved and standardized the protocol, which was
again superseded by HTTP/1.1 in 1997. The current version of HTTP is defined in RFC 2616.
URIs and URLs and URNs
To tell the Web server which document to return, the browser has to provide a Uniform
Resource Identifier (URI), most commonly known as a Web address, shortcut, or URL.
A URL is actually a specific type of URI that identifies a resource through its location on the
network, for instance, http://www.microsoft.com/exchange/default.htm/. The other possible
type of URI is a Uniform Resource Name (URN), which identifies a resource through its
globally unique distinguished name.
HTTP Extensions for Distributed Authoring
The Distributed Authoring and Versioning Protocol, usually referred to as WebDAV, is an
extension of HTTP/1.1. Unlike HTTP, which is primarily used to request Web pages
from a server, WebDAV specifies methods, headers, and content types for the management
of resource properties directly on the server, as well as the creation of resource collections,
the manipulation of namespaces, and the locking of resources to avoid collisions due to
concurrent access from multiple clients.
IIS 5.0 fully supports WebDAV if Exchange 2000 Server is installed, meaning you can
publish a WebDAV directory directly on your Web server and let your users easily collaborate on
documents over the Internet.
Microsoft Exchange 2000 Web Storage System
File system access to Exchange resources is supported by means of the Web Storage
System and a component called Exchange Installable File System (ExIFS). Don’t get
confused: ExIFS relies on the Web Storage System, but they are not the same. The
Web Storage System is also involved when accessing Exchange resources via WebDAV,
but ExIFS is not.
Every item within the Web Storage System is accessible via the WebDAV protocol.
The Web Storage System associates items accessible through URLs with Web forms,
which are comparable to Outlook forms, although they are entirely HTML-based and
provide more extensibility capabilities.
Exercise Summary:
By default, every user can access Exchange 2000 Server resources in the context of their
access permissions via HTTP and WebDAV. WebDAV relies on the security features
offered by Windows 2000, IIS 5.0 and Exchange 2000 Server.
NOTE: HTTP and WebDAV are Internet Standards supported on all client platforms.
Macintosh or UNIX client computers can rely on WebDAV to share information with
Windows users directly.
Lightweight Directory Access Protocol
LDAP is a derivation of X.500 Directory Access Protocol. It was originally developed
at the
hierarchical directory based on object attributes.
LDAP Features
As designed for the Internet, LDAP uses the TCP/IP transport mechanism for client-
server communication. The server “listens” for incoming requests on TCP port 389
by default.
Available Versions
Three LDAP versions currently exist, although the third version has not yet been specified
completely. In Exchange 2000 Server organizations, LDAP is available through Active
Directory and Global Catalog servers.
LDAP and Windows 2000 Active Directory Directory Services
If you plan to use Internet mail clients, such as Outlook Express, to participate in an
Exchange 2000 Server organization, required address information is available via LDAP
and Active Directory.
The Global Catalog holds the recipient information for the entire forest. It is therefore
advisable to configure an LDAP connection to a Global Catalog server to be able to
search the full set of address information from your organization. When configuring
your LDAP client, make sure to connect to TCP port 3268 instead of the default port
389 to reach the Global Catalog.
The following ports allow you to connect to Active Directory via LDAP:
NOTE: When accessing TCP port 389, only the objects within the home domain of the
Active Directory domain controller are searchable. A query to port 3268 gives you the
ability to search address information in the entire forest, although only the properties tagged
for replication to the Global Catalog will be returned.
Exchange 2000 Server facilitates the introduction into messaging and collaboration
across the Internet.
Especially when connecting to the Internet, it is advisable to restrict access to only those
services that are absolutely necessary for authorized users. To give an example, if you
plan to provide access to Exchange resources via HTTP only, stop the Microsoft Exchange
POP3, Microsoft Exchange IMAP4, and NNTP services in the Services management tool.
Then, set their startup type to either manual or disabled.
IIS supports the concept of virtual servers. Through virtual servers, you can enable a single
server to appear as several servers. This is particularly interesting for Internet services
providers (ISPs) that are hosting numerous independent Web sites for their customers on
a small number of servers.
Default Virtual Servers
The Exchange System Manager utility allows you to create additional protocol virtual
servers on your Exchange 2000 computer by means of a few mouse clicks. Each Internet
protocol is represented as a different container and within each, corresponding virtual
protocol servers are grouped together. By default, only one virtual server exists per
protocol.
NOTE: With the exception of the default HTTP virtual server, named Exchange Virtual
Server, you should manage all IP settings from within the Exchange System Manager utility.
When you right-click on a protocol container (HTTP, IMAP4, NNTP, POP3, or SMTP)
and point to New, you can select the <Protocol Type> Virtual Server command, which
allows you to add virtual protocol servers to the configuration. You need to define a
name for the new virtual server and assign it an IP address. In Windows 2000
Server you can assign a single network card multiple IP addresses or install multiple
network adapters and configure each with a separate IP address.
IP Address and Port Number
During the creation of additional protocol servers, a dialog box might appear informing you
that the new virtual server will not start because IP address and port numbers are already
in use. It is important to assign each virtual server either a separate IP address or customized
TCP port numbers for nonencrypted and SSL-encrypted communication, or both.
=====================================================================
Protocol   TCP port   SSL port
=====================================================================
HTTP       80         443
IMAP4      143        993
NNTP       119        563
POP3       110        995
SMTP       25         Uses Transport Layer Security (TLS) instead of SSL
=====================================================================
To adjust the settings of a virtual server, open the corresponding protocol container
(such as IMAP4), right-click on the desired virtual server (such as Default IMAP4
Virtual Server), and from the shortcut menu, select Properties.
Metabase and Active Directory Directory Services
When you configure Internet protocols within the Exchange System Manager utility,
you manage settings in Active Directory. It is the task of the metabase update service
to transfer the changes into the metabase. Because the metabase update may take a
few minutes, changes may not take effect immediately.
The Access tab provides access to the Authentication button and gives you the ability
to enable or disable client authentication methods, such as Anonymous Access, Basic
Authentication, and Integrated Windows Authentication.
The settings differ slightly between the protocols because some methods do not apply to a
specific protocol type. POP3 and IMAP4, for instance, don’t support Anonymous
Access because this form of access is inappropriate when working with mailbox
resources.
Anonymous Access
Exchange 2000 Server supports Anonymous Access to public folders based on HTTP
and NNTP. First, you need to enable Anonymous Access for the corresponding
protocol or HTTP virtual directory within the Exchange System Manager. Second,
you need to specify an anonymous account at the same location. By default, this is the
Internet Guest account called IUSR_<SERVERNAME>. Third, within the Exchange
System Manager or Outlook 2000, you need to define anonymous access permissions
for particular public folders.
NOTE: The Internet guest account used to validate anonymous NNTP and HTTP
users does not correspond to the Anonymous account displayed in the Client Permissions
Dialog box. Because it is a valid Windows 2000 account, default permissions apply.
To assign anonymous permissions directly, you need to mail-enable
IUSR_<SERVERNAME>; otherwise, you are unable to select this account from the
Global Address List.
Basic Authentication. If Basic Authentication is enabled (the default), clients are
not forced to encrypt the user name or password. Instead, they can directly transmit
this information to the server in encoded (and easily decodable) text. To put it plainly,
if an intruder can watch the communication between a client and the server, this person
can get access to users’ account information. For Basic Authentication, it is usually
sufficient to supply your user name and password. Your user name will be assumed
to be the same as the mailbox alias.
Digest Authentication. Digest authentication may be an important authentication
mechanism if you want to support Instant Messaging users that connect to their home
server via an HTTP proxy.
NOTE: To verify whether Digest authentication is enabled, launch the Internet
Information Services utility. Open the Web site container where the InstMsg virtual
directory is located, and right-click InstMsg. Select Properties, click on the Directory
Security tab, and then under Anonymous Access and Authentication Control, click
the Edit button. In the Authentication Methods dialog box, make sure Digest
Authentication For Windows Domain Servers is selected.
Integrated Windows Authentication. Formerly known as Microsoft Windows NT
Challenge/Response authentication, this method is more complex and secure than Basic
Authentication or Digest Authentication because it uses the Windows network security
mechanism.
Both the client and the server must have a connection to a key distribution center (KDC).
The KDC is an integrated part of the security services of Windows 2000 domain controllers.
Kerberos uses Active Directory to retrieve security account information.
Setting Security Options
Integrated Windows Authentication works well in environments where users are working
with clients that support this authentication method (Internet Explorer and related programs
only) and where the network supports the Challenge/Response and Kerberos protocol.
NOTE: Integrated Windows Authentication is best suited for environments where both
clients and server are members of the same domain and you can ensure that every user is
using Microsoft Internet clients and browsers.
Basic Authentication over Encrypted Communication Channels
If you cannot rely on Integrated Windows Authentication, you need to enable the Basic
Authentication mechanism to allow your users to log on to the server. To secure the
communication channel, you need to enable and enforce available security features based
on SSL.
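The port table and the authentication settings described above lend themselves to a configuration check. The following Python is an added example, not an Exchange tool: it audits a plan of protocol virtual servers for IP address and port collisions (the "will not start" dialog), for Basic Authentication enabled without Require Secure Channel, for missing SSL listeners, and for Anonymous Access on mailbox protocols. The server names, IP address and plan are constructed.

```python
PORTS = {  # (TCP port, SSL port) as in the table above; SMTP uses TLS on port 25
    "HTTP": (80, 443), "IMAP4": (143, 993), "NNTP": (119, 563),
    "POP3": (110, 995), "SMTP": (25, None),
}
MAILBOX_PROTOCOLS = {"POP3", "IMAP4"}    # Anonymous Access is not supported here

# Constructed plan: the default IMAP4 server plus a second one on a dedicated IP.
PLAN = [
    {"name": "Default IMAP4 Virtual Server", "protocol": "IMAP4", "ip": "all",
     "port": 143, "ssl_port": 993, "auth": {"Basic", "Integrated"},
     "require_ssl": True},
    {"name": "Partner IMAP4", "protocol": "IMAP4", "ip": "192.0.2.5",
     "port": 143, "ssl_port": None, "auth": {"Basic"}, "require_ssl": False},
    {"name": "Default POP3 Virtual Server", "protocol": "POP3", "ip": "all",
     "port": 110, "ssl_port": 995, "auth": {"Anonymous", "Basic"},
     "require_ssl": True},
    {"name": "Default NNTP Virtual Server", "protocol": "NNTP", "ip": "all",
     "port": 119, "ssl_port": 563, "auth": {"Anonymous", "Basic"},
     "require_ssl": True},
]


def _collides(a, b):
    """Bindings on one port collide if the IPs match or either is All Unassigned."""
    return a[1] == b[1] and (a[0] == b[0] or "all" in (a[0], b[0]))


def audit_virtual_servers(servers):
    """Return findings for a list of planned protocol virtual servers.

    Each server is a dict with: name, protocol, ip ('all' = All Unassigned),
    port, ssl_port (None when no SSL listener), auth (set of method names)
    and require_ssl (the Require Secure Channel check box).
    """
    findings, taken = [], []      # taken: [((ip, port), owner name)]
    for s in servers:
        name, proto = s["name"], s["protocol"]
        for port in (s["port"], s.get("ssl_port")):
            if port is None:
                continue
            binding = (s["ip"], port)
            for other, owner in taken:
                if _collides(binding, other):
                    findings.append(f"{name}: will not start, {binding[0]}:{port} "
                                    f"is already in use by {owner}")
            taken.append((binding, name))
        if "Basic" in s["auth"] and not s.get("require_ssl"):
            findings.append(f"{name}: Basic Authentication without Require Secure "
                            f"Channel sends passwords in the clear on port {s['port']}")
        if s.get("ssl_port") is None and proto != "SMTP":
            findings.append(f"{name}: no SSL port bound; the standard SSL port "
                            f"for {proto} is {PORTS[proto][1]}")
        if "Anonymous" in s["auth"] and proto in MAILBOX_PROTOCOLS:
            findings.append(f"{name}: Anonymous Access is not supported for {proto}")
    return findings
```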
Secure Sockets Layer
SSL relies on public key cryptography. In the OSI reference model, SSL resides between
the transport layer and the application layer, where the Internet access protocols are located.
To encrypt the client data at the SSL layer, client and server need to agree on the level of
security they will use during the session. This information is exchanged automatically, in the
form of an X.509 certificate, during the security handshake, which is carried out as part of the
initialization of the TCP/IP connection.
Installing A Security Certificate on the Server
To provide IMAP4-based access to mailbox resources in encrypted form over the Internet,
you need to install a security certificate on the server via the Access tab of your IMAP4
virtual server.
See pages 368-369 for the process.
If you already have a certification authority, the required security certificate is installed after
the previous process. You may now enforce encryption of the client/server communication
by clicking the Communication button on the Access tab and selecting the Require Secure
Channel check box. If your environment supports strong 128-bit encryption, you may enable
the Require 128-bit Encryption check box as well. This 128-bit session cannot be exported
outside the
Authentication Through Client Certificate Mapping
When you configure the authentication methods for an HTTP virtual server (via the corresponding
Web site’s Directory Security property sheet in the Internet Service Manager) or an NNTP
virtual server (via the Authentication button on the Access tab), you will notice that you can
enable client certificate mappings to Windows user accounts.
Exchange 2000 Server utilizes event sinks to combine the NNTP functionality of Windows
2000 with public folder resources.
Newsgroup Hierarchies
The implementation of newsgroups based on public folders provides several advantages.
The good news is that you don’t need to roll out or support newsreader software on your
individual client computers.
Making Internet Newsgroups Available to NNTP Clients
The public folder called Internet Newsgroups is the default location for inbound newsgroups
replicated to a server running Exchange 2000 Server.
If you want to create additional discussion forums, you need to manually create the associated
public folders under a newsgroup hierarchy, also known as a virtual directory.
Exchange System Manager will automatically create a new public folder structure according to
your newsgroup hierarchy under a virtual directory, which defaults to Internet Newsgroups.
Creating Newsgroups Hierarchies
If you want to host your newsgroups in several public folder structures other than Internet
Newsgroups, you need to create additional newsgroup hierarchies. Under your NNTP
virtual server, right-click Virtual Directories, point to New and then select Virtual Directory.
Changing Newsgroup Properties
When you right-click a newsgroup folder in Outlook 2000 that was created by means of
the Exchange System Manager, let’s say under Internet Newsgroups, and select
Properties, you will notice that you cannot manage the newsgroup’s properties because
of missing client permissions.
In some cases, however, it is desirable to adjust the settings of a particular newsgroup,
such as its client permissions, without configuring additional protocol virtual servers.
A moderated public folder or moderated newsgroup folder allows a user to forward posted
messages to a moderator. The moderator reviews the posted information and allows
accepted articles to appear in the newsgroup folder.
You need to have the owner permission for a newsgroup’s public folder to configure the
moderator settings in Outlook 2000.
If you want an NNTP virtual server to forward posted articles to a moderator, you need to
specify an SMTP server on the NNTP virtual server’s Settings property sheet first.
Newsgroup Expiration Policies
When you examine the nodes underneath an NNTP virtual server, you will notice a container
called Expiration Policies. As the name suggests, you can use it to configure policies that
determine how long articles are stored in newsgroups.
Concurrent Sessions
Every NNTP virtual server provides you with status information regarding current client
sessions in the Current Sessions container. All existing sessions are listed as individual
objects.
Creating Newsfeeds
The remaining node under each NNTP virtual server is called Feeds and, as its name implies,
it serves to create and maintain newsfeeds. To create a new newsfeed, right-click on it,
point to New, and select Feed. On the first New NNTP Feed wizard screen, enter the
remote host’s name or IP address, and then click Next.
Newsfeed Configuration Tasks
You can accomplish newsfeed configuration tasks through the property sheets that every
newsfeed object provides. For instance, you might be required to enable Basic
Authentication to access the remote host.
Controlling Inbound Newsgroups
When you click on the General tab, you can find the Enable Feed check box, which allows
you to temporarily disable a particular newsfeed. This may be especially useful if you
discover that the newsfeed replicates too many articles to your server. Disable the
newsfeed, add more hardware, or move other Exchange 2000 resources to another
server, compact the affected databases, and then enable the feed again.
Exercise Summary:
Exchange 2000 Server and Outlook Express support all the important Internet client
protocols.
You can access your Inbox via POP3, all message folders including public folders via
IMAP4, and public folders configured as newsgroups via NNTP.
The sending of messages is accomplished through SMTP, and directory access is
carried out over LDAP.
Chapter Summary:
users will instantly be able to communicate with users from other Internet organizations,
provided that MX records exist in DNS for your Internet domain.
managed in the Internet Services Manager to remain compatible with existing non-
any application, including Microsoft Office and other Win32 programs.