Before you go there, I am not talking about connecting Outlook to Exchange on the LAN. I’m talking about those other situations, like the graphics guy using Mac Mail, or the security guy using Thunderbird on Linux, or someone with a Windows Mobile device, or even you with your iPhone.
In this two part series, we are going to first cover how to securely enable POP3 and IMAP for those clients that can’t (or won’t) use Outlook, and in the second half of this series, howto://connect clients to exchange-part two, we will cover how to use ActiveSync for Windows Mobile, Droid, and iPod Touch/iPhone/iPads, and also how to support remote Outlook connections without a VPN using Outlook Anywhere. If you need to support POP3 and/or IMAP, read on for how to get it done.
Exchange 2010 does support POP3 and IMAP out of the box. It also supports the secure versions using TLS and either a self-signed certificate or one that you get from your trusted CA. However, none of this is turned on by default. If you try to connect a client at this point, you will get nothing but failures and RST/ACKs. To enable these services, do this.
Enabling IMAP and POP3 services
- Open a cmd prompt and run: netstat -an | more
If you check the listening ports on your CAS server, you will see that it is not listening on POP3, POP3S, IMAP, or IMAPS. Of course it is listening on SMTP and SMTPS, which you will need for these clients to send mail.
- To enable these services, launch services.msc. Find the Microsoft Exchange IMAP4 and Microsoft Exchange POP3 services. There are only the two…IMAP4 handles cleartext and secure IMAP, and POP3 handles cleartext and secure POP3.

- Configure the IMAP4 service to start automatically.

- Then, start it.

- Repeat the same process for the POP3 service.
- Now check again with netstat and you will see that you have listeners for 110-POP3, 143-IMAP, 993-IMAPS, and 995-POPS.

- Do your happy dance.

Restricting access to IMAP and POP3 services
Strictly speaking, you are done on the server side. Any clients on the internal network should be able to connect. All users will be permitted to connect using POP3 or IMAP4 (and their secure counterparts) by default. If you want to restrict this, you can edit the individual mailboxes and disable specific protocols, like this.
Note that disabling IMAP in this way hits both IMAP4 and Secure IMAP. You don’t do this to disable cleartext…you handle that as shown below.
Securing IMAP and POP3 services with TLS
As you should be aware, IMAP and POP3 are both cleartext protocols. All data, including authentication, is transmitted in the clear. It would be a shame to implement a strong password policy, aggressive lockout settings, and auditing in AD only to have the first guy with Wireshark start grabbing everyone’s domain credentials as they connect to Exchange using cleartext protocols. To prevent that, you want to set both to require TLS.
- Launch the Exchange Management Console.
- Browse down to Server Configuration, Client Access.
- Click on the POP3 and IMAP4 tab.

- Right-click on IMAP4, choose properties, and then go to the Authentication tab.

- Select Secure logon, and if necessary, enter the friendly name of the appropriate certificate.
- Do the same for the POP3 service.

- Restart both services using services.msc. You must do this for the settings to take effect.
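The same three tasks (enabling the services, requiring TLS, and restricting the protocols per mailbox) can be scripted from the Exchange Management Shell on the CAS server. This is an added example, not code from the original post; the server name CAS01, the certificate friendly name mail.example.com, and the two user aliases are placeholders you would replace with your own.

```powershell
# Added example (not from the original post). Run in the Exchange Management
# Shell on the CAS server. Assumed values: server CAS01, certificate friendly
# name "mail.example.com", and two placeholder aliases that keep IMAP/POP3.
$cas  = "CAS01"
$cert = "mail.example.com"                            # friendly name of the TLS cert
$keepProtocols = @("graphics.guy", "security.guy")    # placeholder aliases

# 1. Enable and start the two services (they are Disabled out of the box).
foreach ($svc in "MSExchangeIMAP4", "MSExchangePOP3") {
    Set-Service -Name $svc -StartupType Automatic
    Start-Service -Name $svc
}

# 2. Require TLS. SecureLogin rejects LOGIN / USER+PASS on a session that has
#    not negotiated TLS, so domain credentials never cross the wire in the clear.
Set-ImapSettings -Server $cas -LoginType SecureLogin -X509CertificateName $cert
Set-PopSettings  -Server $cas -LoginType SecureLogin -X509CertificateName $cert

# 3. The new LoginType does not apply until both services are restarted.
Restart-Service -Name MSExchangeIMAP4, MSExchangePOP3

# 4. Restrict access: turn IMAP4 and POP3 off for every mailbox except the
#    ones in $keepProtocols. As the post notes, this disables both the
#    cleartext and the TLS variant of the protocol for that mailbox.
Get-CASMailbox -ResultSize Unlimited |
    Where-Object { $keepProtocols -notcontains $_.Alias } |
    Set-CASMailbox -ImapEnabled $false -PopEnabled $false

# 5. Verify. LoginType should read SecureLogin, and netstat should now show
#    listeners on 110/143 (usable only after STARTTLS) and on 993/995.
Get-ImapSettings -Server $cas | Format-List LoginType, X509CertificateName, SSLBindings
Get-PopSettings  -Server $cas | Format-List LoginType, X509CertificateName, SSLBindings
netstat -an | Select-String -Pattern ":(110|143|993|995)\s" | Select-String LISTENING

# 6. Optional end-to-end check over SSL. Requires the test mailbox created by
#    the New-TestCasConnectivityUser.ps1 script in the Exchange Scripts folder.
# Test-ImapConnectivity -ClientAccessServer $cas -ConnectionType Ssl -TrustAnySSLCertificate
# Test-PopConnectivity  -ClientAccessServer $cas -ConnectionType Ssl -TrustAnySSLCertificate
```

Step 4 is opt-in by design: leave it out if everyone should keep IMAP/POP3 access, and in any case test the filter with Get-CASMailbox before piping it into Set-CASMailbox.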
With that, you are done. Internal clients are now able to connect securely to the POP3 and IMAP services, using their domain credentials. MAPI connections from Outlook are still the way to go whenever you have the option, but this should let you support a wider range of clients without compromising security. Of course this requires that these clients be on the LAN, or connected by VPN. What if you want to permit connections from outside of your network without requiring VPN?
Connecting from the Internet using TMG
You might consider requiring a VPN connection before allowing access to POP3 and IMAP. This would reduce the number of open ports on the Internet, at the cost of requiring additional efforts on the client. Since ActiveSync clients will use only https to connect, the number of folks this will impact may not be significant.
Please also keep in mind that if you do publish these through the TMG, you are basically doing port forwarding. TMG cannot do SSL proxying for IMAP/POP3/SMTP, so your external clients (and the bad guys) will all be passing traffic directly to your CAS server. If that is acceptable, here is how to do it.
- Log on to your TMG server and launch the TMG Management Console.
- Browse down to Firewall Policy, right-click it, and click New, Mail Server Publishing Rule…

- Give it a name, and click next.
- Since this is for our clients, leave the option set to Client access: and click Next.

- Since we only want to support the secure services that use SSL/TLS, we’re only going to select those options here. You may need to enable others for your situation. Then click Next.

- Enter the internal IP address of your CAS server, then click Next.
- Select the external IP address you wish to use, and click Next.
- Click Finish, click Apply, and then enter your documentation.
That’s it. Now you just get the fun of setting up your clients. I don’t plan to cover any of that here except for getting iPhone/iPod Touch/iPad devices working with ActiveSync. That will be covered in an upcoming post, howto://connect your iphone to exchange with activesync. And don’t forget to check back for part two of this post, howto://connect clients to exchange-part two, where we will cover ActiveSync and Outlook Anywhere. Until then, I can hardly throw an animated gif of Snoopy dancing into this post without taking it one step further. This should bring back some childhood memories.
4 comments
Hi Retrohack,
I have a TMG EE server on my LAN. I do not want to install the TMG Client on my client computers, but rather use the web-proxy configuration in IE8 and IE9, but:
We have a mail server in a data centre, which we all connect to send and receive email via Outlook.
Is it possible to use Outlook 2007 and 2010 with POP / IMAP and SMTP (no SSL / TLS) without installing the TMG client?
Will be grateful
Yes, but don’t be that guy. Not using the TMG client is fine…I don’t use it either. I try to avoid anything that requires me to install additional software on clients.
Accessing email using unencrypted protocols is bad. ALWAYS use the SSL or TLS versions to protect data, but more importantly, to protect user credentials!
Hi Ed,
Thank you for your prompt response – One thing I have to ask and will be grateful for a step by step (a quick summary here in the comments would do) is the following :
My email box is in a remote data centre (it is not an Exchange server); it supports only POP, IMAP and SMTP and no SSL. We will upgrade to a new one later this year (hopefully).
I tried uninstalling the TMG client on my 7 and XP machines as a test and tried to use Outlook 2007, 2010, and Thunderbird, none of which connected. However, I was able to browse the internet when I had TMG defined as a web proxy.
I even tried to publish a rule allowing SMTP, POP, and IMAP to and from my email server, but none of that worked.
Will be most grateful if you could provide a step by step so that I can set that up and get rid of the TMG Client.
——————————-
Also, if we had Exchange either remote or on-premise, would the TMG client be mandatory then?
Thanks so much !!
Shehryar
Do your clients use the TMG as their default gateway? If they do, then you just need to create an outbound permit rule, and then ensure that any other firewall also permits the outbound traffic. If the TMG is not the default gateway, the easiest solution may be for you to use the TMG client. From what you are describing, it sounds like the TMG is not the default gateway. When you configure your browser to use the TMG as a proxy, web traffic is directed to the TMG. Email client traffic is not unless you use the TMG client. However, depending upon which email client you use, you may be able to configure it to use the TMG as a socks proxy. I think Thunderbird can use a proxy, but I don’t have it installed and don’t have time to do that for you.
HTH
Ed