Frequently Asked Questions (FAQ)
Can the connector be installed on a different server, or does it need to be installed on the Exchange server?
The connector should be installed on the LAN, where it can reach the Exchange frontend server (OWA on port 443 or port 80) and AD on port 636 (LDAPS) or, alternatively, port 389 (unencrypted LDAP).
If it needs to be installed on the Exchange server, how does it work when you have more than one Exchange server?
Since the connector uses HTTPS to connect to the Exchange frontends, one DME Connector can connect to several frontend servers. However, the traffic between OWA and the DME Connector can be heavy, whereas the traffic between the DME Connector and the DME Gateway is optimized (compressed, etc.).
What is the reason that the DME_Server account needs "Full Mailbox" rights?
The "Full Mailbox" right is needed because DME reads some hidden fields in the mailbox data, and only accounts with Full Access rights can read those fields. However, DME can be configured so that the background scanning of mailboxes is done with the end user's own credentials, meaning that each user scans his or her own mailbox. This requires the AD password to be stored encrypted in the DME database.
What is the exact function of the connector, and what does it do?
The DME Connector is the component that retrieves email and PIM data on behalf of the user. The DME security architecture is a three-tier architecture:
- The DME Client on the device, where the user enters his username and password
- The DME Gateway, which validates the device itself, not the user
- and, if the device is allowed, the user's credentials are passed on to the DME Connector.
The DME Connector has several functions:
- User authentication
- Email scanning (for push notifications)
- Retrieval of data from OWA
In our security model, this means that only internal components (the Connector) connect to your backend systems (AD and the Exchange frontend), whereas the DME Gateway handles external connections (devices). The DME Connector is also the one initiating the connection to the DME Gateway, so that this traffic is outbound from the internal systems rather than an inbound connection from the Gateway into the LAN.
Do we need an Exchange front-end server? (test or production)
DME uses OWA on Exchange 2003 and, on Exchange 2007, a server with the Client Access Server (CAS) role.
How (by what method or technique) does the connector connect to Exchange?
Over HTTPS or HTTP, against OWA.
There are a lot of ports that need to be opened according to the documents; are these all really needed?
Yes, all ports from the connector to the DME Gateway are needed. DME uses JBoss Messaging to ensure delivery of data between the Connector and the Gateway. Some of those ports are used for control and others for data exchange.
What kind of traffic do we need to allow on those ports?
The traffic is JBoss Messaging, and it can be SSL encrypted if needed. However, for performance reasons, inspecting the traffic between the DME Gateway and the DME Connector is not recommended.
What ports do we need to open if we install it in production?
The same as above: all ports from the connector to the DME Gateway are needed, since DME uses JBoss Messaging to ensure delivery of data between the Connector and the Gateway, with some ports used for control and others for data exchange.
In the document it is said that ports to AD and Exchange need to be opened. Why, and where does the connection that needs these ports come from?
See the answer above about the connector and the Exchange ports; these connections come from the DME Connector. The AD ports, either 636 (LDAPS) or 389 (LDAP), and optionally 3268 (the Global Catalog port, which like 389 carries unencrypted LDAP), must be open in order to authenticate users using LDAP(S). Port 3268 is recommended in large organisations for faster response when doing Global Address Book lookups.
The SQL server that needs to be in the DMZ (in that case production): can't this be installed on the DME Server that is also going to be in the DMZ?
It depends on the configuration you choose (for example, whether user passwords must be stored encrypted in the database), but in most cases SQL Server is not exposed in the DMZ; it can be placed on the LAN as well. For a production environment with more than 100 users, MS SQL Server and the DME Server must be placed on separate servers, as MS SQL Server would otherwise potentially allocate all the RAM, leaving insufficient resources for the DME Gateway.
How is the authentication of users done?
Using LDAPS or LDAP against AD.
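As an added example (not DME's code; the domain controller host name, bind DN and password are placeholders supplied by the caller), the following Python hand-encodes the LDAP v3 simple bind that "authenticate using LDAP(S)" comes down to, so that the difference between port 636 and port 389 mentioned in the port answers above is visible on the wire: the BindRequest carries the user's password as a plain OCTET STRING, so over port 389 it is readable by anything on the path, whereas over port 636 the same bytes sit inside a TLS session whose server certificate is verified.

```python
# Added illustration, not DME's code: LDAP v3 simple bind hand-encoded in BER (RFC 4511, X.690).
import socket
import ssl

LDAP_VERSION = 3
TAG_SEQUENCE = 0x30       # universal 16, constructed
TAG_INTEGER = 0x02
TAG_OCTET_STRING = 0x04
TAG_ENUMERATED = 0x0A
TAG_BIND_REQUEST = 0x60   # [APPLICATION 0], constructed
TAG_BIND_RESPONSE = 0x61  # [APPLICATION 1], constructed
TAG_SIMPLE_AUTH = 0x80    # AuthenticationChoice.simple: [CONTEXT 0], primitive
RESULT_SUCCESS = 0
RESULT_INVALID_CREDENTIALS = 49

def ber_len(n: int) -> bytes:
    """BER length: one byte below 128, else 0x80|count followed by big-endian length bytes."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def tlv(tag: int, value: bytes) -> bytes:
    return bytes([tag]) + ber_len(len(value)) + value

def ber_int(tag: int, n: int) -> bytes:
    """Minimal two's-complement INTEGER / ENUMERATED encoding (n >= 0)."""
    return tlv(tag, n.to_bytes(max(1, (n.bit_length() + 8) // 8), "big", signed=True))

def bind_request(message_id: int, bind_dn: str, password: str) -> bytes:
    """LDAPMessage { messageID, BindRequest { version, name, simple password } }."""
    body = (ber_int(TAG_INTEGER, LDAP_VERSION)
            + tlv(TAG_OCTET_STRING, bind_dn.encode("utf-8"))
            + tlv(TAG_SIMPLE_AUTH, password.encode("utf-8")))   # password verbatim
    return tlv(TAG_SEQUENCE, ber_int(TAG_INTEGER, message_id) + tlv(TAG_BIND_REQUEST, body))

def read_tlv(buf: bytes, pos: int = 0):
    """Decode one BER element at buf[pos]; return (tag, value, position after it)."""
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first & 0x80:                      # long-form length
        count = first & 0x7F
        length = int.from_bytes(buf[pos:pos + count], "big")
        pos += count
    else:
        length = first
    if pos + length > len(buf):
        raise ValueError("truncated BER element")
    return tag, buf[pos:pos + length], pos + length

def parse_bind_response(msg: bytes):
    """Return (messageID, resultCode, diagnosticMessage) from a BindResponse."""
    tag, ldap_msg, _ = read_tlv(msg)
    if tag != TAG_SEQUENCE:
        raise ValueError("not an LDAPMessage")
    tag, mid, pos = read_tlv(ldap_msg)
    tag2, result, _ = read_tlv(ldap_msg, pos)
    if tag != TAG_INTEGER or tag2 != TAG_BIND_RESPONSE:
        raise ValueError("expected messageID followed by BindResponse")
    tag, code, pos = read_tlv(result)            # LDAPResult.resultCode
    if tag != TAG_ENUMERATED:
        raise ValueError("missing resultCode")
    _, _matched_dn, pos = read_tlv(result, pos)  # LDAPResult.matchedDN
    _, diag, _ = read_tlv(result, pos)           # LDAPResult.diagnosticMessage
    return (int.from_bytes(mid, "big", signed=True),
            int.from_bytes(code, "big", signed=True),
            diag.decode("utf-8", "replace"))

def recv_ldap_message(sock) -> bytes:
    """Read exactly one BER-framed LDAPMessage (recv() may return partial data)."""
    def exact(n):
        buf = b""
        while len(buf) < n:
            chunk = sock.recv(n - len(buf))
            if not chunk:
                raise ConnectionError("connection closed mid-message")
            buf += chunk
        return buf
    head = exact(2)
    length = head[1]
    if length & 0x80:
        extra = exact(length & 0x7F)
        head, length = head + extra, int.from_bytes(extra, "big")
    return head + exact(length)

def simple_bind(dc_host: str, bind_dn: str, password: str, use_ldaps: bool = True, timeout=5.0):
    """Authenticate one AD user; returns (resultCode, diagnosticMessage).
    LDAPS (636): TLS with certificate and hostname verification against the system trust store
    (add ctx.load_verify_locations(cafile=...) for an internal CA). Plain LDAP (389): the same
    BindRequest bytes, password included, travel in cleartext. dc_host/bind_dn/password are placeholders."""
    sock = socket.create_connection((dc_host, 636 if use_ldaps else 389), timeout=timeout)
    if use_ldaps:
        ctx = ssl.create_default_context()   # CERT_REQUIRED and check_hostname=True
        sock = ctx.wrap_socket(sock, server_hostname=dc_host)
    with sock:
        sock.sendall(bind_request(1, bind_dn, password))
        mid, code, diag = parse_bind_response(recv_ldap_message(sock))
    if mid != 1:
        raise ValueError("response messageID does not match the request")
    return code, diag
```

Calling `simple_bind("dc01.example.local", "CN=DME_Server,CN=Users,DC=example,DC=local", password)` returns `(0, '')` on success and `(49, diagnostic)` for invalidCredentials, where AD's diagnostic string carries a data code (52e for a wrong password, 775 for a locked account) that says why. If the domain controller's certificate is issued by an internal CA, load that CA into the context rather than disabling verification; a connector that skips certificate checks on port 636 gives up most of what LDAPS adds over port 389.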