Securing MPS to Back-end System Communications

The MPF Engine servers communicate with various back-end systems through MPF Providers. Hosted Messaging and Collaboration ships 23 providers that use various protocols or APIs to perform actions both locally and on remote servers. A Service Provider should take steps to ensure that this communication cannot be inspected, redirected, or modified by rogue users or systems. Actions such as the following should be taken:

  • Configure firewalls to allow connections only between the MPF Engine server and the servers it must reach to perform the necessary provisioning actions.

  • Explicitly disallow MPF Engine servers from connecting to any servers outside of your data center.

  • Configure firewall rules to ensure that only the necessary protocols are open between the MPF Engine and provisioned servers. The table below lists the APIs or protocols used by each provider; it may be helpful in defining firewall rules.

| Provider Name | Protocol/API | Notes |
|---|---|---|
| Active Directory Provider | System.DirectoryServices | |
| BlockModelRMO | System.Data.SQLClient | |
| Command Line Provider | CreateProcess (Local Only) | |
| Computer Management Provider | System.DirectoryServices; native Advapi32 methods (LSA*) (interop) | |
| CoreRMO | System.Data.SQLClient | |
| DNS Provider | HTTPS (remote); WMI (local) | The DNS provider has a .NET remoting component that must be installed on each target DNS server. |
| Error Provider | (Local Only) | |
| Exchange 2007 Mobility Provider | PowerShell Exchange 2007 cmdlets | |
| Exchange 2007 Provider | System.DirectoryServices; PowerShell Exchange 2007 cmdlets | |
| File System Provider | (Local Only) Various file I/O and security APIs | |
| FrontPage Provider | System.Web.Services.Protocols | |
| IIS Provider | System.DirectoryServices; IISOle | |
| Office Communications Server Provider | System.DirectoryServices; WMI | |
| PowerShell Provider | (Local Only) PowerShell | |
| Registry Provider | Microsoft.Win32.Registry* | |
| Scripting Provider | IActiveScript (interop) | |
| SharePoint2007Provider | HTTPS (remote); Microsoft.SharePoint class library (local) | The SharePoint2007 Provider has a Web Service component that must be installed on a SharePoint Server; remote MPF Engines use HTTPS to connect to this Web Service. |
| SMTP Mail Provider | System.Net.Mail.SMTPClient | |
| SQL Admin Provider | System.Data.SQLClient | |
| SQL Provider | OLEDB | |
| Unified Messaging 2007 Provider | PowerShell Exchange 2007 cmdlets | |
| Windows Installer Provider | WMI | |
| XML File Provider | (Local Only) System.IO; System.XML | |
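The following is an added example, not part of the Hosted Messaging and Collaboration documentation, showing how the three bullets above translate into host firewall rules on an MPF Engine server: outbound is blocked by default so the engine cannot reach hosts outside the data center, and only the remote protocols from the table are allowed to the specific provisioned servers. It assumes Windows Firewall with Advanced Security (netsh advfirewall); the host addresses are placeholders and the port numbers are protocol defaults, not values from the documentation.

```powershell
# Added example (not HMC/MPF product code). Assumes netsh advfirewall on the MPF Engine server.
# Remote addresses below are placeholders; ports are protocol defaults and must be verified
# against each target (for example, a named SQL instance does not listen on 1433).
$providerFlows = @(
    # Rule name                              Target server (placeholder)  Port   Provider / API from the table
    @{ Name = 'MPF-CoreRMO-BlockModelRMO-SQL'; Remote = '10.0.1.10';       Port = 1433 }, # System.Data.SQLClient, default instance (assumed)
    @{ Name = 'MPF-SQLAdmin-SQL';              Remote = '10.0.1.10';       Port = 1433 }, # SQL Admin Provider
    @{ Name = 'MPF-SharePoint2007-WebService'; Remote = '10.0.1.20';       Port = 443  }, # HTTPS to the provider's Web Service component
    @{ Name = 'MPF-DNS-Remoting';              Remote = '10.0.1.30';       Port = 443  }, # HTTPS to the .NET remoting component
    @{ Name = 'MPF-SMTP-Mail';                 Remote = '10.0.1.40';       Port = 25   }, # System.Net.Mail.SMTPClient (assumed default port)
    @{ Name = 'MPF-ActiveDirectory-LDAP';      Remote = '10.0.1.5';        Port = 389  }  # System.DirectoryServices (LDAP; use 636 if LDAPS is enforced)
)

# Weak setting: the default profile allows all outbound traffic, so a compromised engine could
# reach any host, including systems outside the data center.
# Corrected setting: block inbound and outbound by default, then allow only the listed flows.
netsh advfirewall set allprofiles firewallpolicy blockinbound,blockoutbound

foreach ($flow in $providerFlows) {
    netsh advfirewall firewall add rule `
        "name=$($flow.Name)" dir=out action=allow protocol=TCP `
        "remoteip=$($flow.Remote)" "remoteport=$($flow.Port)"
}

# Providers that use WMI against remote hosts (for example Office Communications Server,
# Windows Installer) need DCOM: TCP 135 plus the RPC dynamic port range on the target.
# Restrict that range on the target server rather than opening a wide port span here.
# Domain membership traffic (DNS, Kerberos, LDAP to domain controllers) also needs explicit
# allow rules once outbound is blocked by default; those are out of scope for this example.

# Verify that only the expected outbound allow rules exist.
netsh advfirewall firewall show rule name=all dir=out
```

Providers marked "(Local Only)" in the table, such as the Command Line, File System, Registry and XML File providers, generate no network traffic and therefore need no rule.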