Firewall Wizards mailing list archives

RE: Exchange 2000 and SonicWALL


From: Frank Knobbe <FKnobbe () KnobbeITS com>
Date: Mon, 25 Feb 2002 09:06:08 -0600

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

-----Original Message-----
From: Volker Tanger [mailto:volker.tanger () discon de]
Sent: Monday, February 25, 2002 2:01 AM

If you want full MSX functionality
      - won't work in NAT mode
      - allow NBT (UDP/137-138, TCP/139) from LAN to MSX
      - allow MS-RPC (TCP/135) from LAN to MSX
      - allow RPC-Reply (i.e. ANY !) from MSX to LAN

The last rule is why you won't want to place a MSX server into a DMZ - because you get no additional protection from it.


This is not quite true. By default, the ports used by the Directory
and Information Store are allocated dynamically and queried by the
client with RPC. However, you can set these ports to static ports.
That allows you to create the following rules:

Client -> Server:
RPC (135/TCP), Static Directory (i.e. 61234/TCP), Static Information
Store (i.e. 61235/TCP)

Server -> Domain controller:
NBT (137/138/139 as listed above)

If the server also needs to talk to other Exchange servers (i.e.
Public Folders), you need to add rules for them as well.


Following Registry keys set static ports for Directory and Info
Store:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MSExchangeDS\Parameters:
add a value 'TCP/IP Port' (without quotes) of type DWORD and enter
your port number.

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MSExchangeIS\ParametersSystem:
add a value 'TCP/IP Port' of type DWORD and enter your port number.


Above ports should also be fixed for OWA server in a DMZ. That allows
you to control the traffic from the OWA box to the Exchange server
by:

Client -> OWA:
HTTP (80/TCP) and/or HTTPS (443/TCP)

OWA -> Exchange server:
RPC (135/TCP), Static Directory (i.e. 61234/TCP), Static Information
Store (i.e. 61235/TCP)

OWA -> Domain Controllers:
NBT (137/138/139 as listed above)


(OWA boxes behave basically like clients)


Regards,
Frank


-----BEGIN PGP SIGNATURE-----
Version: PGP Personal Privacy 6.5.8
Comment: PGP or S/MIME (X.509) encrypted email preferred.

iQA/AwUBPHpS4MzYtOFvgXQfEQJIbwCg/JBtOn76wmJBug0Zf1v1vmVAXP8An05P
aMav+DJWWx7LeSA9LymGRCDo
=2M4J
-----END PGP SIGNATURE-----
_______________________________________________
firewall-wizards mailing list
firewall-wizards () nfr com
http://list.nfr.com/mailman/listinfo/firewall-wizards
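The registry change Frank describes, scripted as an added example that is not part of the original post or of any Microsoft documentation. It writes the two 'TCP/IP Port' DWORD values under the MSExchangeDS and MSExchangeIS keys named in the message, restarts the services, and then checks with netstat that the static ports are actually listening, which is the test you want before tightening the firewall rules. Assumptions not in the post: the port numbers 61234 and 61235 are the post's illustrative values, the service names MSExchangeDS and MSExchangeIS match the registry key names, the script runs in PowerShell as a local Administrator, and netstat -ano is available on the box.

```powershell
# Added example, not code from the original post. Pins the Exchange Directory
# and Information Store RPC endpoints to static ports via the registry keys
# quoted in the message, restarts the services, and verifies the listeners.
# Assumptions (not stated in the post): ports 61234/61235 are the post's
# example values; service names MSExchangeDS/MSExchangeIS match the key names;
# run as a local Administrator; netstat -ano is present.

$static = @{
    'HKLM:\SYSTEM\CurrentControlSet\Services\MSExchangeDS\Parameters'       = 61234  # Directory
    'HKLM:\SYSTEM\CurrentControlSet\Services\MSExchangeIS\ParametersSystem' = 61235  # Information Store
}

foreach ($key in $static.Keys) {
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    # The value name 'TCP/IP Port' contains a slash and a space; it is a
    # literal value name under the key, not a sub-path. DWORD is decimal.
    New-ItemProperty -Path $key -Name 'TCP/IP Port' -PropertyType DWord `
        -Value $static[$key] -Force | Out-Null
}

# Read back what was written before touching the services.
foreach ($key in $static.Keys) {
    $v = (Get-ItemProperty -Path $key -Name 'TCP/IP Port').'TCP/IP Port'
    "{0} -> TCP/IP Port = {1}" -f $key, $v
}

# The RPC endpoint mapper (135/TCP) only advertises the new ports once the
# services have been restarted; -Force also restarts dependent services.
Restart-Service -Name MSExchangeDS, MSExchangeIS -Force

# Verification: each static port must show up as LISTENING. Only once this
# passes does it make sense to replace the 'ANY from MSX to LAN' reply rule
# with 135/TCP plus these two ports from client/OWA to the server.
$listening = netstat -ano | Select-String -Pattern 'LISTENING'
foreach ($port in $static.Values) {
    $hit = $listening | Where-Object { $_ -match ":$port\s" }
    if ($hit) { "port $port is listening: $hit" }
    else      { Write-Warning "port $port is NOT listening; check the service and the key" }
}
```

Clients (and OWA front ends, which behave like clients) still connect to 135/TCP first to ask the endpoint mapper for the Directory and Information Store ports, so 135/TCP stays in the rule set alongside the two static ports; the NBT rules from the server to the domain controllers are unchanged by this.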

