Firewall Wizards mailing list archives

Re: Putting MS servers behind firewalls


From: "Paul D. Robertson" <paul () compuwar net>
Date: Tue, 8 Jun 2004 08:23:23 -0400 (EDT)

On Mon, 7 Jun 2004, Dilan Walgampaya wrote:

> I ran into a problem putting Microsoft Servers behind a firewall. The
> users have to go through the FW to access the servers. The servers I
> wanted to put are on an AD domain. There were AD server, File server and
> an Exchange server. These servers need a large no. of services opened
> for proper operation. The worst is that the exchange server works in a

You're trying to do two mutually incompatible things- Firewalls work by
blocking things- the more they block, the stronger they are.  Microsoft
products "work" by communicating with each other over RPC services, the
more they communicate the better they work.

> dynamic port setup where the server opens a random port for each
> different client. MS site has some registry edits that are supposed to
> correct this dynamic port setup issue. But when I tried these they did
> not work as the document describes.

> Has anybody done this kind of a setup (with other than an ISA server)?
> I am interested in doing this with Netscreen/Pix and Linux IPTables. Any
> help is appreciated.

ISA server theoretically knows enough to proxy the connections- that's
your second-best bet.  Your best bet is to move everything serious behind
the firewall, and put in Citrix or Terminal server, and allow only access
to that service through the firewall.  I'd keep Exchange on the outside
though, since then you're just left with local workstation exposure to
E-mail based malcode.

Paul
-----------------------------------------------------------------------------
Paul D. Robertson      "My statements in this message are personal opinions
paul () compuwar net       which may have no basis whatsoever in fact."
probertson () trusecure com Director of Risk Assessment TruSecure Corporation
_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
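The "allow only the Terminal Server through the firewall" design Paul describes, written out for the Linux iptables case the original poster asked about. This is an added example, not code from the thread or from either participant: the user subnet (10.10.0.0/24) and Terminal Server address (192.0.2.10) are constructed placeholders, and the script only prints the ruleset by default so it can be reviewed before anything is applied.

```shell
#!/bin/sh
# Added example (not from the original thread): a FORWARD-chain ruleset for a
# Linux iptables firewall between the user network and the server segment.
# Instead of opening the AD/Exchange RPC port ranges, it admits exactly one
# service, Terminal Server (RDP, TCP/3389), to one host, and logs every other
# forwarded packet it drops.  Addresses below are constructed placeholders.

USERNET="${USERNET:-10.10.0.0/24}"   # assumed user-side subnet
TSHOST="${TSHOST:-192.0.2.10}"       # assumed Terminal Server address

# gen_rules USERNET TSHOST
# Emit the ruleset one command per line.  Printing rather than applying lets
# the set be reviewed or diffed against the running configuration first.
gen_rules() {
    usernet="$1"
    tshost="$2"
    cat <<EOF
iptables -P FORWARD DROP
iptables -F FORWARD
iptables -A FORWARD -m state --state INVALID -j DROP
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -s $usernet -d $tshost -p tcp --dport 3389 --syn -m state --state NEW -j ACCEPT
iptables -A FORWARD -j LOG --log-prefix FW-FWD-DROP: --log-level 4
iptables -A FORWARD -j DROP
EOF
}

# count_new_accepts USERNET TSHOST
# Number of rules that admit NEW connections.  For this design the answer
# must be exactly 1; anything more means a second service has crept in.
count_new_accepts() {
    gen_rules "$1" "$2" | grep -c -- '--state NEW -j ACCEPT'
}

# apply_rules USERNET TSHOST
# Feed each generated line to the shell.  Only meaningful as root on the
# firewall itself; the default invocation below never calls it.
apply_rules() {
    gen_rules "$1" "$2" | while IFS= read -r line; do
        eval "$line"
    done
}

# Stand-alone run: show the ruleset for review.
gen_rules "$USERNET" "$TSHOST"
```

The default policy is set to DROP before the chain is flushed, so there is no window during a reload in which forwarding is wide open. The single ACCEPT for NEW state is the only place a service is named; anything an AD or Exchange client would need on the server segment stays closed, which is the point of terminating users on the Terminal Server instead.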