Firewall Wizards mailing list archives
RE: Exchange 2000 and SonicWALL
From: Frank Knobbe <FKnobbe () KnobbeITS com>
Date: Mon, 25 Feb 2002 09:06:08 -0600
-----Original Message-----
From: Volker Tanger [mailto:volker.tanger () discon de]
Sent: Monday, February 25, 2002 2:01 AM

If you want full MSX functionality - won't work in NAT mode
- allow NBT (UDP/137-138, TCP/139) from LAN to MSX
- allow MS-RPC (TCP/135) from LAN to MSX
- allow RPC-Reply (i.e. ANY !) from MSX to LAN

The last rule is why you won't want to place a MSX server into a DMZ - because you get no additional protection from it.
This is not quite true. By default, the ports used by the Directory and Information Store are allocated dynamically and queried by the client with RPC. However, you can set these ports to static ports. That allows you to create the following rules:

Client -> Server: RPC (135/TCP), Static Directory (i.e. 61234/TCP), Static Information Store (i.e. 61235/TCP)
Server -> Domain controller: NBT (137/138/139 as listed above)

If the server also needs to talk to other Exchange servers (i.e. Public Folders), you need to add rules for them as well.

The following Registry keys set static ports for Directory and Info Store:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MSExchangeDS\Parameters: add a value 'TCP/IP Port' (without quotes) of type DWORD and enter your port number.

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MSExchangeIS\ParametersSystem: add a value 'TCP/IP Port' of type DWORD and enter your port number.

The above ports should also be fixed for an OWA server in a DMZ. That allows you to control the traffic from the OWA box to the Exchange server by:

Client -> OWA: HTTP (80/TCP) and/or HTTPS (443/TCP)
OWA -> Exchange server: RPC (135/TCP), Static Directory (i.e. 61234/TCP), Static Information Store (i.e. 61235/TCP)
OWA -> Domain Controllers: NBT (137/138/139 as listed above)

(OWA boxes behave basically like clients)

Regards,
Frank

_______________________________________________
firewall-wizards mailing list
firewall-wizards () nfr com
http://list.nfr.com/mailman/listinfo/firewall-wizards
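The static-port rule set Frank describes, modelled as an added example that is not part of the post: it emits the two registry values as .reg text and checks sample flows against the resulting allow-list, showing that once the Directory and Information Store ports are pinned, no "ANY from MSX to LAN" rule is needed. The zone names (LAN, MSX, DC, OWA) and the dynamic-port sample flow are constructed for illustration; the registry paths and example ports are the ones from the post.

```python
# Added example (not from the post): model the static-port Exchange rule set
# and check flows against it. Zone names and sample flows are constructed.
from collections import namedtuple

Rule = namedtuple("Rule", "src dst proto port")
NBT = [("udp", 137), ("udp", 138), ("tcp", 139)]   # NetBIOS over TCP/IP
DS_KEY = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MSExchangeDS\Parameters"
IS_KEY = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MSExchangeIS\ParametersSystem"


def check_ports(ds_port, is_port):
    """Static ports must be distinct, unprivileged and inside the TCP range."""
    for p in (ds_port, is_port):
        if not 1024 <= p <= 65535:
            raise ValueError(f"port {p} outside 1024-65535")
    if ds_port == is_port:
        raise ValueError("Directory and Information Store need different ports")


def reg_export(ds_port, is_port):
    """Return .reg text fixing the Directory and Information Store ports (DWORD, hex)."""
    check_ports(ds_port, is_port)
    return (
        "Windows Registry Editor Version 5.00\r\n\r\n"
        f'[{DS_KEY}]\r\n"TCP/IP Port"=dword:{ds_port:08x}\r\n\r\n'
        f'[{IS_KEY}]\r\n"TCP/IP Port"=dword:{is_port:08x}\r\n'
    )


def build_rules(ds_port, is_port, owa=True):
    """Allow-list from the post: clients (and OWA) reach the server only on 135/TCP
    plus the two static ports; server and OWA reach the DC on NBT. No reply-ANY rule."""
    check_ports(ds_port, is_port)
    rpc = [("tcp", 135), ("tcp", ds_port), ("tcp", is_port)]
    rules = [Rule("LAN", "MSX", pr, po) for pr, po in rpc]
    rules += [Rule("MSX", "DC", pr, po) for pr, po in NBT]
    if owa:
        rules += [Rule("LAN", "OWA", "tcp", 80), Rule("LAN", "OWA", "tcp", 443)]
        rules += [Rule("OWA", "MSX", pr, po) for pr, po in rpc]
        rules += [Rule("OWA", "DC", pr, po) for pr, po in NBT]
    return rules


def allowed(rules, src, dst, proto, port):
    """Allow-list lookup: anything not explicitly listed is denied."""
    return any(r == Rule(src, dst, proto, port) for r in rules)


if __name__ == "__main__":
    rules = build_rules(61234, 61235)
    # A dynamically assigned RPC endpoint (e.g. 1025/tcp) is denied; static ports pass.
    for flow in [("LAN", "MSX", "tcp", 61234), ("LAN", "MSX", "tcp", 1025)]:
        print(flow, "ALLOW" if allowed(rules, *flow) else "DENY")
```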
Current thread:
- Exchange 2000 and SonicWALL Alex Randjelovic (Feb 23)
- Re: Exchange 2000 and SonicWALL Volker Tanger (Feb 25)
- <Possible follow-ups>
- Re: Exchange 2000 and SonicWALL Tony Howlett (Feb 24)
- RE: Exchange 2000 and SonicWALL Frank Knobbe (Feb 25)
- RE: Exchange 2000 and SonicWALL Frank Knobbe (Feb 25)