Firewall Wizards mailing list archives
Re: Putting MS servers behind firewalls
From: <firewalladmin () bellsouth net>
Date: Mon, 7 Jun 2004 13:35:34 -0400
Hi Dilan:

Yes, you have a dilemma by putting MS servers behind an internal firewall. A few tips are the best I can offer, and forgive me if these are very general in nature and you may already know this:

1. MS uses the dangerous NetBIOS ports extensively, which you would need to allow inbound to the servers. These include TCP ports 135, 139, 445 and 1045 along with UDP ports 137 and 138.
2. You need to allow the obvious DNS UDP 53 in/out for name lookups.
3. You need to allow inbound TCP 25 to the Exchange server (at least).
4. I would allow the "established connection" outbound rule for the random port problem and see if it works. That way, a client connects to the mail server on an allowed port (25) and regardless of the reply port Exchange sets up, the firewall should know that is an "established" connection (also known as stateful inspection) and allow the traffic to pass.
5. Run TCPDump or Ethereal on your firewall to test the connections and see what else is going on that you may want to allow/disallow.

Hope this helps a little. [:o)

Mark

============================================================
From: Dilan Walgampaya <Dilan () dpitl com>
Date: 2004/06/07 Mon AM 02:23:34 EDT
To: firewall-wizards () honor icsalabs com
Subject: [fw-wiz] Putting MS servers behind firewalls

Hi Wizards,

I ran into a problem putting Microsoft servers behind a firewall. The users have to go through the FW to access the servers. The servers I wanted to put are on an AD domain. There were an AD server, a file server and an Exchange server. These servers need a large no. of services opened for proper operation. The worst is that the Exchange server works in a dynamic port setup where the server opens a random port for each different client. The MS site has some registry edits that are supposed to correct this dynamic port setup issue. But when I tried these they did not work as the document describes. Has anybody done this kind of a setup (with other than an ISA server)?

I am interested in doing this with Netscreen/Pix and Linux IPTables. Any help is appreciated.

Thanks in advance
Dilan
_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
============================================================

Mark F. MCP, CCNA
"You can spend your life any way you want... But you can only spend it once."
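An added example, not part of the original message: a shell function that prints an iptables-restore fragment covering tips 1 to 4 for a Linux iptables firewall, plus a logging rule to support the packet review in tip 5. The networks and the Exchange address are constructed placeholders; the ports are the ones listed in the message.

```shell
#!/bin/sh
# Added example, not from the thread. Addresses are constructed placeholders.
CLIENT_NET="${CLIENT_NET:-10.0.1.0/24}"   # assumed user LAN
SERVER_NET="${SERVER_NET:-10.0.2.0/24}"   # assumed AD / file / Exchange segment
EXCHANGE="${EXCHANGE:-10.0.2.25}"         # assumed Exchange server address

# Ports exactly as listed in the message (tip 1).
MS_TCP_PORTS="135,139,445,1045"
MS_UDP_PORTS="137,138"

# Print an iptables-restore fragment for the FORWARD chain (default deny).
emit_rules() {
    cat <<EOF
*filter
:FORWARD DROP [0:0]
# Tip 4: packets belonging to connections conntrack already tracks pass
# in both directions, so reply traffic needs no per-port rule.
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -m conntrack --ctstate INVALID -j DROP
# Tip 1: new client connections to the MS service ports.
-A FORWARD -s $CLIENT_NET -d $SERVER_NET -p tcp -m multiport --dports $MS_TCP_PORTS -m conntrack --ctstate NEW -j ACCEPT
-A FORWARD -s $CLIENT_NET -d $SERVER_NET -p udp -m multiport --dports $MS_UDP_PORTS -j ACCEPT
# Tip 2: DNS lookups into and out of the server segment.
-A FORWARD -s $CLIENT_NET -d $SERVER_NET -p udp --dport 53 -j ACCEPT
-A FORWARD -s $SERVER_NET -p udp --dport 53 -j ACCEPT
# Tip 3: SMTP to the Exchange server.
-A FORWARD -s $CLIENT_NET -d $EXCHANGE -p tcp --dport 25 -m conntrack --ctstate NEW -j ACCEPT
# Tip 5 aid: a NEW connection to any port not listed above reaches this
# rule, is logged (rate limited) and then hits the DROP policy.
-A FORWARD -m limit --limit 10/min -j LOG --log-prefix "fwd-drop: "
COMMIT
EOF
}

# Print the fragment so it can be reviewed before it is loaded.
emit_rules
```

The script only prints the ruleset; the "fwd-drop:" log lines then show which additional ports clients attempt to reach, alongside a TCPDump or Ethereal capture.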