RE: Putting MS servers behind firewalls

["Melson, Paul" <PMelson () sequoianet com>]

Yes, but it's god-awful and relatively insecure, especially since most
of the services that must talk bi-directionally through the firewall
have been attack vectors for recent worms.  In addition to DNS,
Kerberos, LDAP, and NetBIOS (135-139, 445), you will also need to
statically assign DCOM/RPC ports.  Sounds like you've already tried
this.  I've had a reasonable amount of success with this for both
Exchange and BackupExec.  Link here:

http://www.microsoft.com/com/wpaper/dcomfw.asp

PaulM


> -----Original Message-----
> From: Dilan Walgampaya [mailto:Dilan () dpitl com] 
> Sent: Monday, June 07, 2004 2:24 AM
> To: firewall-wizards () honor icsalabs com
> Subject: [fw-wiz] Putting MS servers behind firewalls
>
>
> Hi Wizards,
>
>       I ran in to a problem putting Microsoft Servers behind 
> a firewall. The 
> users has to go through the FW to access the servers. The servers I 
> wanted to put are on an AD domain. There were AD server, File 
> server and 
> an Exchange server. These servers need a large no. of services opened 
> for proper operation. The worse is that exchange server work in a 
> dynamic port setup where the server opens a random port for each 
> different client. MS site has some registry edits that is supposed to 
> correct this dynamic port setup issue. But when I tried these 
> they did 
> not work as per the document describes.
>
>       Has anybody done this kind of a setup (with other than 
> an ISA server). 
> I am interested in doing this with Netscreen/Pix and Linux 
> IPTables. Any 
> help is appreciated.
>
>
>
> Thanks in advance
>
> Dilan
> _______________________________________________
> firewall-wizards mailing list firewall-wizards () honor icsalabs com
> http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards