Re: Putting MS servers behind firewalls

[Victor Williams <vbwilliams () neb rr com>]

I don't agree.  You can force Microsoft stuff to do static ports...and 
you'd have to do the same with ANY architecture you 
used...regardless...unless you're going to plant Exchange servers in 
every local subnet you have.

And what he's trying to accomplish is no different than an access list 
on a router on a segregated LAN.

One thing you can do if you're running AD with Windows 2000/XP clients 
is turn off all insecure services and only allow their SSL'ed/encrypted 
counterparts.  This requires a registry change on the server(s) in 
question...to force client connections on secure ports, otherwise refuse 
them.  You can do that with any AD server or Exchange 2000+ for that 
matter...it's a pretty easy deal.  Plenty of Microsoft articles 
addressing it.

> Mark Gumennik wrote:
>
> > Dilan,
> > Consider re-thinking your architecture.
> > Opening MS ports on a fw is practically the same as not having a fw
> > If you're paranoid about users pinging your servers and such put a router
> > ACL with restriction of certain ports
> > Keep in mind that this router (or a fw in your case) becomes a backbone
> > (bottleneck) of your LAN
> > Best of all just put Exchange bridgehead behind a fw (DMZ), open port 
> > 25 to
> > it and put all AD servers on a regular LAN
> > Mark G
> >
> > -----Original Message-----
> > From: firewall-wizards-admin () honor icsalabs com
> > [mailto:firewall-wizards-admin () honor icsalabs com] On Behalf Of Dilan
> > Walgampaya
> > Sent: Monday, June 07, 2004 2:24 AM
> > To: firewall-wizards () honor icsalabs com
> > Subject: [fw-wiz] Putting MS servers behind firewalls
> >
> > Hi Wizards,
> >
> > I ran in to a problem putting Microsoft Servers behind a firewall.
> > The
> > users has to go through the FW to access the servers. The servers I
> > wanted to put are on an AD domain. There were AD server, File server and
> > an Exchange server. These servers need a large no. of services opened
> > for proper operation. The worse is that exchange server work in a
> > dynamic port setup where the server opens a random port for each
> > different client. MS site has some registry edits that is supposed to
> > correct this dynamic port setup issue. But when I tried these they did
> > not work as per the document describes.
> >
> > Has anybody done this kind of a setup (with other than an ISA
> > server).
> > I am interested in doing this with Netscreen/Pix and Linux IPTables. Any
> > help is appreciated.
> >
> >
> >
> > Thanks in advance
> >
> > Dilan
> > _______________________________________________
> > firewall-wizards mailing list
> > firewall-wizards () honor icsalabs com
> > http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
> >
> >
> > _______________________________________________
> > firewall-wizards mailing list
> > firewall-wizards () honor icsalabs com
> > http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards