Firewall Wizards mailing list archives
Re: Putting MS servers behind firewalls
From: Victor Williams <vbwilliams () neb rr com>
Date: Tue, 08 Jun 2004 12:55:15 -0500
I don't agree. You can force Microsoft stuff to do static ports...and you'd have to do the same with ANY architecture you used...regardless...unless you're going to plant Exchange servers in every local subnet you have.
And what he's trying to accomplish is no different than an access list on a router on a segregated LAN.
One thing you can do if you're running AD with Windows 2000/XP clients is turn off all insecure services and only allow their SSL'ed/encrypted counterparts. This requires a registry change on the server(s) in question...to force client connections on secure ports, otherwise refuse them. You can do that with any AD server or Exchange 2000+ for that matter...it's a pretty easy deal. Plenty of Microsoft articles addressing it.
Mark Gumennik wrote:Dilan, Consider re-thinking your architecture. Opening MS ports on a fw is practically the same as not having a fw If you're paranoid about users pinging your servers and such put a router ACL with restriction of certain ports Keep in mind that this router (or a fw in your case) becomes a backbone (bottleneck) of your LANBest of all just put Exchange bridgehead behind a fw (DMZ), open port 25 toit and put all AD servers on a regular LAN Mark G -----Original Message----- From: firewall-wizards-admin () honor icsalabs com [mailto:firewall-wizards-admin () honor icsalabs com] On Behalf Of Dilan Walgampaya Sent: Monday, June 07, 2004 2:24 AM To: firewall-wizards () honor icsalabs com Subject: [fw-wiz] Putting MS servers behind firewalls Hi Wizards, I ran in to a problem putting Microsoft Servers behind a firewall. The users has to go through the FW to access the servers. The servers I wanted to put are on an AD domain. There were AD server, File server and an Exchange server. These servers need a large no. of services opened for proper operation. The worse is that exchange server work in a dynamic port setup where the server opens a random port for each different client. MS site has some registry edits that is supposed to correct this dynamic port setup issue. But when I tried these they did not work as per the document describes. Has anybody done this kind of a setup (with other than an ISA server). I am interested in doing this with Netscreen/Pix and Linux IPTables. Any help is appreciated. Thanks in advance Dilan _______________________________________________ firewall-wizards mailing list firewall-wizards () honor icsalabs com http://honor.icsalabs.com/mailman/listinfo/firewall-wizards _______________________________________________ firewall-wizards mailing list firewall-wizards () honor icsalabs com http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
_______________________________________________ firewall-wizards mailing list firewall-wizards () honor icsalabs com http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
Current thread:
- Putting MS servers behind firewalls Dilan Walgampaya (Jun 07)
- Re: Putting MS servers behind firewalls Luca Berra (Jun 08)
- Re: Putting MS servers behind firewalls Paul D. Robertson (Jun 08)
- Re: Putting MS servers behind firewalls Devdas Bhagat (Jun 08)
- Re: Putting MS servers behind firewalls Tichomir Kotek (Jun 09)
- Re: Putting MS servers behind firewalls Devdas Bhagat (Jun 08)
- Re: Putting MS servers behind firewalls Dave Piscitello (Jun 08)
- RE: Putting MS servers behind firewalls Mark Gumennik (Jun 08)
- RE: Putting MS servers behind firewalls Paul D. Robertson (Jun 08)
- Re: Putting MS servers behind firewalls Dan Harp (Jun 08)
- Message not available
- Re: Putting MS servers behind firewalls Victor Williams (Jun 08)
- <Possible follow-ups>
- RE: Putting MS servers behind firewalls Michael H (Jun 07)
- More infor - Re: Putting MS servers behind firewalls Dilan Walgampaya (Jun 08)
- Re: Putting MS servers behind firewalls firewalladmin (Jun 07)
- RE: Putting MS servers behind firewalls Melson, Paul (Jun 08)
- RE: Putting MS servers behind firewalls Kelly, Chris W. (Jun 08)
- Re: Putting MS servers behind firewalls Johann_van_Duyn (Jun 09)