Firewall Wizards mailing list archives
Re: Putting MS servers behind firewalls
From: Johann_van_Duyn () bat com
Date: Wed, 9 Jun 2004 10:32:04 +0200
Hmmm... IPSec won't help much against compromised internal hosts, if that is what the original post seeks to address. How about putting an app proxy firewall (careful... possible latency issues here...) between the servers and the workstations, and set MS Exchange to communicate on specific ports (this can be done via registry settings, as I remember...) rather than promiscuously assigning RPC ports? Then you set the firewall to pass CIFS (or SMB, depending on what the specific firewall calls it...) traffic between the workstation network and the server network, and ditto for traffic on the ports you limit Exchange to using. The CIFS proxy will deal with File and Print as well as AD, while a custom protocol will deal with Exchange.

I have something similar (just Notes instead of Exchange) between our country office and head office, and it works very well (with a Symantec Gateway Security appliance with firewall (Symantec Enterprise Firewall), IDS/IPS and AV switched on). If you get a multi-function appliance with proxy firewall, IDS/IPS and AV scanning (for WWW, FTP and SMTP) enabled, you will be protecting your servers fairly well, if your configurations are anywhere near sane.

Caveat: some app proxy firewalls may need some tuning in order to prevent possible DoS due to the sheer volume of UDP traffic that AD can generate.

A good idea may be to set up a mini-lab with 3 workstations and an Exchange/AD/Fileserver, and test a few configurations with demo versions of various firewalls and appliances... this should give you a feel for what can realistically be done.
Cheers

--------------------------------------------------------
J o h a n n v a n D u y n, CISSP
--------------------------------------------------------
"A human being should be able to change a diaper, plan an invasion, butcher a hog, conn a ship, design a building, write a sonnet, balance accounts, build a wall, set a bone, comfort the dying, take orders, give orders, cooperate, act alone, solve equations, analyze a new problem, pitch manure, program a computer, cook a tasty meal, fight efficiently, die gallantly. Specialization is for insects." -- Robert Heinlein

"Dan Harp" <danh () brenius net>
Sent by: firewall-wizards-admin () honor icsalabs com
08-06-2004 18:28
To: firewall-wizards () honor icsalabs com
cc:
Subject: Re: [fw-wiz] Putting MS servers behind firewalls

I would recommend using IPSec if you want to lock down communication between servers and workstations. Have a look at this:
http://hfnetchk.shavlik.com/support/ipsec_scan.pdf

- Dan

<snip!>
Subject: [fw-wiz] Putting MS servers behind firewalls

Hi Wizards,

I ran into a problem putting Microsoft Servers behind a firewall. The users have to go through the FW to access the servers. The servers I wanted to put are on an AD domain. There were an AD server, a File server and an Exchange server. These servers need a large no. of services opened for proper operation. The worst is that the Exchange server works in a dynamic port setup where the server opens a random port for each different client. The MS site has some registry edits that are supposed to correct this dynamic port setup issue. But when I tried these they did not work as the document describes.

Has anybody done this kind of a setup (with other than an ISA server)? I am interested in doing this with Netscreen/Pix and Linux IPTables. Any help is appreciated.

Thanks in advance
Dilan
______________________________________________________________________ Confidentiality Notice: The information in this document and attachments is confidential and may also be legally privileged. It is intended only for the use of the named recipient. Internet communications are not secure and therefore British American Tobacco does not accept legal responsibility for the contents of this message. If you are not the intended recipient, please notify us immediately and then delete this document. Do not disclose the contents of this document to any other person, nor take any copies. Violation of this notice may be unlawful. ______________________________________________________________________
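The thread asks for a workstation/server split on Netscreen, PIX or Linux iptables once Exchange has been pinned to fixed ports. The script below is an added example, not something posted in the thread: it generates (rather than applies) an iptables FORWARD policy for a Linux firewall between the two segments, allowing only AD, DNS, CIFS/SMB, the RPC endpoint mapper and the pinned Exchange ports from workstations to servers, with everything else logged and dropped. The network ranges, interface names and the Exchange port numbers (5001-5003) are assumptions; the Exchange values must match whatever was configured in the registry on the server.

```shell
#!/bin/sh
# Added example (not from the thread): emit an iptables FORWARD policy for a
# Linux firewall sitting between a workstation segment and an AD/file/Exchange
# server segment. Only listed services are allowed workstation -> server;
# replies come back via connection tracking, everything else is logged/dropped.
WS_NET="${WS_NET:-10.1.0.0/24}"      # workstation segment (assumed value)
SRV_NET="${SRV_NET:-10.2.0.0/24}"    # server segment (assumed value)
WS_IF="${WS_IF:-eth0}"               # interface facing workstations (assumed)
SRV_IF="${SRV_IF:-eth1}"             # interface facing servers (assumed)
# Exchange store/system-attendant ports after pinning them in the registry.
# These numbers are assumed; use the ones actually configured on the server.
EXCH_TCP_PORTS="${EXCH_TCP_PORTS:-5001 5002 5003}"

# "proto port" pairs: DNS, Kerberos, NTP, RPC endpoint mapper, NetBIOS
# (legacy clients only), LDAP/LDAPS, SMB over TCP and the global catalog.
ad_services() {
cat <<'EOF'
udp 53
tcp 53
udp 88
tcp 88
udp 123
tcp 135
udp 137
udp 138
tcp 139
udp 389
tcp 389
tcp 445
tcp 636
tcp 3268
tcp 3269
EOF
}

# Print the rule set as plain iptables commands so it can be reviewed or
# diffed against the running policy before it is applied.
gen_rules() {
    echo "iptables -P FORWARD DROP"
    echo "iptables -F FORWARD"
    # Return traffic for accepted sessions only; no blanket server->workstation rule.
    echo "iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT"
    echo "iptables -A FORWARD -m state --state INVALID -j DROP"
    ad_services | while read -r proto port; do
        echo "iptables -A FORWARD -i $WS_IF -o $SRV_IF -s $WS_NET -d $SRV_NET -p $proto --dport $port -m state --state NEW -j ACCEPT"
    done
    for port in $EXCH_TCP_PORTS; do
        echo "iptables -A FORWARD -i $WS_IF -o $SRV_IF -s $WS_NET -d $SRV_NET -p tcp --dport $port -m state --state NEW -j ACCEPT"
    done
    # Rate-limited logging of drops makes "which port did I miss" visible.
    echo "iptables -A FORWARD -m limit --limit 5/min -j LOG --log-prefix \"FW-DROP: \""
    echo "iptables -A FORWARD -j DROP"
}

# Number of explicit per-service ACCEPT rules in the generated policy.
count_accepts() {
    gen_rules | grep -c -- '--dport'
}

# Usage: sh fwgen.sh --print > rules.sh ; review rules.sh ; sh rules.sh
if [ "${1:-}" = "--print" ]; then
    gen_rules
fi
```

The generator is deliberately split from application so the rule list can be read, counted and compared against the server's actual listener list; the drop log is what tells you which dynamic RPC port Exchange is still using if the registry pinning did not take.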
Current thread:
- Re: Putting MS servers behind firewalls, (continued)
- Re: Putting MS servers behind firewalls Dave Piscitello (Jun 08)
- RE: Putting MS servers behind firewalls Mark Gumennik (Jun 08)
- RE: Putting MS servers behind firewalls Paul D. Robertson (Jun 08)
- Re: Putting MS servers behind firewalls Dan Harp (Jun 08)
- Message not available
- Re: Putting MS servers behind firewalls Victor Williams (Jun 08)
- RE: Putting MS servers behind firewalls Michael H (Jun 07)
- More infor - Re: Putting MS servers behind firewalls Dilan Walgampaya (Jun 08)
- Re: Putting MS servers behind firewalls firewalladmin (Jun 07)
- RE: Putting MS servers behind firewalls Melson, Paul (Jun 08)
- RE: Putting MS servers behind firewalls Kelly, Chris W. (Jun 08)
- Re: Putting MS servers behind firewalls Johann_van_Duyn (Jun 09)