Re: publications concerning port forwarding



Thomas W Shinder writes:

> This is WRONG. If you have a true application layer inspection firewall
> like the ISA firewall, a single "port" is required.

Leaving lots of trollbait aside:

Port-filtering SMTP, POP3, IMAP, HTTP, HTTPS is a no-brainer. Thus we'll
leave that as a homework exercise for the student. ;-)


The tricky part of port-filtering MSX is allowing the MS-RPC port (tcp/135) and
the corresponding "high ports". This can be done

1.) by using a firewall that has a state engine for MS-RPCs. This applies to the newer MS-ISAs, CheckPoint and experimental Linux netfilter extensions. Please add if you know more.
2.) by allowing tcp/1024-65535 in both directions.
This is not really recommended, as that "hole" is quite a big one.

3.) by allowing a few selected high ports.
MSX can be limited in which ports it uses. That requires a few
registry settings:

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\MSExchangeSA\Parameters
    Name: TCP/IP port
    Value: REG_DWORD (the port number > 1023)

    Name: TCP/IP NSPI port
    Value: REG_DWORD (the port number > 1023)

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\MSExchangeIS\ParametersSystem
    Name: TCP/IP port
    Value: REG_DWORD (the port number > 1023)

You may also need to add
* UDP/TCP 53 (DNS)
* UDP/TCP 88 (Kerberos authentication)
* UDP/TCP 389 (LDAP Access)
* TCP 445 (Microsoft Directory Service)
* TCP 3268 (LDAP to global catalog servers)


This is for generic access. For newer MSX installations you can try to use
Microsoft's RPC-over-HTTP proxy instead, which will obviously need HTTP(S),
i.e. tcp/80 (443).


Bye

Volker
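Editor's note: the following PowerShell script is an added example of option 3 above, not code from Volker's post or from Microsoft. It writes the three registry values the post names (the key paths and value names are taken verbatim from the post) and then prints the inbound allow-list that results, so the "hole" can be compared with option 2's tcp/1024-65535. The port numbers 60000-60002 are constructed sample values, and the script assumes it is run elevated on the Exchange server itself; the Exchange services have to be restarted before the pinned ports take effect.

```powershell
# Added example (not from the original post): pin the Exchange RPC endpoints to
# fixed high ports (option 3) and print the resulting firewall allow-list.
# 60000-60002 are constructed sample values; choose your own ports above 1023.
# Run elevated on the Exchange server; restart the Exchange services afterwards.
param(
    [ValidateRange(1024, 65535)][int]$SaPort   = 60000,   # MSExchangeSA "TCP/IP port"
    [ValidateRange(1024, 65535)][int]$NspiPort = 60001,   # MSExchangeSA "TCP/IP NSPI port"
    [ValidateRange(1024, 65535)][int]$IsPort   = 60002    # MSExchangeIS "TCP/IP port"
)

# Each service needs its own port; refuse a configuration that reuses one.
$ports = @($SaPort, $NspiPort, $IsPort)
if (($ports | Sort-Object -Unique).Count -ne $ports.Count) {
    throw "The three RPC ports must be distinct."
}

# Registry locations and value names exactly as listed in the post.
$settings = @(
    @{ Path = 'HKLM:\System\CurrentControlSet\Services\MSExchangeSA\Parameters';       Name = 'TCP/IP port';      Value = $SaPort   },
    @{ Path = 'HKLM:\System\CurrentControlSet\Services\MSExchangeSA\Parameters';       Name = 'TCP/IP NSPI port'; Value = $NspiPort },
    @{ Path = 'HKLM:\System\CurrentControlSet\Services\MSExchangeIS\ParametersSystem'; Name = 'TCP/IP port';      Value = $IsPort   }
)

foreach ($s in $settings) {
    if (-not (Test-Path $s.Path)) {
        # Create the key if it is not present yet.
        New-Item -Path $s.Path -Force | Out-Null
    }
    # REG_DWORD value; -Force overwrites an existing value of the same name.
    New-ItemProperty -Path $s.Path -Name $s.Name -PropertyType DWord -Value $s.Value -Force | Out-Null
    Write-Host ("{0}\{1} = {2}" -f $s.Path, $s.Name, $s.Value)
}

# Inbound allow-list for the firewall in front of the Exchange server: the
# endpoint mapper, the three pinned ports, and the supporting services the
# post lists, instead of the whole tcp/1024-65535 range.
$allow = @(
    @{ Proto = 'TCP';     Port = 135;       Use = 'MS-RPC endpoint mapper' },
    @{ Proto = 'TCP';     Port = $SaPort;   Use = 'MSExchangeSA (pinned)' },
    @{ Proto = 'TCP';     Port = $NspiPort; Use = 'MSExchangeSA NSPI (pinned)' },
    @{ Proto = 'TCP';     Port = $IsPort;   Use = 'MSExchangeIS (pinned)' },
    @{ Proto = 'TCP/UDP'; Port = 53;        Use = 'DNS' },
    @{ Proto = 'TCP/UDP'; Port = 88;        Use = 'Kerberos authentication' },
    @{ Proto = 'TCP/UDP'; Port = 389;       Use = 'LDAP access' },
    @{ Proto = 'TCP';     Port = 445;       Use = 'Microsoft Directory Service' },
    @{ Proto = 'TCP';     Port = 3268;      Use = 'LDAP to global catalog servers' }
)
"`nFirewall allow-list (option 3):"
$allow | ForEach-Object { "  {0,-7} {1,-5} {2}" -f $_.Proto, $_.Port, $_.Use }
"Allow-list entries: {0} (option 2 opens {1} TCP ports per direction)" -f $allow.Count, (65535 - 1024 + 1)
```

The script only touches the Exchange side; the allow-list it prints is what you would then encode in whatever firewall sits in front of the server, and a quick check with `netstat -ano` after the service restart confirms the store and system attendant are listening on the pinned ports rather than dynamic ones.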


