Re: Sonicwall Pro 230 DMZ windows authentication problem

From: furgus news (bob_at_furgus.com)
Date: 05/10/03


Date: Sat, 10 May 2003 15:14:24 GMT

I just replaced the w2k dmz machine with an nt4 server, and set up port 25,
135, 137 through 139 and dns between the dmz machine and the domain
controllers and now everything works fine. I expect that once I set the
registry keys to fix the rpc ports, then OWA should work.

This leaves me confused why the w2k server didn't work. I'd found a pair of
technotes on setting up exchange 2000 through a firewall dmz, and it listed
all the ports required. This would have w2k and exchange 2000 communicating
with the lan segment. I opened all these ports and alternatively created a
"default all dmz ->lan" rule but neither worked for windows authentication.
Most confusingly, there were no entries in the log of dropped traffic
between dmz and lan, so it's possible that all ports were open.

Rather than replace the dmz w2k box with another w2k box, I went backwards
to nt4, so I could close all the active directory ports.

What is the best-practice way to set up OWA through a firewall? I'm still
surprised to find no info about this, given the market share of exchange.

"Don Kelloway" <dkelloway@commodon.com> wrote in message
news:qHPua.44$mf1.21@tornadotest1.news.pas.earthlink.net...
> "Don Kelloway" <dkelloway@commodon.com> wrote in message
> news:HEPua.43$mf1.31@tornadotest1.news.pas.earthlink.net...
> > If I am mistaken, I apologize. It was originally stated that this server is
> > part of the domain and that there have been issues authenticating because
> > the server cannot communicate with a Domain Controller (DC) or Active
> > Directory Server (ADS). This is quite opposite of being a standalone
> > server.
> >
> > A standalone server would best be described as a server that does not
> > require the need to login to or be a part of a domain. Hence its ability to
> > "stand alone". A standalone server is one that you would login locally to
> > the server itself.
> >
> > In further respect to your situation and if I understand it correctly.
> > The purpose of the server in the DMZ is to act as an SMTP server for
> > accepting incoming mail from the 'net and subsequently relay the mail (via
> > SMTP) to an MS Exchange server (MSX) located within the LAN. Thus the only
> > protocol required to be passed inbound through the firewall (from the DMZ to
> > the LAN) is SMTP (TCP port 25). Nothing else is required. And as previously
> > stated, to prevent authentication related issues between the server on the
> > DMZ and the DC or ADS, ensure that you login locally to the server on the
> > DMZ.
> >
>
> While I did not specify it, you also need to ensure that the firewall is
> configured to allow SMTP (TCP port 25) from the Internet (WAN) to the DMZ.
>
> --
> Best regards,
> Don Kelloway
> Commodon Communications
>
> Visit http://www.commodon.com to learn about the "Threats to Your Security
> on the Internet".
>
>


