Re: Sonicwall Pro 230 DMZ windows authentication problem
From: David (davidwnh_at_adelphia.net)
Date: 05/11/03
- Next message: David: "Re: Firewall log for BEFSX41"
- Previous message: jean claude: "Re: Norton firewall with norton"
- In reply to: furgus news: "Re: Sonicwall Pro 230 DMZ windows authentication problem"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Sun, 11 May 2003 18:26:51 GMT
> If I continue with the plan to run owa in the dmz and exchange in the lan,
> with exchange on a w2k box, and I'm indifferent (although preferring w2k)
> for the dmz box os, are you saying that I'd be better off with exchange 2000
> over 5.5? This is a company with only three mail accounts for 6 users, with
> minimal requirements, so there's no reason to upgrade unless there are
> compelling security reasons.
With three accounts for six users, upgrading almost anything is not cost
effective, I would think. If you are only giving them additional access from
their homes then you might be able to use packet filters for all of your
server access into the DMZ. If you can packet filter ALL your available
internet access to the DMZ services so that you are not effectively allowing
public access to any of them, then having some of the additional DMZ to LAN
connections for NetBIOS, RPC, AD, etc. is not nearly as bad and can be done
with a lot less risk. If you are looking to give them access from the road,
however, then packet filtering may not be an option, so you would
effectively be setting up the services for public access. You can run the
services on high non standard ports to hide them from the usual automated
scanning tools and worms, which isn't perfect but also severely reduces the
risk associated with what you are trying to do. (This may not be possible
with FTP since NAT translators are used with NAT traversals and are usually
only applied to the normal FTP ports) Otherwise if you are trying to provide
mobile access and hence cannot effectively use packet filtering then setting
up one of your internal servers for RAS dial-ins might be a better solution.
If your mobile users are dialing into ISPs for this then you may not be
reducing the bandwidth available in the first place, and are possibly only
looking at a higher long-distance bill, since RAS comes with the server OS.
Otherwise VPN connections might be feasible if you already have most or all
of the capability.
The Planning Guide for Exchange Server explains the different ports
necessary between the two versions. It's Chapter 10-Planning OWA Access
Servers. I get my info from a Technet Subscription, but this info should be
reproduced somewhere on MS's Technet website. The big difference is that
with Exchange 2000 the fe/be connection works through http/DAV as opposed to
using MAPI.
For Exchange 2K you simply have to look at what each port is for to figure
out how to eliminate its access. OWA queries the global catalog to find the
backend exchange server that has the user store for each specific user
logging in. Since you only have one user store, the lookup is
unnecessary because all OWA access will be retrieving information from the
same backend exchange server and can be "hardcoded". This is also found
somewhere in Technet, and probably also on the MS Technet website.
>
> Is there a techno you can point me to that explains the port requirements
> and the technique for limiting the ports as you describe?
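The trade-off David describes, that DMZ-to-LAN holes for NetBIOS, RPC and AD are tolerable when every Internet-facing DMZ service is packet filtered to known source ranges but not when a service is effectively public, worked through as an added example. This is not code from the thread and not SonicWall Pro 230 configuration: the text rule format, first-match default-deny semantics, the addresses and the handful of DMZ-to-LAN ports are all assumptions chosen to illustrate the reasoning.

```python
# Model a DMZ firewall policy and flag LAN services reachable from a DMZ host
# that is itself open to the whole Internet.  Added example with assumed
# rule syntax, addresses and ports; not SonicWall configuration.
import ipaddress
from collections import namedtuple

ANY = ipaddress.ip_network("0.0.0.0/0")
Rule = namedtuple("Rule", "action proto src dst port")


def parse_policy(text):
    """Parse lines like 'allow tcp 203.0.113.0/24 -> 192.0.2.10/32 443'.
    Assumed semantics: first match wins, anything unmatched is denied."""
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()          # drop comments
        if not line:
            continue
        action, proto, src, arrow, dst, port = line.split()
        if action not in ("allow", "deny") or arrow != "->":
            raise ValueError("bad rule: " + line)
        rules.append(Rule(action, proto, ipaddress.ip_network(src),
                          ipaddress.ip_network(dst), int(port)))
    return rules


def evaluate(rules, src_ip, dst_ip, proto, port):
    """First-match, default-deny decision for one flow."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for r in rules:
        if r.proto == proto and r.port == port and s in r.src and d in r.dst:
            return r.action
    return "deny"


def public_services(rules, host):
    """(proto, port) pairs on `host` that the whole Internet can reach.  The
    first rule for the pair whose source is 0.0.0.0/0 decides; rules with
    narrower sources (home or office ranges) are packet filters, not public
    exposure, and are skipped."""
    h = ipaddress.ip_address(host)
    decided, public = set(), []
    for r in rules:
        key = (r.proto, r.port)
        if h not in r.dst or r.src != ANY or key in decided:
            continue
        decided.add(key)
        if r.action == "allow":
            public.append(key)
    return sorted(public)


def lan_reach(rules, src_host, lan_net):
    """LAN (target, proto, port) flows `src_host` can actually open, honouring
    any earlier deny rule that shadows an allow."""
    lan = ipaddress.ip_network(lan_net)
    reach = set()
    for r in rules:
        if r.action != "allow" or not r.dst.subnet_of(lan):
            continue
        target = r.dst.network_address          # probe the block's first address
        if r.dst.prefixlen < 32:
            target += 1
        if evaluate(rules, src_host, target, r.proto, r.port) == "allow":
            reach.add((str(target), r.proto, r.port))
    return sorted(reach)


def assess(rules, dmz_hosts, lan_net):
    """One finding per LAN hole reachable from a publicly exposed DMZ host;
    a host reachable only from filtered source ranges yields none."""
    findings = []
    for host in dmz_hosts:
        exposed = public_services(rules, host)
        if not exposed:
            continue
        for target, proto, port in lan_reach(rules, host, lan_net):
            findings.append((host, exposed, target, proto, port))
    return findings


# Constructed addresses: 192.0.2.10 is the OWA front end in the DMZ, 10.0.0.5 the
# Exchange back end and 10.0.0.2 the domain controller on the LAN; 203.0.113.0/24
# and 198.51.100.0/24 stand in for the users' home ISP ranges.
DMZ_TO_LAN = """
allow tcp 192.0.2.10/32 -> 10.0.0.5/32 80     # front end to back end over HTTP/DAV
allow tcp 192.0.2.10/32 -> 10.0.0.2/32 3268   # global catalog lookup
allow tcp 192.0.2.10/32 -> 10.0.0.2/32 389    # LDAP to the domain controller
allow tcp 192.0.2.10/32 -> 10.0.0.2/32 135    # RPC endpoint mapper
"""
FILTERED = """
allow tcp 203.0.113.0/24 -> 192.0.2.10/32 443   # OWA only from known home ranges
allow tcp 198.51.100.0/24 -> 192.0.2.10/32 443
deny  tcp 0.0.0.0/0 -> 192.0.2.10/32 443
""" + DMZ_TO_LAN
PUBLIC = """
allow tcp 0.0.0.0/0 -> 192.0.2.10/32 443        # access from the road: OWA open to the world
""" + DMZ_TO_LAN


def filtered_findings():
    return assess(parse_policy(FILTERED), ["192.0.2.10"], "10.0.0.0/24")


def public_findings():
    return assess(parse_policy(PUBLIC), ["192.0.2.10"], "10.0.0.0/24")
```

Running `filtered_findings()` returns nothing: the same four DMZ-to-LAN rules exist, but no DMZ host is reachable from an arbitrary Internet address, so they are not findings. `public_findings()` returns one entry per LAN port, because once OWA on 192.0.2.10 is open to the world, each allowed DMZ-to-LAN port is a path an attacker who compromises the front end could use. Hardcoding the single back-end server, as the post suggests, would let the global catalog rule be dropped from DMZ_TO_LAN and shrink that list by one.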