Re: Why is Win Explorer accessing the Net?

From: Walter Roberson (roberson_at_ibd.nrc-cnrc.gc.ca)
Date: 12/23/03

    Date: 23 Dec 2003 17:08:53 GMT
    
    

    In article <vksguv01ig96sqssp41hpjsfh8hqnskh50@4ax.com>,
    Lars M. Hansen <badnews@hansenonline.net> wrote:
    :On 23 Dec 2003 16:02:22 GMT, Walter Roberson spoketh

    :>Now, not having control over the corporate Exchange servers, how
    :>can I configure the client to stop the server from remembering the
    :>ip + port (both of which could have been dynamically allocated) --
    :>or how can I *reasonably* configure a stateful firewall to
    :>recognize this situation and make the appropriate back-connection
    :>even if the public IP has been long ago reallocated?

    :Simple: A client should never connect to Exchange through a firewall. If
    :external users need to connect to Exchange, use VPN.

    My firewalls are also VPN devices, and do exactly the same kind of
    adaptive security on connections over IPSec tunnels as is done
    for non-tunneled connections. Also, using a VPN would not solve
    the issue that the public IP address might have changed.

    If I understand correctly, you are suggesting that the way to
    "secure" this MS product is to construct a LAN to LAN VPN that
    presents internal IP addresses to both sides, and which deliberately
    has adaptive security disabled for the tunnel, allowing -all-
    connections through the tunnel? Doesn't sound very secure to me.
    (No, I don't particularly trust the corporate Exchange servers.)

    Or are you suggesting that rather than a LAN to LAN VPN, that I should
    be installing VPN client software on each of the user machines and have
    that connect through to the server? This possibility would not
    offer any relief to the issue that the Exchange (pre-AD) server wants
    to be able to connect back to the client at arbitrary times
    several days later -- not, that is, unless the clients are to be
    expected to maintain permanent host->server VPN connections just
    in case the Exchange server wants to chat.

    -- 
    100% of all human deaths occur within 100 miles of Earth.
    
