Re: Why is Win Explorer accessing the Net?

From: Lars M. Hansen (badnews_at_hansenonline.net)
Date: 12/23/03


Date: Tue, 23 Dec 2003 17:36:51 GMT

On 23 Dec 2003 17:08:53 GMT, Walter Roberson spoketh

>In article <vksguv01ig96sqssp41hpjsfh8hqnskh50@4ax.com>,
>Lars M. Hansen <badnews@hansenonline.net> wrote:
>:On 23 Dec 2003 16:02:22 GMT, Walter Roberson spoketh
>
>
>:>Now, not having control over the corporate Exchange servers, how
>:>can I configure the client to stop the server from remembering the
>:>ip + port (both of which could have been dynamically allocated) --
>:>or how can I *reasonably* configure a stateful firewall to
>:>recognize this situation and make the appropriate back-connection
>:>even if the public IP has been long ago reallocated?
>
>:Simple: A client should never connect to Exchange through a firewall. If
>:external users need to connect to Exchange, use VPN.
>
>My firewalls are also VPN devices, and do exactly the same kind of
>adaptive security on connections over IPSec tunnels as is done
>for non-tunneled connections. Also, using a VPN would not solve
>the issue that the public IP address might have changed.
>
>If I understand correctly, you are suggesting that the way to
>"secure" this MS product is to construct a LAN to LAN VPN that
>presents internal IP addresses to both sides, and which deliberately
>has adaptive security disabled for the tunnel, allowing -all-
>connections through the tunnel ? Doesn't sound very secure to me.
>(No, I don't particularly trust the corporate Exchange servers.)
>
>Or are you suggesting that rather than a LAN to LAN VPN, that I should
>be installing VPN client software on each of the user machines and have
>that connect through to the server? This possibility would not
>offer any relief to the issue that the Exchange (pre-AD) server wants
>to be able to connect back to the client at arbitrary times
>several days later -- not, that is, unless the clients are to be
>expected to maintain permanent host->server VPN connections just
>in case the Exchange server wants to chat.

No, I'm suggesting that the way to protect your LAN is to use VPN for
external clients to connect to internal network resources. It has very
little to do with Microsoft or anyone else's product.

Just because you have a LAN to LAN VPN, that doesn't mean it has to be
allowing all traffic both ways, but that of course depends on your VPN
solution. Some products allow you to define what type of traffic is
allowed, and some do not. It should also be possible to limit which IP
addresses can be accessed through the VPN, so that clients connecting in
will only have access to whichever servers they need access to and not
to the entire network, but again, that depends on your VPN solution...

As a network admin, I'm more likely to trust the corporate Exchange
server than I am to trust computers connecting in via VPN. At least, I
know what is running on the Exchange server, but I don't know what is
running on the client computer...

With a LAN to LAN VPN, I would expect there to be a permanent
connection, so that when you launch Outlook, it will have immediate
access to the Exchange server (limited by available bandwidth only) and
any other servers you need for the connection (WINS and authentication
servers). This way, when you close Outlook, it can tell Exchange
"goodbye", and Exchange won't be attempting to connect to the client
until you log back in ...

Lars M. Hansen
www.hansenonline.net
Remove "bad" from my e-mail address to contact me.
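The point Lars makes about a LAN-to-LAN tunnel not having to pass all traffic both ways, and about limiting which internal hosts the remote clients can reach, as an added example that is not part of the original thread. It models two tunnel policies over the same constructed flows: the "allow everything both ways" policy Walter worries about, and a restrictive one that lets the remote clients reach only the Exchange, WINS and authentication servers while still permitting the Exchange server's own callback to clients. All addresses, the chosen ports, and the first-match evaluation order are assumptions for illustration, not something either poster specified.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Flow:
    """A connection attempt as a stateful firewall would see it (initiator -> responder)."""
    src: str
    dst: str
    proto: str   # "tcp" or "udp"
    dport: int

@dataclass(frozen=True)
class Rule:
    action: str                   # "allow" or "deny"
    src_net: str
    dst_net: str
    proto: Optional[str] = None   # None matches any protocol
    dport: Optional[int] = None   # None matches any destination port

    def matches(self, f: Flow) -> bool:
        return (ipaddress.ip_address(f.src) in ipaddress.ip_network(self.src_net)
                and ipaddress.ip_address(f.dst) in ipaddress.ip_network(self.dst_net)
                and (self.proto is None or self.proto == f.proto)
                and (self.dport is None or self.dport == f.dport))

def evaluate(policy, flow: Flow) -> str:
    """First matching rule wins; anything no rule matches is denied."""
    for rule in policy:
        if rule.matches(flow):
            return rule.action
    return "deny"

# Constructed addressing (assumption): remote site clients and the HQ LAN.
REMOTE_LAN = "192.168.10.0/24"
HQ_LAN = "10.0.0.0/24"
EXCHANGE = "10.0.0.5/32"   # assumed Exchange server address
WINS = "10.0.0.6/32"       # assumed WINS server address
DC = "10.0.0.7/32"         # assumed authentication (domain controller) address

# Policy 1: the tunnel passes all traffic both ways ("adaptive security disabled").
PERMISSIVE = [
    Rule("allow", REMOTE_LAN, HQ_LAN),
    Rule("allow", HQ_LAN, REMOTE_LAN),
]

# Policy 2: clients reach only the servers Outlook needs; Exchange may call back.
# Ports are assumptions: MAPI over RPC uses the endpoint mapper (TCP 135) plus
# dynamically assigned TCP ports, so all TCP to the Exchange host is allowed
# rather than a fixed port; WINS name service is UDP 137.
RESTRICTIVE = [
    Rule("allow", REMOTE_LAN, EXCHANGE, "tcp"),
    Rule("allow", REMOTE_LAN, WINS, "udp", 137),
    Rule("allow", REMOTE_LAN, DC),
    Rule("allow", EXCHANGE, REMOTE_LAN, "tcp"),   # server-initiated callback to clients
    Rule("deny", REMOTE_LAN, HQ_LAN),
    Rule("deny", HQ_LAN, REMOTE_LAN),
]

# Constructed sample flows to evaluate under both policies.
SAMPLE_FLOWS = {
    "outlook_to_exchange": Flow("192.168.10.20", "10.0.0.5", "tcp", 135),
    "exchange_callback": Flow("10.0.0.5", "192.168.10.20", "tcp", 1031),
    "client_to_wins": Flow("192.168.10.20", "10.0.0.6", "udp", 137),
    "client_to_fileserver": Flow("192.168.10.20", "10.0.0.50", "tcp", 445),
    "hq_host_to_client": Flow("10.0.0.50", "192.168.10.20", "tcp", 445),
}

def compare(flows=SAMPLE_FLOWS) -> dict:
    """Return {flow name: (decision under PERMISSIVE, decision under RESTRICTIVE)}."""
    return {name: (evaluate(PERMISSIVE, f), evaluate(RESTRICTIVE, f))
            for name, f in flows.items()}

if __name__ == "__main__":
    for name, (loose, tight) in compare().items():
        print(f"{name:22s} permissive={loose:5s} restrictive={tight}")
```

Under the restrictive policy the Outlook session, the WINS lookup and the Exchange callback all pass, but a remote client probing an unrelated HQ host, or an HQ host reaching into the remote site, is dropped. That is the difference between "a tunnel exists" and "the tunnel allows everything", which is the distinction Lars draws.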
