Re: Why is Win Explorer accessing the Net?
From: Lars M. Hansen (badnews_at_hansenonline.net)
Date: Tue, 23 Dec 2003 17:36:51 GMT
On 23 Dec 2003 17:08:53 GMT, Walter Roberson spoketh
>In article <firstname.lastname@example.org>,
>Lars M. Hansen <email@example.com> wrote:
>:On 23 Dec 2003 16:02:22 GMT, Walter Roberson spoketh
>:>Now, not having control over the corporate Exchange servers, how
>:>can I configure the client to stop the server from remembering the
>:>ip + port (both of which could have been dynamically allocated) --
>:>or how can I *reasonably* configure a stateful firewall to
>:>recognize this situation and make the appropriate back-connection
>:>even if the public IP has been long ago reallocated?
>:Simple: A client should never connect to Exchange through a firewall. If
>:external users need to connect to Exchange, use VPN.
>My firewalls are also VPN devices, and do exactly the same kind of
>adaptive security on connections over IPSec tunnels as is done
>for non-tunneled connections. Also, using a VPN would not solve
>the issue that the public IP address might have changed.
>If I understand correctly, you are suggesting that the way to
>"secure" this MS product is to construct a LAN to LAN VPN that
>presents internal IP addresses to both sides, and which deliberately
>has adaptive security disabled for the tunnel, allowing -all-
>connections through the tunnel ? Doesn't sound very secure to me.
>(No, I don't particularly trust the corporate Exchange servers.)
>Or are you suggesting that rather than a LAN to LAN VPN, that I should
>be installing VPN client software on each of the user machines and have
>that connect through to the server? This possibility would not
>offer any relief to the issue that the Exchange (pre-AD) server wants
>to be able to connect back to the client at arbitrary times
>several days later -- not, that is, unless the clients are to be
>expected to maintain permanent host->server VPN connections just
>in case the Exchange server wants to chat.
No, I'm suggesting that the way to protect your LAN is to use VPN for
external clients to connect to internal network resources. It has very
little to do with Microsoft or anyone else's product.
Just because you have a LAN to LAN VPN, that doesn't mean it has to be
allowing all traffic both ways, but that of course depends on your VPN
solution. Some products allow you to define what type of traffic is
allowed, and some do not. It should also be possible to limit which IP
addresses can be accessed through the VPN, so that clients connecting in
will only have access to whichever servers they need access to and not
to the entire network, but again, that depends on your VPN solution...
As a network admin, I'm more likely to trust the corporate Exchange
server than I am to trust computers connecting in via VPN. At least, I
know what is running on the Exchange server, but I don't know what is
running on the client computer...
With a LAN to LAN VPN, I would expect there to be a permanent
connection, so that when you launch Outlook, it will have immediate
access to the Exchange server (limited by available bandwidth only) and
any other servers you need for the connection (WINS and authentication
servers). This way, when you close Outlook, it can tell Exchange
"goodbye", and Exchange won't be attempting to connect to the client
until you log back in ...
Lars M. Hansen
Remove "bad" from my e-mail address to contact me.