The execs "won't put up with it".  So when your Exchange server and all the
exec stuff within suddenly belongs to someone else, you can console them
with the fact that they did once-upon-a-time get their e-mails 2 or 3
seconds (or whatever) faster over their much-preferred configuration.

My apologies to Aaron and all for another no-real-tech-help-but-more-rant
posting.  Just wanted to drop this note since I'm in the process of reading
the book "Hackers Beware" (Eric Cole, SANS Institute) and IMHO the intro and
initial chapters of this book would probably be some good ammo for those
fighting the "good fight" within a management or organizational thought
process that places security concerns at or near the bottom of the priority
list.  The entire book is top notch, but the intro in particular is closer
to "exec-speak"(1).  

Get this book (if you can or if you have not already - and there are several
other great sources of info as you know), gather up all the comments like
those from Bruce and the other very knowledgeable admins on this and any
other related lists that you may subscribe to (all the credible answers to
their inevitable "why should we bother" line of questioning), and let your
boss know what a really, really, really bad idea it is to open up your
server like this.  If you have to do it their way, go down screaming.  I piss
off someone here almost daily by doing the right thing or complaining about
the wrong choices (OK, so I only got a "C" in Organizational Behavior 101
but my conscience is clear and ultimately the users as a whole do benefit).
Strap on the ice-packs and save them from themselves.  

I know, easier said than done.  What the hell, a career change now and then
isn't so bad.  BTW, anybody out there hiring? (just kidding - but my ice
packs are melting...)

walkin' the tightrope...
randy.

(1) Further apologies to those very well-informed "execs" who do hold
security in a higher regard (some of whom frequent this list and other
security-related lists and have helped me out a great deal).


> -----Original Message-----
> From: Briggs, Bruce [SMTP:[EMAIL PROTECTED]]
> Sent: November 7, 2001 4:08 PM
> To:   MS-Exchange Admin Issues
> Subject:      RE: Exchange access through a firewall
> 
> I would suggest finding out about the VPN performance problems. VPN should
> not be so much slower than native.
> Watchguard offers both an IPSEC and a PPTP VPN option.
>  
> Doing it this way is asking for the client's Exchange server to be hacked.
>  
>  
> Bruce Briggs 
> System Administration 
> State University of NY 
>  
> -----Original Message-----
> From: Aaron Kennedy [mailto:[EMAIL PROTECTED]]
> Sent: Wednesday, November 07, 2001 3:32 PM
> To: MS-Exchange Admin Issues
> Subject: Exchange access through a firewall
> 
> 
> The executives at one of our clients do a fair number of road-trips and
> have become accustomed to being able to use Outlook to access their
> Exchange server directly over the internet.  This is not my preferred
> solution (it was set up on their old Exchange 5.5 server by one of their
> previous support companies), but the execs say that VPN is so much slower
> that they won't put up with it.
>  
> We recently upgraded their 5.5 server to 2000 and I set up the 2000 server
> to allow access through the firewall according to the MS documentation
> (Q270836).  I have opened the necessary ports (port 135, 3 ports manually
> configured in the registry, and port 1026 for authentication), but I have
> found that when attempting to connect directly from any internet
> connection that numerous time-outs occur ("Retry/Work Offline" dialog pops
> up).  Usually, if you press Retry about 3 times (sometimes as many as 15),
> it does finally connect and everything seems ok after that.  Sometimes it
> connects first try.
>  
> Watching the logs on the firewall, it seems that the connection starts to
> initialize (traffic on the RFR Interface port, sometimes the IS Interface
> port), but then dies.  Usually, after trying two or three times, we
> finally see traffic on all 5 ports (1026 seems to be the key, obviously)
> and suddenly everything connects and works.  I don't believe this is a
> firewall issue as the logging on the firewall seems to indicate the
> traffic isn't even reaching it and we are having no other internet
> connectivity issues there.
>  
> The client has a single Exchange 2000 server (SP1) on Win2k Server (SP2).
> They have a Watchguard Firebox II firewall.  The clients are running Win98
> or Win2k and Outlook 2000 with various SR/hotfixes applied.  All PCs
> exhibit the same problem.  I have tried this over cable modem, DSL, and
> dial-up connections.  The dial-up connections seem a little worse, but
> they all have the same problem.
>  
> Any hints would be appreciated...
>  
> -Aaron
>  
> List Charter and FAQ at:
> http://www.sunbelt-software.com/exchange_list_charter.htm
> 
