The more important firewall is between the internet and your organisation.
What is this guy a director of?

-----Original Message-----
From: Ken Leyba [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, March 20, 2002 3:32 PM
To: MS-Exchange Admin Issues
Subject: RE: Stupid Firewall Tricks

Yes, the clients will use POP/SMTP, IMAP and MAPI. That was my point exactly, we'll have two Swiss Cheese firewalls. Unless the Cisco PIX can do some kind of magic firewall tricks that I don't know about.

Ken

-----
Ken Leyba
Windows/Exchange System Administrator
California State University Dominguez Hills

> -----Original Message-----
> From: William Lefkovics [mailto:[EMAIL PROTECTED]]
> Sent: Wednesday, March 20, 2002 3:22 PM
> To: MS-Exchange Admin Issues
> Subject: RE: Stupid Firewall Tricks
>
> How are you intending these users to access the Exchange server? MAPI client like Outlook?
>
> The holes necessary for your users to communicate with Exchange are such that your firewall between the users and Exchange has been rendered useless.
>
> -----Original Message-----
> From: Ken Leyba [mailto:[EMAIL PROTECTED]]
> Sent: Wednesday, March 20, 2002 3:15 PM
> To: MS-Exchange Admin Issues
> Subject: Stupid Firewall Tricks
>
> Our director wants us to implement a firewall in front of our Windows 2000/Exchange 5.5 servers. Here is what the scenario is:
>
> Internet <--> Users <--> Firewall <--> Exchange
>
> On the Exchange side we have the DCs, Exchange, IMC, OWA, etc. servers. On the public side we have the Windows 98/2000 clients, WINS server (which is a whole different issue) and Internet. There is a firewall before the Internet connection but it is basically useless since nothing is configured. On the private side we are to use NAT; since all the servers except the backup server will need to be accessed from the outside, I really don't see what this is buying us. Basically we are putting a firewall in front of Exchange. We are currently testing the configuration but I think this may end up being a nightmare once we begin to change the Windows 2000 servers' (i.e. Active Directory) IP addresses and DNS settings to the private addresses.
>
> I began by making registry hacks to force the RPCs through specific ports but our backbone admin figured out how to configure the PIX firewall without me having to make the changes. Now I'm reinstalling the test server to see that it's actually working.
>
> Can anyone give me any ammo as to why this is not the way to do things? I have tried to explain but I'm getting nowhere. I don't know, maybe I'm wrong. However, it seems it would be safer to implement the firewall at the internet connection; we seem to be trying to protect ourselves from our users. There would be a lot of politics involved with the Internet firewall but it does seem like the way to go.
>
> Thx,
> Ken
>
> -----
> Ken Leyba
> Windows/Exchange System Administrator
> California State University Dominguez Hills
>
> List Charter and FAQ at:
> http://www.sunbelt-software.com/exchange_list_charter.htm