That's the rub. We have had no problems with on campus users. All of our Exchange problems have been viruses. I would have rather spent the time and money on a virus wall, content inspection or an alternative A/V solution.
----- Ken Leyba Windows/Exchange System Administrator California State University Dominguez Hills > -----Original Message----- > From: William Lefkovics [mailto:[EMAIL PROTECTED]] > Sent: Wednesday, March 20, 2002 3:40 PM > To: MS-Exchange Admin Issues > Subject: RE: Stupid Firewall Tricks > > > I have never worked for an .edu [1], but from my experience > with people who > have, they often have users that like to test the boundaries > of security and > go as far as their IT department allow. I hope your students > are not as > ambitious. > > It's great you'll be able to block, say, ftp to Exchange, but > the other > holes open up too many opportunities for fun. Move the firewall from > between the users and Exchange to between the internet and the users. > > [1] Hi Jamie > > > -----Original Message----- > From: Ken Leyba [mailto:[EMAIL PROTECTED]] > Sent: Wednesday, March 20, 2002 3:35 PM > To: MS-Exchange Admin Issues > Subject: RE: Stupid Firewall Tricks > > > IT. > > ----- > Ken Leyba > Windows/Exchange System Administrator > California State University Dominguez Hills > > > > -----Original Message----- > > From: William Lefkovics [mailto:[EMAIL PROTECTED]] > > Sent: Wednesday, March 20, 2002 3:34 PM > > To: MS-Exchange Admin Issues > > Subject: RE: Stupid Firewall Tricks > > > > > > The more important firewall is between the internet and your > > organisation. > > > > What is this guy a director of? > > > > > > -----Original Message----- > > From: Ken Leyba [mailto:[EMAIL PROTECTED]] > > Sent: Wednesday, March 20, 2002 3:32 PM > > To: MS-Exchange Admin Issues > > Subject: RE: Stupid Firewall Tricks > > > > > > Yes, the clients will use POP/SMTP, IMAP and MAPI. That > was my point > > exactly, we'll have two Swiss Cheese firewalls. Unless the > > Cisco PIX can do > > some kind of magic firewall tricks that I don't know about. > > > > Ken > > > > ----- > > Ken Leyba > > Windows/Exchange System Administrator > > California State University Dominguez Hills > > > > > > > -----Original Message----- > > > From: William Lefkovics [mailto:[EMAIL PROTECTED]] > > > Sent: Wednesday, March 20, 2002 3:22 PM > > > To: MS-Exchange Admin Issues > > > Subject: RE: Stupid Firewall Tricks > > > > > > > > > How are you intending these users access the exchange server? > > > MAPI client > > > like Outlook? > > > > > > The holes necessary for your users to communicate with > > > Exchange are such > > > that your firewall between the users and Exchange has been > > > rendered useless. > > > > > > > > > -----Original Message----- > > > From: Ken Leyba [mailto:[EMAIL PROTECTED]] > > > Sent: Wednesday, March 20, 2002 3:15 PM > > > To: MS-Exchange Admin Issues > > > Subject: Stupid Firewall Tricks > > > > > > > > > Our director wants us to implement a firewall in front of > > our Windows > > > 2000/Exchange 5.5 servers. Here is what the scenario is: > > > > > > Internet <--> Users <--> Firewall <--> Exchange > > > > > > On the Exchange side we have the DC's, Exchange, IMC, OWA, > > > etc. servers. On > > > the public side we have the Windows 98/2000 clients, WINS > > > server (which is a > > > whole different issue) and Internet. There is a firewall > before the > > > Internet connection but it is basically useless since nothing > > > is configured. > > > On the private side we are to use NAT, since all the servers > > > except the > > > backup server will need to be accessed from the outside I > > > really don't see > > > what this is buying us. Basically we are putting a firewall > > > in front of > > > Exchange. We are currently testing the configuration but I > > > think this may > > > end up being a nightmare once we begin to change the Windows > > > 2000 servers > > > (i.e. Active Directory) IP addresses and DNS settings to > the private > > > addresses. > > > > > > I began by making registry hacks to force the RPC's through > > > specific ports > > > but our backbone admin figured out how to configure the PIX > > > firewall without > > > me having to make the changes. Now I'm reinstalling the test > > > server to see > > > that it's actually working. > > > > > > Can anyone give me any ammo as to why this is not the way to > > > do things. I > > > have tried to explain but I'm getting nowhere. I don't > > know maybe I'm > > > wrong. However it seems it would be safer to implement the > > > firewall at the > > > internet connection, we seem to be trying to protect > > > ourselves from our > > > users. There would be a lot of politics involved with the > > > Internet firewall > > > but it does seem like the way to go. > > > > > > Thx, > > > Ken > > > > > > ----- > > > Ken Leyba > > > Windows/Exchange System Administrator > > > California State University Dominguez Hills > > > > > > List Charter and FAQ at: > > > http://www.sunbelt-software.com/exchange_list_charter.htm > > > > > > List Charter and FAQ at: > > > http://www.sunbelt-software.com/exchange_list_charter.htm > > > > > > > List Charter and FAQ at: > > http://www.sunbelt-software.com/exchange_list_charter.htm > > > > List Charter and FAQ at: > > http://www.sunbelt-software.com/exchange_list_charter.htm > > > > List Charter and FAQ at: > http://www.sunbelt-software.com/exchange_list_charter.htm > > List Charter and FAQ at: > http://www.sunbelt-software.com/exchange_list_charter.htm > List Charter and FAQ at: http://www.sunbelt-software.com/exchange_list_charter.htm