On top of that, you may want to propose this sort of scenario for maximum protection:

Internet <> Firewall <> Exchange Front End Server <> Firewall <> Desktops and Exchange Back End Servers

In this way you protect your Exchange system with Antigen and a firewall from the 
outside world, and cut off access from the Exchange box between the two firewalls to 
your actual mailboxes and public folders. It means opening specific ports on the 
external firewall, while being able to close those, and open others on the internal 
one.

Q280132 should give you a good overview of ports etc. in this scenario, and will give 
you something to give to your IT director as well. This will probably allow you to 
make the best use of two firewalls.

HTH

-----Original Message-----
From: Ambrose, Joseph [mailto:[EMAIL PROTECTED]]
Sent: March 21, 2002 4:33 PM
To: MS-Exchange Admin Issues
Subject: RE: Stupid Firewall Tricks


One word

ANTIGEN

www.sybari.com


Joseph Ambrose
System and Network Manager
The Conference Board
P: 001-212-339-0443
F: 001-212-836-3802
E: [EMAIL PROTECTED]
Visit our Award Winning Web Site:  www.conference-board.org

-----Original Message-----
From: Ken Leyba [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, March 20, 2002 6:56 PM
To: MS-Exchange Admin Issues
Subject: RE: Stupid Firewall Tricks

No, we have A/V.  I'm looking at alternatives to InoculateIT.

-----
Ken Leyba
Windows/Exchange System Administrator
California State University Dominguez Hills


> -----Original Message-----
> From: Bob Falkenberg [mailto:[EMAIL PROTECTED]]
> Sent: Wednesday, March 20, 2002 3:54 PM
> To: MS-Exchange Admin Issues
> Subject: RE: Stupid Firewall Tricks
> 
> 
> no anti-virus?????? egads... 
> 
> -----Original Message-----
> From: Ken Leyba [mailto:[EMAIL PROTECTED]]
> Sent: Wednesday, March 20, 2002 3:49 PM
> To: MS-Exchange Admin Issues
> Subject: RE: Stupid Firewall Tricks
> 
> 
> That's the rub.  We have had no problems with on campus users.  All of our
> Exchange problems have been viruses.  I would have rather spent the time and
> money on a virus wall, content inspection or an alternative A/V solution.
> 
> -----
> Ken Leyba
> Windows/Exchange System Administrator
> California State University Dominguez Hills
> 
> 
> > -----Original Message-----
> > From: William Lefkovics [mailto:[EMAIL PROTECTED]]
> > Sent: Wednesday, March 20, 2002 3:40 PM
> > To: MS-Exchange Admin Issues
> > Subject: RE: Stupid Firewall Tricks
> > 
> > 
> > I have never worked for an .edu [1], but from my experience with people who
> > have, they often have users that like to test the boundaries of security and
> > go as far as their IT department allow.  I hope your students are not as
> > ambitious.
> > 
> > It's great you'll be able to block, say, ftp to Exchange, but the other
> > holes open up too many opportunities for fun.  Move the firewall from
> > between the users and Exchange to between the internet and the users.
> > 
> > [1] Hi Jamie
> > 
> > 
> > -----Original Message-----
> > From: Ken Leyba [mailto:[EMAIL PROTECTED]]
> > Sent: Wednesday, March 20, 2002 3:35 PM
> > To: MS-Exchange Admin Issues
> > Subject: RE: Stupid Firewall Tricks
> > 
> > 
> > IT.
> > 
> > -----
> > Ken Leyba
> > Windows/Exchange System Administrator
> > California State University Dominguez Hills
> > 
> > 
> > > -----Original Message-----
> > > From: William Lefkovics [mailto:[EMAIL PROTECTED]]
> > > Sent: Wednesday, March 20, 2002 3:34 PM
> > > To: MS-Exchange Admin Issues
> > > Subject: RE: Stupid Firewall Tricks
> > > 
> > > 
> > > The more important firewall is between the internet and your organisation.
> > > 
> > > What is this guy a director of?
> > > 
> > > 
> > > -----Original Message-----
> > > From: Ken Leyba [mailto:[EMAIL PROTECTED]]
> > > Sent: Wednesday, March 20, 2002 3:32 PM
> > > To: MS-Exchange Admin Issues
> > > Subject: RE: Stupid Firewall Tricks
> > > 
> > > 
> > > Yes, the clients will use POP/SMTP, IMAP and MAPI.  That was my point
> > > exactly, we'll have two Swiss Cheese firewalls.  Unless the Cisco PIX can do
> > > some kind of magic firewall tricks that I don't know about.
> > > 
> > > Ken
> > > 
> > > -----
> > > Ken Leyba
> > > Windows/Exchange System Administrator
> > > California State University Dominguez Hills
> > > 
> > > 
> > > > -----Original Message-----
> > > > From: William Lefkovics [mailto:[EMAIL PROTECTED]]
> > > > Sent: Wednesday, March 20, 2002 3:22 PM
> > > > To: MS-Exchange Admin Issues
> > > > Subject: RE: Stupid Firewall Tricks
> > > > 
> > > > 
> > > > How are you intending these users access the exchange server?  MAPI client
> > > > like Outlook?
> > > > 
> > > > The holes necessary for your users to communicate with Exchange are such
> > > > that your firewall between the users and Exchange has been rendered useless.
> > > > 
> > > > 
> > > > -----Original Message-----
> > > > From: Ken Leyba [mailto:[EMAIL PROTECTED]]
> > > > Sent: Wednesday, March 20, 2002 3:15 PM
> > > > To: MS-Exchange Admin Issues
> > > > Subject: Stupid Firewall Tricks
> > > > 
> > > > 
> > > > Our director wants us to implement a firewall in front of our Windows
> > > > 2000/Exchange 5.5 servers.  Here is what the scenario is:
> > > > 
> > > > Internet <--> Users <--> Firewall <--> Exchange
> > > > 
> > > > On the Exchange side we have the DC's, Exchange, IMC, OWA, etc. servers.  On
> > > > the public side we have the Windows 98/2000 clients, WINS server (which is a
> > > > whole different issue) and Internet.  There is a firewall before the
> > > > Internet connection but it is basically useless since nothing is configured.
> > > > On the private side we are to use NAT, since all the servers except the
> > > > backup server will need to be accessed from the outside I really don't see
> > > > what this is buying us.  Basically we are putting a firewall in front of
> > > > Exchange.  We are currently testing the configuration but I think this may
> > > > end up being a nightmare once we begin to change the Windows 2000 servers
> > > > (i.e. Active Directory) IP addresses and DNS settings to the private
> > > > addresses.
> > > > 
> > > > I began by making registry hacks to force the RPC's through specific ports
> > > > but our backbone admin figured out how to configure the PIX firewall without
> > > > me having to make the changes.  Now I'm reinstalling the test server to see
> > > > that it's actually working.
> > > > 
> > > > Can anyone give me any ammo as to why this is not the way to do things?  I
> > > > have tried to explain but I'm getting nowhere.  I don't know, maybe I'm
> > > > wrong.  However it seems it would be safer to implement the firewall at the
> > > > internet connection, we seem to be trying to protect ourselves from our
> > > > users.  There would be a lot of politics involved with the Internet firewall
> > > > but it does seem like the way to go.
> > > > 
> > > > Thx,
> > > > Ken
> > > > 
> > > > -----
> > > > Ken Leyba
> > > > Windows/Exchange System Administrator
> > > > California State University Dominguez Hills
> > > > 
> > > > List Charter and FAQ at:
> > > > http://www.sunbelt-software.com/exchange_list_charter.htm