On Mon, 31 May 1999, Chris Brenton wrote:

> > > In short, you can get DCOM to play nice with a firewall by making some
> > > registry changes. The changes allow you to pick and choose the ports
> > > DCOM will use. This will allow you to set up a couple of plugs in order
> > > to pass the traffic.
> > IMHO this doesn't work because DCOM embeds the IP addresses of the
> > endpoints in the content.
> 
> Good point. I assumed that since MS Proxy was given as a possible
> solution, that legal rather than private addresses were being used.

What _exactly_ did you do?
Did you just open the ports on a packet filter? This obviously works.
Or did you use something like plug-gw, a TCP level proxy? That's what I 
understood as "plug". This should not work without evil hacks like 
"reNATing" the IP addresses. 

> Actually, it does solve the call back problem. The client will only use
> ports specified by the server. If you have limited the port range on the
> server, the client will only use these ports. Thus no client hacks are
> required.

Again, if you're just filtering it should work. But the normal plug-gw is 
not bidirectional.

> Seeing as this is a "business need vs. risk assessment" issue, I will
> not go there.

If the risk is too big, balancing needs and risks becomes hard.

> Suffice to say that not everyone is in the same position
> to dictate what will or what will not be passed through the firewalls
> they manage. ;)

I'm not in the position to dictate what to pass or not pass thru a 
client's firewall. 
But I'm in the position to decide what I personally do. DCOM thru the big 
Internet firewall is IMHO a big NO-NO. Between business partners or in a 
VPN it's another question.

Rudi
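
Added example, not part of the original message: a short Python check of the "embedded IP addresses" point raised above. It parses the string bindings of a DCOM DUALSTRINGARRAY (layout as published in MS-DCOM: two 16-bit counts, then tower id plus null-terminated UTF-16 address per binding) and lists the TCP addresses that differ from the address the client actually connected to. The function names, the sample buffer and all addresses are constructed for illustration.

```python
import ipaddress
import struct

TOWER_TCP = 0x0007  # tower id for ncacn_ip_tcp

def build_sample(bindings):
    """Constructed test data: a DUALSTRINGARRAY with an empty security list."""
    body = b"".join(struct.pack("<H", t) + a.encode("utf-16-le") + b"\x00\x00"
                    for t, a in bindings)
    body += b"\x00\x00" + b"\x00\x00"   # end of string bindings, end of security bindings
    n = len(body) // 2
    return struct.pack("<HH", n, n - 1) + body  # wNumEntries, wSecurityOffset

def parse_string_bindings(buf):
    """Return [(tower_id, network_address)] from a DUALSTRINGARRAY."""
    num_entries, sec_offset = struct.unpack_from("<HH", buf, 0)
    if sec_offset > num_entries or 4 + 2 * num_entries > len(buf):
        raise ValueError("truncated or inconsistent DUALSTRINGARRAY")
    words = struct.unpack_from("<%dH" % sec_offset, buf, 4)
    out, i = [], 0
    while i < len(words) and words[i] != 0:      # a zero tower id ends the list
        tower, start = words[i], i + 1
        end = start
        while end < len(words) and words[end] != 0:
            end += 1
        if end == len(words):
            raise ValueError("unterminated network address")
        out.append((tower, buf[4 + 2 * start:4 + 2 * end].decode("utf-16-le")))
        i = end + 1
    return out

def mismatched_bindings(buf, address_client_used):
    """TCP bindings whose literal IP is not the address the client connected to.

    Behind a TCP plug the client connects to the proxy, but is then told to
    call back to the addresses listed here, which the plug does not rewrite.
    """
    seen = ipaddress.ip_address(address_client_used)
    bad = []
    for tower, addr in parse_string_bindings(buf):
        host = addr.split("[", 1)[0]             # strip optional "[port]" suffix
        try:
            if tower == TOWER_TCP and ipaddress.ip_address(host) != seen:
                bad.append(addr)
        except ValueError:
            pass                                  # hostname: depends on client DNS
    return bad

SAMPLE = build_sample([(TOWER_TCP, "10.1.2.3[1058]"), (TOWER_TCP, "dcomsrv")])
```

With a packet filter the client sees the server's own address, so nothing is flagged; with a plug in between, the private address in the payload is what the client would try next.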
