-----Original Message-----
From: Rudolf Schreiner [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, June 01, 1999 7:43 AM
To: Chris Brenton
Cc: [EMAIL PROTECTED]
Subject: Re: DCOM on Gauntlet
> On Mon, 31 May 1999, Chris Brenton wrote:
> > > IMHO this doesn't work because DCOM embeds the IP addresses of the
> > > endpoints in the content.
> >
> > Good point. I assumed that since MS Proxy was given as a possible
> > solution, that legal rather than private addresses were being used.
>
> What _exactly_ did you do?
>
> Did you just open the ports on a packet filter? This obviously works.
>
> Or did you use something like plug-gw, a TCP level proxy? That's what I
> understood as "plug". This should not work without evil hacks like
> "reNATing" the IP addresses.

Um, why? If they use legal IP addresses who cares whether the IP address is
in the header, the packet, or delivered via singing telegram?

> > Actually, it does solve the call back problem. The client will only use
> > ports specified by the server. If you have limited the port range on the
> > server, the client will only use these ports. Thus no client hacks are
> > required.
>
> Again, if you're just filtering it should work. But the normal plug-gw is
> not bidirectional.

It isn't? How do I get TACACS+ from a DMZ router in through a firewall with
it then? (Not that I'm advocating the architecture, but that's the best
solution. Bleh.)

> But I'm in the position to decide what I personally do. DCOM thru the big
> Internet firewall is IMHO a big NO-NO. Between business partners or in a
> VPN it's another question.

Never in question. 8)

> Rudi
--
Ben Nagy
Network Consultant, CPM&S Group of Companies
Direct Dial: (08) 8422 8319 Mobile: (0414) 411 520
-
[To unsubscribe, send mail to [EMAIL PROTECTED] with
"unsubscribe firewalls" in the body of the message.]