On the Exchange server, in regedit under the HKEY_LOCAL_MACHINE subtree, go to
System\CurrentControlSet\Services\MSExchangeDS\Parameters
and add a REG_DWORD named
TCP/IP port
with the data 000004C9 (1225 in decimal).
Again in HKEY_LOCAL_MACHINE, at
System\CurrentControlSet\Services\MSExchangeIS\ParametersSystem
add a REG_DWORD named
TCP/IP port
with the data 000004CA (1226 in decimal).
Otherwise, Exchange dynamically allocates ports, which would mean you'd have
to make your firewall look more like a sieve. You can use whatever port
numbers you like, but make them above 1100. This comes from an MS KB article,
but I've lost the number for it, I'm afraid.
Your ruleset should then look something like:
#http
from interface red tcp port any to host OWA tcp port 80 accept log;
from host OWA tcp port 80 to interface red tcp port any accept log;
#https
from interface red tcp port any to host OWA tcp port 443 accept log;
from host OWA tcp port 443 to interface red tcp port any accept log;
#rpc portmapper
from host OWA tcp port any to host EXCHANGE tcp port 135 accept log;
from host EXCHANGE tcp port 135 to host OWA tcp port any accept log;
#exchange directory service
from host OWA tcp port any to host EXCHANGE tcp port 1225 accept log;
from host EXCHANGE tcp port 1225 to host OWA tcp port any accept log;
#exchange information store
from host OWA tcp port any to host EXCHANGE tcp port 1226 accept log;
from host EXCHANGE tcp port 1226 to host OWA tcp port any accept log;
#eof
Mine is AltaVista 98, but you get the idea. The web server should not be able
to do file/print sharing with the machines inside, but it should allow
Exchange users to authenticate and get their mail. Make sure your users have
the Log on Locally right, and do use https. The OWA box should be a member
server, not a domain controller, so there is no domain SAM stored on it...
thanks,
Peter
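The registry procedure above, written out as a script with a read-back and a listening-port check. This is an added example and not part of Peter's post; it assumes it is run as Administrator on the Exchange server with PowerShell available, that the two services are restarted afterwards (the port values are only read at service start), and it uses the 1225/1226 values from the post. The function names are my own.

```powershell
# Added example (not from the original post): pin the Exchange 5.5 Directory
# Service and Information Store RPC listeners to static TCP ports, then verify.
# Assumptions: run as Administrator on the Exchange server; MSExchangeDS and
# MSExchangeIS are restarted afterwards, since the value is read at service start.

$Pins = @(
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\MSExchangeDS\Parameters';       Port = 1225 }  # 0x4C9
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\MSExchangeIS\ParametersSystem'; Port = 1226 }  # 0x4CA
)

function Set-ExchangeStaticPort {
    param([string]$Path, [int]$Port)
    # The post says to keep the pinned ports above 1100, clear of the dynamic range.
    if ($Port -le 1100 -or $Port -gt 65535) { throw "Port $Port is outside the recommended range" }
    if (-not (Test-Path $Path)) { New-Item -Path $Path -Force | Out-Null }
    # The value name contains a slash, so it goes in -Name, never in the path.
    New-ItemProperty -Path $Path -Name 'TCP/IP port' -PropertyType DWord -Value $Port -Force | Out-Null
    # Read back what was actually written so a typo in the value name shows up here.
    (Get-ItemProperty -Path $Path -Name 'TCP/IP port').'TCP/IP port'
}

function Test-ExchangeStaticPort {
    param([int]$Port)
    # After the service restart, the pinned port must appear as LISTENING on TCP.
    $listening = netstat -an -p tcp | Select-String -Pattern ":$Port\s+\S+\s+LISTENING"
    [bool]$listening
}

foreach ($pin in $Pins) {
    $written = Set-ExchangeStaticPort -Path $pin.Path -Port $pin.Port
    Write-Host ("{0} -> TCP/IP port = {1} (0x{1:X})" -f $pin.Path, $written)
}

Write-Host "Restart the Directory Service and Information Store, then check the listeners:"
foreach ($pin in $Pins) {
    $ok = Test-ExchangeStaticPort -Port $pin.Port
    Write-Host ("TCP port {0} listening: {1}" -f $pin.Port, $ok)
}
```

The listening check is the part worth keeping: if either port is not bound after the restart, the firewall rules for 1225/1226 are passing nothing and OWA will fall back to failing RPC calls rather than reporting a clear error.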
-----Original Message-----
From: Lee, Dana-Renee [mailto:[EMAIL PROTECTED]]
Sent: 07 February 2000 21:34
To: 'Paul Chouffet'; '[EMAIL PROTECTED]'
Subject: RE: PIX 520 DMZ Policy Question
Paul, if you allow it to log in to the inside domain then you have opened a
hole for an intruder. Now all he has to do is break into the IIS server and
he is in. Do you really want to do that?
-----Original Message-----
From: Paul Chouffet [mailto:[EMAIL PROTECTED]]
Sent: Monday, February 07, 2000 11:08 AM
To: '[EMAIL PROTECTED]'
Subject: PIX 520 DMZ Policy Question
I have a PIX 520 with a DMZ. On this DMZ I have an IIS server running
Outlook Web Access. This IIS server is a member of the domain on the inside
interface. Currently, this IIS server cannot log on to the domain because of
the firewall. What do I need to open up on the DMZ policy so that the
server can log on to the domain?
Thanks for any help.
-
[To unsubscribe, send mail to [EMAIL PROTECTED] with
"unsubscribe firewalls" in the body of the message.]