Mikael said:
>In short: PPTP is not an alternative here.
Since he was asking about opening a whole SLEW of ports through the firewall to
accommodate communicating through the firewall:
MailBR (Mail Brazil) said:
>But then came firewalls and firewalls divided "outlook-web" from
>"pdc and exchange", and they were never more able to talk without a
>big hole between our external and internal nets.
>
>The first alternative was reverse-proxying the connection to our
>internal net, where outlook-web, pdc and exchange all live.
>If someone exploits outlook-web, he gets the internal net, that's
>exactly what we're trying to avoid.
>
>The sec alternative was DMZing the outlook-web. But still we got the
>[135,137,138,139,1024-65535] tcp/udp hole pointing to pdc and
>exchange. So if outlook-web is taken, pdc and exchange are exposed.
>Looks better, but does it look secure?
>
>I've been looking at IMP from horde.org [free webmail] and it looks good
>'cos you only need IMAP opened from dmz to internal net; has anybody
>been using it successfully?
I figured opening a SINGLE (pair) through the firewall (**between two specific
servers**) might be somewhat more "controllable". It seemed to me a simpler solution
than restricting the ports used in the OWA/Exchange communication.
I agree, PPTP is a poor choice for secure communications; IMO, it's a convenient
choice for VPN where security is not the issue.
~Gary