Thanks Scott for your input. In my case, I can't use POP3 or IMAP. My users need full Exchange service (i.e. Outlook's calendar, address box, notes, etc.). The good thing is that the "external" network is not truly external. This firewall is deployed inside our internal network for remote VPN-connected users.

-raymond

At 08:37 AM 10/12/01 -0400, you wrote:
>From a Microsoft perspective, this isn't the recommended solution. This
>sounds like you are trying to gain access to the Exchange server via RPC,
>(RPC over IP) through the firewall. Did you also know you can also send and
>receive messages through the POP3 and IMAP protocols as well as the native
>SMTP? This means as long as you have the Exchange server set up to use POP3
>as an additional protocol, you can then open up your port 110 through the
>firewall and users outside of the firewall can connect to the server (much
>the same as an ISP does). I forget how to set up all of the details but I
>do know it is supported, documented, and works. You can search the M$ site
>for POP3 and you will find the TechNet article that will guide you.
>
>By opening up RPC, you will be further exposing yourself to vulnerabilities
>that could be unforeseen. What I mean is you should really investigate
>what damage a hacker could do once he scans you and finds RPC open to the
>Exchange server and what vulnerabilities could be exploited by using common
>hacking tools.
>
>Scott Moore, MCSE 4.0/2000, MCT, MCP+I, CCSA, CCA
>
>-----Original Message-----
>From: Mailing list for discussion of Firewall-1
>[mailto:[EMAIL PROTECTED]]On Behalf Of
>Raymond N
>Sent: Thursday, October 11, 2001 8:35 PM
>To: [EMAIL PROTECTED]
>Subject: Re: [FW-1] How to allow Exchange access
>
>Would you mind going into a bit of detail about what "DCE-RPC" is, and how
>do I use it to allow the Exchange traffic?
>
>Thanks.
>
>At 07:39 AM 10/11/01 +0100, you wrote:
>>Sorry, meant "DCE-RPC"!!!!
>>
>>M
>>
>>Hi,
>>
>>I have done this using the MS-RPC along with the MSExchange. Have a lot
>>more items in the rule, so you may also have to allow part of the "NBT" set
>>through.
>>
>>Not sure what version of server we are running, but all works fine.
>>
>>Hope this helps,
>>
>>Regards,
>>
>>Miles.
>>
>>-----Original Message-----
>>From: Raymond N [mailto:[EMAIL PROTECTED]]
>>Sent: 11 October 2001 01:47
>>To: [EMAIL PROTECTED]
>>Subject: [FW-1] How to allow Exchange access
>>
>>Hi there,
>>
>>I am using Firewall-1 4.1 SP4. I want an NT client workstation in network-A
>>to be able to access the MS Exchange server in network-B, where the CP
>>firewall is in between. The Exchange server is v5.5. No network address
>>translation.
>>
>>I know that there are pre-defined services "MSExchange", "MSExchange-v5.5",
>>"MSExchange-RemoteAdmin", "MSExchange-RemoteAdmin-v5.5" and
>>"MSExchange-SiteConnector". What is needed in my situation? And what
>>should the rule(s) look like?
>>
>>I tried this:
>>source = network-a
>>destination = network-b
>>service = all MSExchange service defined above
>>action = accept
>>
>>It doesn't work. From the log, I see that my client is trying to talk to
>>the server on tcp port 2400, and is being dropped. I suppose using those
>>pre-defined resources can eliminate the need to open all the >1023 TCP
>>ports, isn't it?
>>
>>Please help.
>>
>>-raymond ([EMAIL PROTECTED])
>>
>>================================================================================
>> To unsubscribe from this mailing list, please see the instructions at
>> http://www.checkpoint.com/services/mailing.html
>>================================================================================
