Hi,
Thanks a ton for the feedback.

Andrew, as per your suggestion I tried giving unrestricted access between the PDC and the mail server, but for whatever reason, it still didn't work. So we undid the entire policy and gave any-any access between the two subnets, DMZ and private. Being critical, we couldn't take the chance of restricting access again and possibly jeopardising functionality. So, we've left the any-any policy b/w DMZ and private; I've got syncing happening fine but this leaves my network wide open. Added info: my firewall is the sole member of a workgroup; it's not part of my NT domain.

This is my requirement:
Mail (Exchange 5.5) and application server sitting in the DMZ. Users from the pvt. n/w need total mail access, thru client s/w (Microsoft Outlook, Outlook Express and Netscape Messenger) or Outlook Web Access. Also, they are to be given web access and probably chat. External users should be able to access the mail server.
How do I limit user access while keeping all the necessary openings for proper NT functionality?

Also, I'm using Trend Micro VirusWall installed on the firewall machine. I know that commn. b/w the a/v and the firewall happens using CVP, but what does my policy need to look like?

Awaiting your suggestions.
Thanks and regards.
Vinod.

"Greenawalt, Andrew" wrote:

You're going to have to enable RPC, and some NetBIOS stuff between the two.  The easiest way to handle this is to give the PDC any-any access to the Exchange box.  The key factor is that the NT domain does not use the protocols that you have listed for its syncing.  How are you getting client traffic to the Exchange box, IMAP, POP3 or native Exchange?  These may be working on the basis of a liberal outbound policy?  Is your firewall on the domain?  If it is, it shouldn't be; it's a potential security risk.  As a test, allow all traffic between these two nodes, and work backwards.

Good luck, and remember the firewall is your friend,

Andy

Andrew Greenawalt
Cybergnostic.net
CTO
 
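To make Andy's point concrete, here is an added example that is not from the thread or from any product mentioned in it: a small Python audit that checks a firewall rule table against the flows NT 4.0 PDC/BDC replication needs and flags any rule that is network-wide any-any. The port list, the both-directions modelling and the three sample policies are my own assumptions built from the thread, not something the posters wrote.

```python
from dataclasses import dataclass
from typing import Optional, Tuple
PortRange = Optional[Tuple[int, int]]  # None == any port

@dataclass(frozen=True)
class Rule:
    src: str          # host name or "any"
    dst: str
    proto: str        # "tcp", "udp" or "any"
    ports: PortRange

    def covers(self, src: str, dst: str, proto: str, ports: PortRange) -> bool:
        """True if this single rule permits the whole flow."""
        if (self.src not in ("any", src) or self.dst not in ("any", dst)
                or self.proto not in ("any", proto)):
            return False
        if self.ports is None:
            return True
        return ports is not None and self.ports[0] <= ports[0] <= ports[1] <= self.ports[1]

    def is_any_any(self) -> bool:
        return (self.src, self.dst, self.proto, self.ports) == ("any", "any", "any", None)

# Flows NT 4.0 domain replication needs between PDC and BDC, modelled here in
# both directions (an assumption): NetBIOS name/datagram/session, the RPC
# endpoint mapper and the dynamic RPC range (NT default 1024-65535).
REPLICATION_FLOWS = [
    (a, b, proto, ports, name)
    for a, b in (("pdc", "bdc"), ("bdc", "pdc"))
    for proto, ports, name in (
        ("udp", (137, 137), "NetBIOS name service"),
        ("udp", (138, 138), "NetBIOS datagram service"),
        ("tcp", (139, 139), "NetBIOS session service"),
        ("tcp", (135, 135), "RPC endpoint mapper"),
        ("tcp", (1024, 65535), "RPC dynamic ports"),
    )
]

def audit(rules: list) -> tuple:
    """Return (replication flows no rule permits, rules that are unrestricted any-any)."""
    missing = [f"{name} {a}->{b}" for a, b, proto, ports, name in REPLICATION_FLOWS
               if not any(r.covers(a, b, proto, ports) for r in rules)]
    broad = [r for r in rules if r.is_any_any()]
    return missing, broad

# Constructed policies mirroring the thread: original service list, network any-any, host-scoped.
ORIGINAL_POLICY = [Rule("any", "any", "tcp", (p, p)) for p in (80, 443, 25, 110)]
NETWORK_ANY_ANY = [Rule("any", "any", "any", None)]
HOST_SCOPED = [Rule("pdc", "bdc", "any", None), Rule("bdc", "pdc", "any", None)]
```

Running `audit()` on each policy shows the original http/https/smtp/pop3 list blocks every replication flow, the network-wide any-any passes them but is flagged as unrestricted, and the host-scoped pair passes them without a network-wide rule.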

"Vinod P. Thomas" wrote:

Hi,

This is an overview of the network we're working on:

Network    IP Addresses            NAT on FW
Private    pvt. 172.16.X.x /21     hidden behind 1 public IP
DMZ        pvt. 172.16.Y.x /21     static to a public IP

The whole network is in the same NT domain. The mail server is in the DMZ, running Exchange 5.5 SP3 on WinNT 4.0. We just moved the mail server from the private network to the DMZ.

The problem is, we don't find database syncing happening between the mail server (NT BDC) and the PDC, which is in the private network. Otherwise, the mail server is functioning normally wrt sending and receiving mails. This syncing is essential, else a user changing his password will have authentication problems the next time he tries logging onto the mail server, as Exchange uses NT for authentication.

As far as FW policy goes, between the pvt n/w and the DMZ, the following services have been enabled:
http, https, smtp, pop3.

Does this problem have anything to do with the FW or is this an NT-related problem? Whichever, could you help me out here?

Thanks and regards.
Vinod.
--
Vinod P Thomas
Network Support Engineer
Euclid Network Solutions, Inc.
1/36, Hanumanthappa Layout
Ulsoor Road, Bangalore-560042

Tel         : 91-80-5580141/2/3/4
Fax        : 91-80-5580145
Website : www.euclidnet.com
 
