Hi Vinod,

You will need to open (I think, from memory) ports 135 through 139 between your
PDC and BDC, as NT synchronisation occurs using NetBIOS over TCP/IP.
You should also enable Long logging between the 2 machines when you
implement the rule.
Open User Manager and change the description of your account to say XYZ123
Run Windows NT Server Manager, click on the PDC and do a
/COMPUTER/SYNCHRONISE ENTIRE DOMAIN
Monitor the Windows NT Server log on the Exchange server and confirm a FULL
SYNCHRONISATION occurred.
Also check the Eventlogs on the PDC.
Open User Manager on the Exchange server and confirm the Account Desc.
replicated.
Change the Desc. back to what it was, do a SYNC. ENTIRE DOMAIN again and
confirm the change was propagated back in to your LAN.
If there are any failures check the FW-1 log for the dropped ports and
enable only the ones needed.
Once all is OK you can reduce your logging to Short or None depending on
your preference.

BTW: Leaving ANY-ANY open between your two machines is not a very good
idea.
There are hacking utils around like NETCAP that someone can use to
compromise your OWA server to (eventually) get command-line access to your
box.  As this machine is a domain controller, the hacker can then use
something to capture your SAM and run it through something like l0phtcrack
to extract all of your users' passwords, then attempt to connect to the
domain controller as an authenticated user and "proxy" through your
internal DC to get to other machines... etc...
---- Not meaning to scare you or anything ----

I hope this helps,
Rgds,
Solomon Lukie
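As an added illustration of the "check the FW-1 log for the dropped ports and enable only the ones needed" step (this is not code from the thread or from Check Point), here is a small log filter that counts drops between the PDC and the BDC and lists the distinct protocol/port pairs involved. The log layout (semicolon-separated fields time;action;src;dst;proto;service), the two host addresses and the sample lines are all assumptions constructed for the example.

```python
"""Summarise firewall drops between a PDC and a BDC so that a narrow rule
can replace any-any.  The export format and addresses below are assumed,
and the sample log lines are constructed for this example."""
from collections import Counter

PDC = "172.16.1.10"   # assumed PDC address on the private network
BDC = "172.16.9.10"   # assumed Exchange/BDC address in the DMZ

SAMPLE_LOG = """\
10:21:03;accept;172.16.1.10;172.16.9.10;tcp;139
10:21:04;drop;172.16.1.10;172.16.9.10;udp;137
10:21:04;drop;172.16.1.10;172.16.9.10;udp;138
10:21:05;drop;172.16.9.10;172.16.1.10;tcp;135
10:21:05;drop;172.16.9.10;172.16.1.10;tcp;135
10:21:06;drop;172.16.1.77;172.16.9.10;tcp;80
10:21:07;accept;172.16.1.10;172.16.9.10;tcp;139
"""


def parse_line(line):
    """Split one export line into a dict; malformed lines yield None."""
    parts = line.strip().split(";")
    if len(parts) != 6:
        return None
    time, action, src, dst, proto, service = parts
    return {"time": time, "action": action.lower(), "src": src,
            "dst": dst, "proto": proto.lower(), "service": service}


def dropped_between(log_text, host_a, host_b):
    """Count drops in either direction between the two hosts, keyed by
    (src, dst, proto, service).  Traffic involving other hosts is ignored,
    so the Outlook client on 172.16.1.77 does not pollute the result."""
    pair = {host_a, host_b}
    counts = Counter()
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None or rec["action"] != "drop":
            continue
        if {rec["src"], rec["dst"]} != pair:
            continue
        counts[(rec["src"], rec["dst"], rec["proto"], rec["service"])] += 1
    return counts


def needed_services(log_text, host_a, host_b):
    """Distinct (proto, port) pairs dropped between the pair: the candidates
    for an explicit PDC<->BDC rule instead of any-any."""
    drops = dropped_between(log_text, host_a, host_b)
    return sorted({(proto, svc) for (_, _, proto, svc) in drops})


if __name__ == "__main__":
    for key, n in sorted(dropped_between(SAMPLE_LOG, PDC, BDC).items()):
        print(n, *key)
    print("candidate services:", needed_services(SAMPLE_LOG, PDC, BDC))
```

Run it against a real export only after checking that the field order matches your log format; the point is to open exactly what the sync test dropped, in both directions, rather than the whole range.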




"Vinod P. Thomas" <[EMAIL PROTECTED]>@lists.us.checkpoint.com on
07/10/2000 02:21:56 PM

Sent by:  [EMAIL PROTECTED]

To:   [EMAIL PROTECTED], [EMAIL PROTECTED],
      [EMAIL PROTECTED]
cc:   [EMAIL PROTECTED]
Subject:  Re: [FW1] Firewall or NT


Hi,
Thanks a ton for the feedback.

Andrew.....as per your suggestion I tried giving unrestricted access
between the PDC and the mail server, but for whatever reason, it still
didn't work. So we undid the entire policy and gave any-any access between
the two subnets, DMZ and private. Being critical, we couldn't take the
chance of restricting access again and possibly jeopardising functionality.
So, we've left the any-any policy b/w DMZ and private; I've got sync'ing
happening fine but this leaves my network wide open. Added info....my
firewall is the sole member of a workgroup; it's not part of my NT domain.

This is my requirement:
Mail (Exchange 5.5) and application server sitting in the DMZ. Users from
the pvt. n/w need total mail access, thru client s/w (Microsoft Outlook,
Outlook Express and Netscape Messenger) or Outlook Web Access. Also, they are
to be given web access and probably chat. External users should be able to
access the mail server.
How do I limit user access while keeping all the necessary openings for
proper NT functionality?

Also, I'm using Trend Micro VirusWall installed on the firewall machine. I
know that commn. b/w the a/v and the firewall happens using CVP, but what
does my policy need to look like?

Awaiting your suggestions.
Thanks and regards.
Vinod.

"Greenawalt, Andrew" wrote: You're going to have to enable RPC, and some
NetBIOS stuff between the two. The easiest way to handle this is to give
the PDC any-any access to the Exchange box. The key factor is that the NT
Domain does not use the protocols that you have listed for its synching.
How are you getting client traffic to the Exchange box, IMAP, POP3 or
native Exchange? These may be working on the basis of a liberal outbound
policy? Is your firewall on the domain? If it is, it shouldn't be; it's a
potential security risk. As a test, allow all traffic between these two
nodes, and work backwards.

Good luck, and remember the firewall is your friend,

Andy

Andrew Greenawalt
Cybergnostic.net
CTO


"Vinod P. Thomas" wrote: Hi,

This is an overview of the network we're working on:

Network    IP Addresses              NAT on FW
Private    pvt. 172.16.X.x /21       hidden behind 1 public IP
DMZ        pvt. 172.16.Y.x /21       static to a public IP

The whole network is in the same NT domain. The mail server is in the DMZ,
running Exchange 5.5 SP3 on WinNT 4.0. We just moved the mail server from
the private network to the DMZ.

The problem is, we don't find database sync'ing happening between the mail
server (NT BDC) and the PDC, which is in the private network. Otherwise, the
mail server is functioning normally wrt sending and receiving mails. This
sync'ing is essential; else, a user changing his password will have
authentication problems the next time he tries logging onto the mail server,
as Exchange uses NT for authentication.

As far as FW policy goes, between the pvt n/w and the DMZ, the following
services have been enabled:
http, https, smtp, pop3.

Does this problem have anything to do with the FW or is this an NT-related
problem? Whichever, could you help me out here?

Thanks and regards.
Vinod.
--
Vinod P Thomas
Network Support Engineer
Euclid Network Solutions, Inc.
1/36, Hanumanthappa Layout
Ulsoor Road, Bangalore-560042

Tel     : 91-80-5580141/2/3/4
Fax     : 91-80-5580145
Website : www.euclidnet.com



