Hi Solomon,
Thanks for the very descriptive feedback.

One question, when you say open up ports 135-139, will it suffice to open it up b/w
PDC and BDC only or do I also need to open it up to the Local network also? What
about local network to DMZ network as such? With the any--->any rule, we got
sync'ing going by implementing WINS.

My apprehension about the  current any--->any policy is why I need this capped
fast....thanks for the warning anyway.

Regards.
Vinod.

[EMAIL PROTECTED] wrote:

> Hi Vinod,
>
> You will need to open (I think, from memory) ports 135 thru 139 between your
> PDC and BDC as NT synchronisation occurs using NetBIOS over TCP/IP.
> You should also enable Long logging between the 2 machines when you
> implement the rule.
> Open User Manager and change the description of your account to say XYZ123
> Run Windows NT Server Manager, click on the PDC and do a
> /COMPUTER/SYNCHRONISE ENTIRE DOMAIN
> Monitor the Windows NT Server log on the Exchange server and confirm a FULL
> SYNCHRONISATION occurred.
> Also check the Eventlogs on the PDC.
> Open User Manager on the Exchange server and confirm the Account Desc.
> replicated.
> Change the Desc. back to what it was, do a SYNC. ENTIRE DOMAIN again and
> confirm the change was propagated back in to your LAN.
> If there are any failures check the FW-1 log for the dropped ports and
> enable only the ones needed.
> Once all is OK you can reduce your logging to Short or None depending on
> your preference.
>
> BTW: Leaving ANY-ANY open between your two machines is not a very good
> idea.
> There are hacking utils around like NETCAP that someone can use to
> compromise your OWA server (to eventually) get Command line access to your
> box.  As this machine is a domain controller, the hacker can then use
> something to capture your SAM. and run it through something like l0phtcrack
> to extract all of your users passwords and then attempt to connect to the
> domain controller as an authenticated user and then "proxy" through your
> internal DC to get to other machines... etc...
> ---- Not meaning to scare you or anything ---
>
> I hope this helps,
> Rgds,
> Solomon Lukie
>
> "Vinod P. Thomas" <[EMAIL PROTECTED]>@lists.us.checkpoint.com on
> 07/10/2000 02:21:56 PM
>
> Sent by:  [EMAIL PROTECTED]
>
> To:   [EMAIL PROTECTED], [EMAIL PROTECTED],
>       [EMAIL PROTECTED]
> cc:   [EMAIL PROTECTED]
> Subject:  Re: [FW1] Firewall or NT
>
> Hi,
> Thanks a ton for the feedback.
>
> Andrew.....as per your suggestion I tried giving unrestricted access
> between the PDC and the mail server, but for whatever reason, it still
> didn't work. So we undid the entire policy and gave any-any access between
> the two subnets, DMZ and private. Being critical, we couldn't take the
> chance of restricting access again and possibly jeopardising functionality.
> So, we've left the any-any policy b/w DMZ and private; I've got sync'ing
> happening fine but this leaves my network wide open. Added info....my
> firewall is the sole member of a workgroup; it's not part of my NT domain.
>
> This is my requirement:
> Mail (Exchange 5.5) and application server sitting in the DMZ. Users from
> the pvt. n/w need total mail access, thru client s/w (Microsoft Outlook,
> Outlook Express and Netscape Messenger) or Outlook Web Access. Also, they are
> to be given web access and probably chat. External users should be able to
> access the mail server.
> How do I limit user access while keeping all the necessary openings for
> proper NT functionality?
>
> Also, I'm using Trend Micro Virus wall installed on the firewall machine. I
> know that commn. b/w the a/v and the firewall happens using CVP, but what
> does my policy need to look like?
>
> Awaiting your suggestions.
> Thanks and regards.
> Vinod.
>
> "Greenawalt, Andrew" wrote: You're going to have to enable RPC, and some
> NetBIOS stuff between the two.  The easiest way to handle this is to give
> the PDC any-any access to the Exchange box.  The key factor is that the NT
> Domain does not use the protocols that you have listed for its synching.
> How are you getting client traffic to the Exchange box, IMAP, POP3 or
> native Exchange?  These may be working on the basis of a liberal outbound
> policy?  Is your firewall on the domain?  If it is, it shouldn't be; it's a
> potential security risk.  As a test, allow all traffic between these two
> nodes, and work backwards.
>
> Good luck, and remember the firewall is your friend,
>
> Andy
>
> Andrew Greenawalt
> Cybergnostic.net
> CTO
>
> "Vinod P. Thomas" wrote: Hi,
>
> This is an overview of the network we're working on:
>
> Network     IP Addresses            NAT on FW
> Private     pvt. 172.16.X.x /21     hidden behind 1 public IP
> DMZ         pvt. 172.16.Y.x /21     static to a public IP
>
> The whole network is in the same NT domain. The mail server is in the DMZ,
> running Exchange 5.5 SP3 on WinNT 4.0. We just moved the mail server from
> the private network to the DMZ.
>
> The problem is, we don't find database sync'ing happening between the mail
> server (NT BDC) and the PDC which is in the private network. Otherwise, the
> mail server is functioning normally wrt sending and receiving mails. This
> sync'ing is essential, else a user changing his password will have
> authentication problems the next time he tries logging onto the mail server,
> as Exchange uses NT for authentication.
>
> As far as FW policy goes, between the pvt n/w and the DMZ, the following
> services have been enabled:
> http, https, smtp, pop3.
>
> Does this problem have anything to do with the FW or is this an NT-related
> problem? Whichever, could you help me out here?
>
> Thanks and regards.
> Vinod.
> --
> Vinod P Thomas
> Network Support Engineer
> Euclid Network Solutions, Inc.
> 1/36, Hanumanthappa Layout
> Ulsoor Road, Bangalore-560042
>
> Tel         : 91-80-5580141/2/3/4
> Fax        : 91-80-5580145
> Website : www.euclidnet.com
>  --
> Vinod P Thomas
> Network Support Engineer
> Euclid Network Solutions, Inc.
> 1/36, Hanumanthappa Layout
> Ulsoor Road, Bangalore-560042
>
> Tel         : 91-80-5580141/2/3/4
> Fax        : 91-80-5580145
> Website : www.euclidnet.com
>
> -+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
> This email, together with any attachments, is for the exclusive and confidential
> use of the addressee(s).  Any other distribution, use or reproduction
> without the sender's prior consent is unauthorised and strictly
> prohibited.  If you have received this message in error, please notify the
> sender by email immediately and delete the message from your computer
> without making any copies.
> -+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
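Solomon's last step above (check the FW-1 log for dropped ports between the PDC and BDC, then enable only those) is the tightening work that replaces the any-any rule. The script below is an added example for this thread, not code from the original posts or from Check Point: it reads constructed, simplified log records (the format is assumed, not the real FW-1 export format), counts what was dropped in either direction between two hypothetical PDC/BDC addresses, and separates the 135-139 NetBIOS range named in the thread from anything else that also needs review.

```python
"""Summarise dropped firewall log entries between two hosts.

Added example for this thread, not code from the original posts or from
Check Point. The record format below is CONSTRUCTED for the example; a real
FW-1 log export differs, so parse_line() must be adapted to your export.
"""
from collections import Counter
from typing import Dict, Iterable, List, Optional, Tuple

# Constructed sample export: "action src dst proto port", one record per line.
SAMPLE_LOG = """\
drop 172.16.1.10 172.16.9.20 tcp 139
drop 172.16.1.10 172.16.9.20 udp 137
drop 172.16.1.10 172.16.9.20 udp 138
drop 172.16.9.20 172.16.1.10 tcp 135
drop 172.16.9.20 172.16.1.10 tcp 1026
accept 172.16.1.10 172.16.9.20 tcp 25
drop 172.16.1.55 172.16.9.20 tcp 139
"""

# Hypothetical addresses assumed for the example: PDC in private, BDC in DMZ.
PDC, BDC = "172.16.1.10", "172.16.9.20"
NETBIOS_PORTS = range(135, 140)   # 135-139, the range named in the thread

def parse_line(line: str) -> Optional[Tuple[str, str, str, str, int]]:
    """Split one record; return None for lines that do not fit the format."""
    parts = line.split()
    if len(parts) != 5 or not parts[4].isdigit():
        return None
    action, src, dst, proto, port = parts
    return action, src, dst, proto, int(port)

def dropped_between(log: Iterable[str], a: str, b: str) -> Counter:
    """Count (proto, port) dropped in either direction between hosts a and b."""
    pair = {a, b}
    counts: Counter = Counter()
    for raw in log:
        rec = parse_line(raw)
        if rec and rec[0] == "drop" and {rec[1], rec[2]} == pair:
            counts[(rec[3], rec[4])] += 1
    return counts

def classify(counts: Counter) -> Dict[str, List[Tuple[str, int]]]:
    """Split drops into the NetBIOS range vs. everything else (e.g. RPC high ports)."""
    out: Dict[str, List[Tuple[str, int]]] = {"netbios": [], "other": []}
    for proto, port in sorted(counts):
        out["netbios" if port in NETBIOS_PORTS else "other"].append((proto, port))
    return out

if __name__ == "__main__":
    for kind, svcs in classify(dropped_between(SAMPLE_LOG.splitlines(), PDC, BDC)).items():
        print(kind, svcs)
```

Drops from other hosts (the 172.16.1.55 record) are ignored on purpose, so the resulting rule stays scoped to the PDC/BDC pair rather than the whole subnet.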
