Mark Olbert wrote:
> My question is this: are there any significant downsides (particularly
> security downsides) to doing 1:1 NAT as opposed to Proxy ARP?

Hi Mark,

I can't think of any difference, since either way the traffic is hitting the Exchange machine. How it gets there doesn't matter.

> I'm ignoring DNAT, perhaps inappropriately, because I think it would be hard
> to get RPC over HTTP to work using DNAT.

I am using DNAT for https and it Just Works. But I only have Windows Mobile and Symbian clients on the outside doing ActiveSync, so take my words with a grain of salt. In other words, I have no Outlook clients on the outside.

The http port is handled by apache2 on the firewall doing name-based forwarding without any troubles at all.

Side note: I don't like to have the Exchange box directly exposed at all (https being an exception, but that can be fixed too), so I use proxies between Exchange and the internet: apache for http, exim for smtp and perdition for imap and pop. Another benefit of the apache proxy is that anyone scanning and trying out exploits who doesn't use any of your host names is caught by apache. Such traffic doesn't reach the Exchange box. Exim is doing LDAP lookups against the AD to verify recipients before accepting mail.

> - Mark

Best regards,
/Martin Leben

_______________________________________________
Shorewall-users mailing list
https://lists.sourceforge.net/lists/listinfo/shorewall-users
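To make the three options in the thread concrete, here is an added illustration (not from the thread and not the Shorewall project's own documentation) of how 1:1 NAT, proxy ARP and DNAT each look in Shorewall's configuration files for a hypothetical Exchange host. All addresses, interface names and zone names are placeholders; the point it shows is that none of the three mechanisms bypasses the rules file, so the host's exposure is decided there, not by how the packets arrive.

```conf
# Added example, not from the thread. Placeholders: public address
# 203.0.113.10, Exchange host 192.168.1.10, external interface eth0,
# internal interface eth1. Zones "net" (eth0) and "loc" (eth1) are
# assumed to exist in /etc/shorewall/zones and /etc/shorewall/interfaces.

# --- Option A: 1:1 NAT -- /etc/shorewall/nat ---------------------------
# Every port of 203.0.113.10 is mapped to the Exchange host, but packets
# are still filtered afterwards, so "loc:192.168.1.10" rules apply.
#EXTERNAL       INTERFACE   INTERNAL        ALL_INTERFACES  LOCAL
203.0.113.10    eth0        192.168.1.10    No              No

# --- Option B: Proxy ARP -- /etc/shorewall/proxyarp --------------------
# Here the Exchange host is configured with 203.0.113.10 itself; the
# firewall answers ARP for it on eth0 and routes the packets in via eth1
# (HAVEROUTE=No lets Shorewall add the host route). Rules then reference
# "loc:203.0.113.10" instead of the private address.
#ADDRESS        INTERFACE   EXTERNAL    HAVEROUTE   PERSISTENT
203.0.113.10    eth1        eth0        No          No

# --- Option C: DNAT -- /etc/shorewall/rules ----------------------------
# Only the listed port is translated; anything else sent to the firewall's
# address never reaches the Exchange host, so there is nothing extra to
# lock down.
#ACTION   SOURCE   DEST                  PROTO   DEST PORT(S)
DNAT      net      loc:192.168.1.10      tcp     443

# --- Required with A or B: /etc/shorewall/rules -------------------------
# With 1:1 NAT or proxy ARP the whole host is addressable from "net", but
# traffic still crosses the net->loc policy. Keep that policy at DROP or
# REJECT in /etc/shorewall/policy and open only what is needed:
#ACTION   SOURCE   DEST                  PROTO   DEST PORT(S)
ACCEPT    net      loc:192.168.1.10      tcp     443
# smtp, imap and pop are terminated by proxies on the firewall in the
# setup described above, so they need no net->loc rule at all.
```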
