Firewall Wizards mailing list archives

RE: Putting MS servers behind firewalls


From: "Mark Gumennik" <mgumennik () mitre org>
Date: Tue, 8 Jun 2004 09:17:31 -0400

Dilan,
Consider re-thinking your architecture.
Opening MS ports on a fw is practically the same as not having a fw.
If you're paranoid about users pinging your servers and such, put a router
ACL with restriction of certain ports.
Keep in mind that this router (or a fw in your case) becomes a backbone
(bottleneck) of your LAN.
Best of all, just put Exchange bridgehead behind a fw (DMZ), open port 25 to
it and put all AD servers on a regular LAN.
Mark G 

-----Original Message-----
From: firewall-wizards-admin () honor icsalabs com
[mailto:firewall-wizards-admin () honor icsalabs com] On Behalf Of Dilan
Walgampaya
Sent: Monday, June 07, 2004 2:24 AM
To: firewall-wizards () honor icsalabs com
Subject: [fw-wiz] Putting MS servers behind firewalls

Hi Wizards,

        I ran into a problem putting Microsoft Servers behind a firewall. The
users have to go through the FW to access the servers. The servers I
wanted to put are on an AD domain. There were an AD server, a file server and
an Exchange server. These servers need a large no. of services opened
for proper operation. The worst is that the Exchange server works in a
dynamic port setup where the server opens a random port for each
different client. The MS site has some registry edits that are supposed to
correct this dynamic port setup issue. But when I tried these they did
not work as the document describes.

        Has anybody done this kind of a setup (with other than an ISA server)?
I am interested in doing this with Netscreen/Pix and Linux IPTables. Any
help is appreciated.



Thanks in advance

Dilan
_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
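
The layout recommended in the reply (only port 25 forwarded, to the Exchange bridgehead) can be checked mechanically on a Linux iptables firewall. This is an added example, not part of either message: it audits `iptables -S` output and flags forwarded ACCEPT rules that open MS ports or wide dynamic-port ranges. The addresses, the sample ruleset and the 1000-port threshold are assumptions.

```python
import shlex

# Well-known Microsoft service ports (RPC endpoint mapper, NetBIOS, SMB).
MS_PORTS = {135, 137, 138, 139, 445}
# Assumption: an ACCEPT spanning this many ports is a blanket dynamic-port opening.
WIDE_RANGE = 1000

def port_ranges(spec):
    """Turn '25', '1024:65535' or '135,139,445' into (low, high) pairs."""
    for part in spec.split(","):
        low, _, high = part.partition(":")
        yield int(low), int(high or low)

def audit(ruleset, bridgehead):
    """Return (line, reason) for FORWARD ACCEPT rules beyond SMTP to the bridgehead."""
    findings = []
    for line in ruleset.strip().splitlines():
        tok = shlex.split(line)
        if tok[:2] != ["-A", "FORWARD"] or "ACCEPT" not in tok:
            continue
        if "--state" in tok or "--ctstate" in tok:
            continue  # return traffic for connections already allowed
        opts = dict(zip(tok, tok[1:]))  # option -> the token that follows it
        spec = opts.get("--dport") or opts.get("--dports")
        dest = opts.get("-d", "any").split("/")[0]
        if spec is None:
            findings.append((line, "no port restriction"))
            continue
        ranges = list(port_ranges(spec))
        if any(lo <= p <= hi for lo, hi in ranges for p in MS_PORTS):
            findings.append((line, "exposes MS RPC/NetBIOS/SMB ports"))
        elif any(hi - lo >= WIDE_RANGE for lo, hi in ranges):
            findings.append((line, "wide range (dynamic RPC ports)"))
        elif ranges != [(25, 25)] or dest != bridgehead:
            findings.append((line, "not SMTP to the bridgehead"))
    return findings

# Constructed sample in `iptables -S` format; addresses are documentation ranges.
SAMPLE = """
-P FORWARD DROP
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -d 192.0.2.25/32 -p tcp -m tcp --dport 25 -j ACCEPT
-A FORWARD -d 192.0.2.10/32 -p tcp -m multiport --dports 135,139,445 -j ACCEPT
-A FORWARD -d 192.0.2.10/32 -p tcp -m tcp --dport 1024:65535 -j ACCEPT
"""

if __name__ == "__main__":
    for line, reason in audit(SAMPLE, "192.0.2.25"):
        print(f"{reason}: {line}")
```

On the sample, the SMTP rule passes and the two rules toward 192.0.2.10 are reported.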

