RE: [FW1] Allow nbsession via firewall
I assume you are talking about providing OWA to the world? By order of preference, look at the following:

If you want Exchange access from anywhere for remote users
==========================================================
Look at SecureClient/SecuRemote and VPN to the remote users - they still use Outlook and everything is secure (nearly said 100% secure :-< ). This obviously requires that the roaming user has their laptop with them. Place the Exchange server on the internal network - the VPN takes care of the encryption. CP will provide a free key for SecuRemote but not for SecureClient (which is more secure).

If you want Internet Cafe access
================================
Look at Outlook Web Access - but buy a BIG box with lots of RAM to host it and be aware of the security issues of using HTTP as the transport (i.e. unencrypted comms). You can use SSL to improve security on your OWA box, then train all users about clearing the cache, logging out to secure the connection etc. Place the real Exchange server on the internal LAN and the OWA server on a separate DMZ.

Microsoft Technet article Q259240 details how to "train" OWA to talk nicely via a firewall, and this states that 3 ports must be open: 135 plus two user-chosen ports. Allow Exchange traffic between the OWA machine and the internal host using a couple of point-to-point firewall rules, eg:

1. Define a service, say "OWA_To_Exch", that contains your choice of two ports (say 7000 and 7001) plus the static 135 "locator" port - this is not NBT.
2. Define an "internal networks" group - say "Internal_Nets" - and place all internal networks in it. We'll use the inverse of this to define "the internet".

Add rules on the firewall:

from                 to              type           action
not(Internal_Nets)   OWA_Box         HTTP+HTTPS     Accept
OWA_Box              Exchange_Box    OWA_To_Exch    Accept

Also look at securing the OWA system using Lance's details on hardening NT: http://www.enteract.com/~lspitz/tips.html

This limits the holes for the service to be as small as possible: you can't talk to the internal server directly, and you can only talk to the OWA box via HTTP or HTTPS - which limits the risk.

What makes you think you need port 139 open?

Regards
Tim

-----Original Message-----
From: Arie Gilboa [mailto:[email protected]]
Sent: 17 January 2001 14:35
To: Chilton Tim; [email protected]
Subject: Re: [FW1] Allow nbsession via firewall

Tim,

Thanks!... I agree with your answers, but what can I do if Exchange 2000 requires it, in its Front-end & Back-end Topology, in order to allow access to Exchange from the Internet?

Thanks,
Arie Gilboa

----- Original Message -----
Subject: RE: [FW1] Allow nbsession via firewall

> Arie,
>
> You really don't want to enable NBT from your DMZ inbound or a compromised
> host on your DMZ will be able to connect to internal hosts which is a major
> security host
>
> Try to keep all connections one way, eg
>
> Internal network -> DMZ Network
> DMZ Network -> Internet
>
> Obviously you will need exceptions - eg inbound e-mail, in which case ensure
> that you make the rule point to point (host A to host B only) and service
> specific - ie only SMTP.
>
> What are you trying to fix with NBT inbound?
> - Can you grab the files from the DMZ using an internal host instead?
>
> Regards
>
> Tim
>
> -----Original Message-----
> From: Arie Gilboa [mailto:[email protected]]
> Sent: 07 January 2001 09:59
> To: [email protected]
> Subject: [FW1] Allow nbsession via firewall
>
> Hello!,
>
> I would like to ask how risky it is to allow nbsession (139) access from DMZ to
> Internal network?
> Is there any way to avoid it?
>
> Thanks,
> Arie Gilboa

================================================================================
To unsubscribe from this mailing list, please see the instructions at
http://www.checkpoint.com/services/mailing.html
================================================================================
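The two point-to-point rules Tim describes (Internet -> OWA box on HTTP/HTTPS, OWA box -> Exchange box on 135 plus the two chosen ports, everything else dropped) can be checked as a first-match rulebase. The script below is an added example and not part of the thread or of any Check Point product: all addresses and networks in it are constructed placeholders, and the rule evaluation is a simplified model of FW-1 first-match semantics with a final default drop.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Callable, Set

# Constructed addresses for this example (not taken from the thread).
INTERNAL_NETS = [ip_network("10.0.0.0/8"), ip_network("192.168.0.0/16")]
DMZ_NET = ip_network("172.16.1.0/24")
OWA_BOX = ip_address("172.16.1.10")       # OWA front-end, sits on the DMZ
EXCHANGE_BOX = ip_address("10.0.0.25")    # real Exchange server, internal LAN

# Service objects. OWA_To_Exch = the two user-chosen ports plus the static
# RPC locator port 135 (Q259240); nbsession is the port from the question.
SERVICES: dict[str, Set[int]] = {
    "HTTP+HTTPS": {80, 443},
    "OWA_To_Exch": {135, 7000, 7001},
    "nbsession": {139},
}

Matcher = Callable[[object], bool]


@dataclass
class Rule:
    src: Matcher
    dst: Matcher
    service: str
    action: str


def in_any(nets) -> Matcher:
    """Match an address contained in any of the given networks."""
    return lambda ip: any(ip in n for n in nets)


def is_host(host) -> Matcher:
    """Match exactly one host (point-to-point rules)."""
    return lambda ip: ip == host


def not_internal(ip) -> bool:
    """not(Internal_Nets): the inverse of the internal group = 'the internet'."""
    return not in_any(INTERNAL_NETS)(ip)


# The rulebase from the reply, in order. Anything not matched is dropped.
RULEBASE = [
    Rule(not_internal, is_host(OWA_BOX), "HTTP+HTTPS", "Accept"),
    Rule(is_host(OWA_BOX), is_host(EXCHANGE_BOX), "OWA_To_Exch", "Accept"),
]


def evaluate(src: str, dst: str, port: int) -> str:
    """First-match evaluation with an implicit final drop."""
    s, d = ip_address(src), ip_address(dst)
    for rule in RULEBASE:
        if rule.src(s) and rule.dst(d) and port in SERVICES[rule.service]:
            return rule.action
    return "Drop"


def audit() -> dict:
    """Flows a defender would want to confirm before going live."""
    return {
        "internet->owa https": evaluate("203.0.113.5", str(OWA_BOX), 443),
        "owa->exchange 7000": evaluate(str(OWA_BOX), str(EXCHANGE_BOX), 7000),
        "owa->exchange 139": evaluate(str(OWA_BOX), str(EXCHANGE_BOX), 139),
        "other dmz host->exchange 7000": evaluate("172.16.1.77", str(EXCHANGE_BOX), 7000),
        "internet->exchange https": evaluate("203.0.113.5", str(EXCHANGE_BOX), 443),
    }


if __name__ == "__main__":
    for flow, verdict in audit().items():
        print(f"{flow:32s} {verdict}")
```

Only the two intended flows come back as Accept; nbsession (139) from the OWA box, any other DMZ host reaching the Exchange box, and the Internet reaching the Exchange box directly all fall through to the drop, which is exactly the "point to point and service specific" property Tim asks for.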