date: Wed, 18 Jun 2008 14:06:34 +0100,
group: microsoft.public.exchange.admin
Re: Exchange ports through firewall?
Well I would like that, but when you have 1000's of users and LAN users are
some of the biggest threats it's a good idea. Plus Cisco firewalls have IPS
to stop worms/viruses etc, this design was recommended by a huge IT
consultancy company.
I've left it at IP any any rule so it's as if there is no firewall, but at least
the IPS is picking up the "interested" traffic.
I've managed to do all the other servers like the DC's, Fileservers etc,
just Exchange is a pain.
"RobM" <roke-it@nospam.postalias> wrote in message
news:585E482A-C147-4BA5-B480-72BEEE174ABD@microsoft.com...
> You're making life very difficult for yourself (and not really achieving
> much in the way of security) - Windows authentication, file access,
> Exchange access will require RPC, which is not really firewall friendly.
> Put a good, properly configured firewall on your perimeter, and don't
> complicate things by putting them where they're not really going to do
> much good.
>
> "Cyborg" wrote:
>
>> Hi,
>>
>> All our servers are on their own subnet, however there will be a firewall
>> installed between the servers subnet and the LAN users. Can someone list
>> the UDP/TCP required and whether inbound or outbound to and from the LAN?
>>
>> I can only think inbound from LAN to the server subnet need to be opened?
>>
>> Thanks
>>
date: Wed, 18 Jun 2008 15:36:15 +0100
author: Cyborg
Re: Exchange ports through firewall?
- One alternative is to use Outlook Anywhere (RPC over HTTP in Exchange
2003) and restrict client connections to a single port (HTTPS).
- The following KBA and others listed in its References section have the
information you're looking for about Outlook/MAPI client connectivity to
Exchange:
Exchange Server static port mappings
http://support.microsoft.com/kb/270836
--
Bharat Suneja
Microsoft Corporation
blog: exchangepedia.com/blog
This posting is provided "AS IS" with no warranties, and confers no
rights. Please do not send email directly to this alias. This alias is for
newsgroup purposes only.
------------------------------------------
date: Wed, 18 Jun 2008 08:00:43 -0700
author: Bharat Suneja [MSFT]
Re: Exchange ports through firewall?
Can this be changed for 1000's of PC's easily though?
date: Wed, 18 Jun 2008 16:52:43 +0100
author: Cyborg
Re: Exchange ports through firewall?
- Registry entries can be pushed using GPOs. Take a look at:
Using Administrative Template Files with Registry-Based Group Policy
http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/management/gp/admtgp.mspx
- Security does come at a cost... in this case if you want to provide
clients RPC/MAPI access across a firewall, you can restrict clients and
server to a narrower range of ports, or alternatively open a lot more ports
on the firewall.
- Again, it's not a recommended deployment - I would consider RPC over
HTTP(S)/Outlook Anywhere.
--
Bharat Suneja
Microsoft Corporation
blog: exchangepedia.com/blog
This posting is provided "AS IS" with no warranties, and confers no
rights. Please do not send email directly to this alias. This alias is for
newsgroup purposes only.
------------------------------------------
date: Wed, 18 Jun 2008 09:11:21 -0700
author: Bharat Suneja [MSFT]
Re: Exchange ports through firewall?
I take it there are too many ports to open if we use the full client method?
date: Wed, 25 Jun 2008 11:07:06 +0100
author: Cyborg