date: Thu, 9 Feb 2006 11:09:27 -0800,
group: microsoft.public.exchange2000.connectivity
Re: exchange being switched to static ports due to firewall
Well, the cisco pix will not work with dynamic ports, so my users cannot send
email, only receive email. And based on the info I've gotten off of MSKB and
Cisco, I have to tell exchange to use static ports, and I have to tell my
client stations what ports to use as well. Not sure how this is insecure?
Should I go about this in an entirely different direction? The pix is so
that my mail server is not completely unprotected.
"Nick Gillott [MVP]" wrote:
> Why are you doing it that way? Seems a very long way round and rather
> insecure. A little more detail please.
>
> "Jason Goetting" <Jason Goetting@discussions.microsoft.com> wrote in message
> news:7FE0AC2F-410A-47EA-9A36-93F921B7A2DC@microsoft.com...
> > Just wondering if anyone can give me a "best" practices solution to my
> > situation.
> >
> > I'm sticking a cisco 506e pix in front of my mail server which is stand
> > alone, it's not connected to our internal network in any way. Everyone
> > connects via the internet.
> >
> > For everything to work properly I have to use static ports. I have to
> > configure this on the mail server, open the ports on the firewall and I
> > also have to make registry entries on the client machines so they connect
> > properly. I have multiple sites to go to, and we are not on a WAN so I
> > cannot do this remotely. So I want to figure out the best and most efficient
> > way to make the changes to my client stations.
> >
> > Basically for the remote sites, they will have to use OWA while this is
> > being done.
> >
> > Any ideas would be of great help!
>
>
>
date: Thu, 9 Feb 2006 14:36:08 -0800
author: Jason Goetting
Re: exchange being switched to static ports due to firewall
Jason,
Right, this is from memory as I ditched Cisco Pix years ago and I'm
generalising based on your setup. But this is the way I'd do it (and did do
it) for security.
Old fashioned but secure:
LAN: 192.168.0.x/24
Cisco Pix: 192.168.0.1
Exchange box: 192.168.0.2, default gateway is the Pix.
On the Pix:
Name <mail outside> MailOutside
Name <mail on LAN> MailInside
access-list acl_outside permit tcp any host <ip of remote site> host any
access-list acl_outside permit tcp any host MailOutside eq www
access-list acl_outside permit tcp any host MailOutside eq 443
access-list acl_outside permit tcp any host MailOutside eq smtp
static (inside,outside) MailOutside MailInside netmask 255.255.255.255 5000 1000
access-group acl_outside in interface outside
route outside 0.0.0.0 0.0.0.0 <external gateway> 1
I THINK that's about it.
New fangled:
Skip the access-list line that finishes with any (which I can't recall if it
will work anyway!)
Then you've only got port 80/443 open but you can use RPC over HTTPS for
Outlook 2003 to Exchange 2003 and use cached mode.
Hope that helps.
Nick
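To make the difference between the two rulesets concrete, here is an added example (not from the thread and not Cisco code) that parses the post's access-list lines in a minimal PIX-like form and reports which ports each ruleset exposes. It assumes constructed addresses for the placeholders (203.0.113.10 for the remote site, 198.51.100.25 for MailOutside, 192.0.2.77 for an arbitrary internet host) and writes the remote-site line as source host then destination host.

```python
import re
from ipaddress import ip_address

PORT_NAMES = {"www": 80, "http": 80, "https": 443, "smtp": 25}

# Constructed addresses standing in for the post's placeholders.
REMOTE_SITE = "203.0.113.10"     # <ip of remote site>
MAIL_OUTSIDE = "198.51.100.25"   # MailOutside
ANY_INTERNET = "192.0.2.77"      # some unrelated internet host

# "Old fashioned": the remote site may reach every TCP port on the mail server
# (needed for the static MAPI ports); everyone else gets web and SMTP only.
OLD_FASHIONED = f"""
access-list acl_outside permit tcp host {REMOTE_SITE} host {MAIL_OUTSIDE}
access-list acl_outside permit tcp any host {MAIL_OUTSIDE} eq www
access-list acl_outside permit tcp any host {MAIL_OUTSIDE} eq 443
access-list acl_outside permit tcp any host {MAIL_OUTSIDE} eq smtp
"""
# "New fangled": drop the remote-site line; Outlook rides RPC over HTTPS on 443.
NEW_FANGLED = "\n".join(l for l in OLD_FASHIONED.splitlines() if " eq " in l)

RULE = re.compile(
    r"access-list \S+ (permit|deny) tcp (any|host \S+) (any|host \S+)(?: eq (\S+))?$")

def _port(tok):
    if tok is None:
        return None  # no "eq": the rule covers every TCP port
    return PORT_NAMES.get(tok.lower()) or int(tok)

def parse_acl(text):
    """Parse the subset of PIX ACL syntax used in the post (any / host X, eq port)."""
    rules = []
    for line in text.strip().splitlines():
        m = RULE.match(line.strip())
        if not m:
            raise ValueError(f"unsupported ACL syntax: {line!r}")
        action, src, dst, port = m.groups()
        rules.append((action == "permit", src, dst, _port(port)))
    return rules

def _addr_match(spec, addr):
    return spec == "any" or ip_address(spec.split()[1]) == ip_address(addr)

def permits(rules, src, dst, dport):
    """First matching rule wins; a PIX access-list ends in an implicit deny."""
    for allow, s, d, p in rules:
        if _addr_match(s, src) and _addr_match(d, dst) and p in (None, dport):
            return allow
    return False

def exposed_ports(acl_text, src, dst, candidates):
    """Which of the candidate ports on dst can src reach under this ACL?"""
    rules = parse_acl(acl_text)
    return sorted(p for p in candidates if permits(rules, src, dst, p))

# RPC endpoint mapper (135) plus two constructed static MAPI ports, next to web/SMTP.
CANDIDATES = [25, 80, 135, 443, 1025, 1026]
```

Under the old ruleset the remote site's address reaches every candidate port while the rest of the internet sees only 25/80/443; under the new one even the remote site is limited to 25/80/443.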
date: Sat, 11 Feb 2006 22:46:25 -0000
author: Nick Gillott [MVP]
Re: exchange being switched to static ports due to firewall
Thanks! I will be working on this tomorrow. This is very helpful. I think
you might've spelled it out for me!
date: Sat, 11 Feb 2006 18:42:27 -0800
author: Jason Goetting