Here are the policies I would add for IPSec Settings:

Action   Source   Dest      Address            Function
Allow    Any      TCP443    All IP             Allow all SSL traffic
Allow    TCP443   Any       All IP             Allow all SSL traffic
Allow    Any      TCP80     Back End Exchange  Allow HTTP from Back End
Allow    Any      TCP53     All DCs            DNS (Assumes integrated DNS)
Allow    Any      UDP53     All DCs            DNS
Allow    Any      TCP88     All DCs            Kerberos
Allow    Any      UDP88     All DCs            Kerberos
*Allow   Any      TCP123    All DCs            Time Protocol
Allow    Any      UDP123    All DCs            Time Protocol
Allow    Any      TCP135    All DCs            RPC Endpoint mapper
Allow    Any      TCP389    All DCs            LDAP - Directory Services
Allow    Any      UDP389    All DCs            LDAP - Directory Services
Allow    Any      TCP1025   All DCs            Domain RPC traffic (Assumes it's locked to these ports -- could be anything)
Allow    Any      TCP1026   All DCs            Domain RPC traffic
Allow    Any      TCP3268   All DCs            LDAP - Global Catalog
Deny     Any      Any       Any                All Else Denied

You'll need to set the backend server and DCs to have at least an IPSec policy of client so these communications can be established. TCP 123 to the DCs is certainly negotiable, as is DNS, although on DNS I think it's preferable to a hosts file on an external server.

Absolutely put the WWWROOT on a drive other than the Boot partition. Run MBSA and HFNetChk (MBSA by default doesn't check checksums), the OWA security template with IISLockdown, and URLScan. One of the KB articles I linked earlier gives details of the exceptions you'll need to set for the URLScan.ini.

Some documentation would also suggest adding TCP 445 to the DCs. As far as I can tell this is just for the application of group policy. I'd rather deal with the slow boot times than offer this.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Public Folder: Exchange
Sent: Friday, April 04, 2003 11:12 AM
To: Exchange Discussions
Subject: RE: Aaaarrrrggghhhh - What ports for OWA through only 1 firewall (no DMZ) besides 80

At the very least, you should run URLscan on that machine so that it's not hacked immediately.

-Kevin

> -----Original Message-----
> From: Jeffrey Dubyn [mailto:[EMAIL PROTECTED]]
> Posted At: Friday, April 04, 2003 2:34 AM
> Posted To: Exchange
> Conversation: Aaaarrrrggghhhh - What ports for OWA through only 1 firewall (no DMZ) besides 80
> Subject: Aaaarrrrggghhhh - What ports for OWA through only 1 firewall (no DMZ) besides 80
>
> Against my very loud protest, a customer insists on deploying OWA to users on the Internet with no security in place. They nixed a front end server, SSL, VPN solution or an ISA server.
>
> My question is, what port(s), other than port 80, do I need to open up on the firewall? This is Exchange 2000 SP3, fully patched.
>
> I've looked through KB article #278339 and #280132 (which discusses DMZ's), but don't see anything other than port 80 needed. Am I missing something? Any other suggestions on what I can do to secure this (if anything)?
>
> _________________________________________________________________
> List posting FAQ: http://www.swinc.com/resource/exch_faq.htm
> Archives: http://www.swynk.com/sitesearch/search.asp
> To unsubscribe: mailto:[EMAIL PROTECTED]
> Exchange List admin: [EMAIL PROTECTED]
> _________________________________________________________________
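The filter list at the top of this thread is an ordered first-match policy ending in a catch-all Deny, which makes it easy to check which flows it actually admits before pushing it to the OWA server. The evaluator below is an added example, not code from the thread; the host-group addresses and sample flows are constructed placeholders, and the wildcard groups and "TCP443"-style port specs are taken from the table as posted.

```python
# Host groups from the table. None means "any address"; the IPs are constructed
# placeholders for this example, not addresses from the thread.
HOST_GROUPS = {
    "All IP": None,
    "Any": None,
    "Back End Exchange": {"192.0.2.10"},
    "All DCs": {"192.0.2.20", "192.0.2.21"},
}

# (action, source spec, destination spec, address group, function), in table order.
RULES = [
    ("Allow", "Any", "TCP443", "All IP", "Allow all SSL traffic"),
    ("Allow", "TCP443", "Any", "All IP", "Allow all SSL traffic"),
    ("Allow", "Any", "TCP80", "Back End Exchange", "Allow HTTP from Back End"),
    ("Allow", "Any", "TCP53", "All DCs", "DNS"),
    ("Allow", "Any", "UDP53", "All DCs", "DNS"),
    ("Allow", "Any", "TCP88", "All DCs", "Kerberos"),
    ("Allow", "Any", "UDP88", "All DCs", "Kerberos"),
    ("Allow", "Any", "TCP123", "All DCs", "Time Protocol"),
    ("Allow", "Any", "UDP123", "All DCs", "Time Protocol"),
    ("Allow", "Any", "TCP135", "All DCs", "RPC Endpoint mapper"),
    ("Allow", "Any", "TCP389", "All DCs", "LDAP - Directory Services"),
    ("Allow", "Any", "UDP389", "All DCs", "LDAP - Directory Services"),
    ("Allow", "Any", "TCP1025", "All DCs", "Domain RPC traffic"),
    ("Allow", "Any", "TCP1026", "All DCs", "Domain RPC traffic"),
    ("Allow", "Any", "TCP3268", "All DCs", "LDAP - Global Catalog"),
    ("Deny", "Any", "Any", "Any", "All Else Denied"),
]

def _port_matches(spec, proto, port):
    """'Any' matches everything; 'TCP443' matches protocol TCP and port 443."""
    if spec == "Any":
        return True
    return spec[:3] == proto and int(spec[3:]) == port

def evaluate(proto, src_port, dst_port, peer_ip):
    """Return (action, function) of the first rule matching a flow as seen from
    the OWA server; proto is 'TCP' or 'UDP', peer_ip is the other end of the flow."""
    for action, src_spec, dst_spec, group, function in RULES:
        members = HOST_GROUPS[group]
        if members is not None and peer_ip not in members:
            continue
        if _port_matches(src_spec, proto, src_port) and _port_matches(dst_spec, proto, dst_port):
            return action, function
    return "Deny", "no rule matched"  # unreachable while the final Deny row is present

if __name__ == "__main__":
    # Client SSL to OWA, and the SMB (TCP 445) flow to a DC that the poster chose not to allow.
    for flow in [("TCP", 51234, 443, "203.0.113.7"), ("TCP", 51234, 445, "192.0.2.20")]:
        print(flow, "->", evaluate(*flow))
```

Because Windows IPSec filters here are not stateful, the second row (source TCP443) is what lets the server's replies out; removing it silently breaks SSL even though the first row still matches inbound requests.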

