"Blanco, Juan" wrote:
>
> Folks,
>
> I need some help here. The problem is that according to
> Checkpoint, in order for my Exchange Server to pass through the FireWall-1
> I need to do the following:
>
> 1 Create a key called TCP/IP port on my Exchange for the
> Directory Services and Information Store, which I did, and use port 1960.
A couple of points:
I usually coach my clients to use port numbers between 50000-65000.
These are private port numbers (kind of like their private IP address
counterparts) and can be used without fear of conflict as these numbers
are not assigned. You also have to worry about NT grabbing a port for a
random upper port number before the service gets to start, as this will
trash the service. Using 1960 you are probably OK; it's more the 1024 -
1075 range you have to worry about.
I assume you mean the key:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MSExchangeDS\Parameters\TCP/IP port
did you also update the key:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MSExchangeIS\ParametersSystem\TCP/IP port
as well? You must use a different port number for each.
> 2 Do all the corresponding address translation on my firewall
> 3 create a service on FW1 as rpc-mapper that will use port 135
This gets to be a bit of a pain, as Win95 defaults to udp/135 while
all other Windows operating systems (NT 5 included) default to TCP/135.
There are some registry hacks you can do on the Win95 side to get it to
default to tcp. Check the MS Web site and do a search on "DCOM".
You also need to create a firewall policy that allows inbound traffic to
your Exchange server on port 135 plus the two ports you specified in the
registry.
> 4 When all the above is done I should be able to telnet ip 25
> (this works)
This is something completely different. Port 25 is used by the SMTP
connector. It has nothing to do with client connections.
> My questions are the following:
>
> HOW DO I KNOW THAT MY EXCHANGE SERVER IS REALLY USING PORT 1960.
Connect to it with an Exchange client. You should first see the client
make a connection on 135 and then attempt to connect via the port values
you specified in the reg keys.
> WHY I AM ABLE TO TELNET TO IP PORT 25 AND I CAN'T TELNET TO IP PORT 1960
You can Telnet to port 25 because the SMTP connector is running and
listening. You cannot Telnet to port 1960 because Exchange did not
first receive an RPC call telling it that a connection on that port
number is in progress.
> THE PORT THAT I CREATED ON MY EXCHANGE SERVER SHOULD BE THE SAME PORT
> FOR BOTH IS AND DS OR SHOULD IT BE DIFFERENT
As mentioned above, the ports must be different.
Happy hunting,
Chris
--
**************************************
[EMAIL PROTECTED]
* Multiprotocol Network Design & Troubleshooting
http://www.amazon.com/exec/obidos/ASIN/0782120822/geekspeaknet
* Mastering Network Security
http://www.amazon.com/exec/obidos/ASIN/0782123430/geekspeaknet
-
[To unsubscribe, send mail to [EMAIL PROTECTED] with
"unsubscribe firewalls" in the body of the message.]
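A way to check the server side of what Chris describes (the endpoint mapper on 135 plus the two static RPC ports actually listening, the DS and IS ports distinct and clear of the 1024-1075 range, and the matching inbound firewall rules), as an added example that is not part of the thread or any Microsoft or Checkpoint tooling. It parses the output of Windows `netstat -an`; the sample output below is constructed, the DS port 1960 comes from the thread, and the IS port 1961 and the host addresses are assumptions.

```python
import re

# Constructed sample of Windows `netstat -an` output (not captured from a real
# server). Port 1960 is the DS port from the thread; 1961 is an assumed IS port.
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:25             0.0.0.0:0              LISTENING
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:139            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:1960           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:1961           0.0.0.0:0              LISTENING
  TCP    10.1.1.5:139           10.1.1.20:1045         ESTABLISHED
  UDP    0.0.0.0:135            *:*
"""

# One netstat row: proto, local addr:port, foreign addr, optional state (UDP has none).
_ROW = re.compile(r"^\s*(TCP|UDP)\s+(\S+):(\d+)\s+(\S+)(?:\s+(\S+))?\s*$")


def parse_listeners(netstat_text):
    """Return the set of (proto, port) sockets that are accepting traffic."""
    listeners = set()
    for line in netstat_text.splitlines():
        m = _ROW.match(line)
        if not m:
            continue  # banner and header lines
        proto, _local, port, _foreign, state = m.groups()
        if proto == "TCP" and state != "LISTENING":
            continue  # ESTABLISHED / TIME_WAIT sockets are not listeners
        listeners.add((proto, int(port)))
    return listeners


def check_exchange_ports(listeners, ds_port, is_port):
    """Apply the rules from the thread; return a list of problems (empty = OK)."""
    problems = []
    if ds_port == is_port:
        problems.append("DS and IS must use different ports")
    for name, port in (("DS", ds_port), ("IS", is_port)):
        if 1024 <= port <= 1075:
            problems.append(
                f"{name} port {port} is in the 1024-1075 range NT may grab first")
        if ("TCP", port) not in listeners:
            problems.append(f"{name} port {port}/tcp is not listening")
    if ("TCP", 135) not in listeners:
        problems.append("RPC endpoint mapper 135/tcp is not listening")
    return problems


def required_inbound_rules(ds_port, is_port, win95_clients=False):
    """Inbound (proto, port) pairs the firewall must allow to the Exchange server."""
    rules = [("TCP", 135), ("TCP", ds_port), ("TCP", is_port)]
    if win95_clients:
        rules.append(("UDP", 135))  # Win95 defaults to udp/135 for the mapper
    return rules


if __name__ == "__main__":
    found = parse_listeners(SAMPLE_NETSTAT)
    for p in check_exchange_ports(found, 1960, 1961) or ["all expected listeners present"]:
        print(p)
    for proto, port in required_inbound_rules(1960, 1961, win95_clients=True):
        print(f"allow inbound {proto} {port} -> exchange")
```

On a live server, replace the constructed sample with the real `netstat -an` output taken after the Exchange services have started; the checks only confirm that the listeners exist, so the client-side test Chris describes (watch the client hit 135 and then the static ports) is still the end-to-end proof.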