Chris, Bernd,

> > > assume you mean if access to port 135 is blocked? If so then yes, you need
> > > to tickle port 135 to activate the dynamic ports.
> >
> > The question is why a professional product like fw1 does not support to
> > restrict the functions which are passed through its rpc proxy. I think the
> > specs are open enough to have a rpc-portmap proxy which only allows the
> > lookup of the exchange ports (or return fixed values).
>
> Actually version 4 of FW-1 does have support for Exchange and does
> pretty much what you describe, it watches the RPC traffic to figure out
> which upper port numbers will be used.

In my opinion it is not a good way to have portmapper "open" if you don't need dynamic server port assignment.

> In fact, this support could also be created for any version of Firewall-1
> using their Inspect script. It's just easier for most people to hack a few
> registry keys rather than learn a proprietary language. ;)

The best way is telling the client side to use the fixed server ports (without portmapper) - does anyone know a registry-hack for this?

> I think more to the point is why does Exchange (and NetMeeting and many
> other MS networking products for that matter) insist on using DCOM when
> it could work just as effectively using a couple of reserved port numbers.
> That way you could still implement a security policy even if you are only
> using static packet filters.

I gave up asking what is behind M$ programming - I just try to secure it (firewalls etc.)

Best regards
Rainer
