Why are you putting the exchange server there? You seem to want the pvt
users to access the exchange server in the dmz rather than putting it on the
pvt network and allow your external users to access via OWA/imap4/pop3?
-----Original Message-----
From: Vinod P. Thomas [mailto:[EMAIL PROTECTED]]
Sent: Monday, 10 July 2000 4:22 PM
To: [EMAIL PROTECTED]; [EMAIL PROTECTED];
[EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]
Subject: Re: [FW1] Firewall or NT
Hi,
Thanks a ton for the feedback.
Andrew, as per your suggestion I tried giving unrestricted access between
the PDC and the mail server, but for whatever reason, it still didn't work.
So we undid the entire policy and gave any-any access between the two
subnets, DMZ and private. Being critical, we couldn't take the chance of
restricting access again and possibly jeopardising functionality. So, we've
left the any-any policy b/w DMZ and private; I've got sync'ing happening
fine but this leaves my network wide open. Added info: my firewall is the
sole member of a workgroup; it's not part of my NT domain.
This is my requirement:
Mail (Exchange 5.5) and application server sitting in the DMZ. Users from the
pvt. n/w need total mail access, thru client s/w (Microsoft Outlook, Outlook
Express and Netscape Messenger) or Outlook Web Access. Also, they are to be
given web access and probably chat. External users should be able to access
the mail server.
How do I limit user access while keeping all the necessary openings for
proper NT functionality?
Also, I'm using Trend Micro Virus wall installed on the firewall machine. I
know that commn. b/w the a/v and the firewall happens using CVP, but what
does my policy need to look like?
Awaiting your suggestions.
Thanks and regards.
Vinod.
"Greenawalt, Andrew" wrote:
You're going to have to enable RPC, and some netbios stuff between the two.
The easiest way to handle this is to give the PDC any-any access to the
exchange box. The key factor is that the NT Domain does not use the
protocols that you have listed for its synching. How are you getting client
traffic to the Exchange box, IMAP, POP3 or native exchange? These may be
working on the basis of a liberal outbound policy? Is your firewall on the
domain? If it is, it shouldn't be; it's a potential security risk. As a
test, allow all traffic between these two nodes, and work backwards.
Good luck, and remember the firewall is your friend,
Andy
Andrew Greenawalt
Cybergnostic.net
CTO
"Vinod P. Thomas" wrote:
Hi,
This is an overview of the network we're working on:
Network    IP Addresses          NAT on FW
Private    pvt. 172.16.X.x /21   hidden behind 1 public IP
DMZ        pvt. 172.16.Y.x /21   static to a public IP
The whole network is in the same NT domain. The mail server is in the DMZ,
running Exchange 5.5 SP3 on WinNT 4.0. We just moved the mail server from the
private network to the DMZ.
The problem is, we don't find database sync'ing happening between the mail
server (NT BDC) and the PDC which is in the private network. Otherwise, the
mail server is functioning normally wrt sending and receiving mails. This
sync'ing is essential, else a user changing his password will have
authentication problems the next time he tries logging onto the mail server,
as Exchange uses NT for authentication.
As far as FW policy goes, between the pvt n/w and the DMZ, the following
services have been enabled:
http, https, smtp, pop3.
Does this problem have anything to do with the FW or is this an NT-related
problem? Whichever, could you help me out here?
Thanks and regards.
Vinod.
--
Vinod P Thomas
Network Support Engineer
Euclid Network Solutions, Inc.
1/36, Hanumanthappa Layout
Ulsoor Road, Bangalore-560042
Tel : 91-80-5580141/2/3/4
Fax : 91-80-5580145
Website : www.euclidnet.com
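The two rulebase shapes discussed in this thread, as an added example that is not code from any of the posters: a small first-match rulebase simulator that checks whether the PDC/BDC sync flows Andrew mentions still pass once the subnet-wide any-any rule Vinod fell back to is replaced by host-pair rules, and that flags subnet-wide any-any rules. The addresses, the host placement and the port list for NT4 replication (NetBIOS 137/138/139 plus RPC 135 and its dynamic ports) are assumptions for the example, not values from the thread.

```python
import ipaddress

# Constructed stand-ins for the thread's 172.16.X.x/21 and 172.16.Y.x/21 subnets
# and for the PDC and Exchange/BDC hosts; none of these values come from the posts.
PRIVATE = ipaddress.ip_network("172.16.0.0/21")
DMZ = ipaddress.ip_network("172.16.8.0/21")
PDC = ipaddress.ip_network("172.16.0.10/32")
EXCHANGE = ipaddress.ip_network("172.16.8.25/32")
ANY = "any"

# A rule is (source, destination, service, action). First match wins and any
# unmatched flow is dropped, FW-1 style. A service is a (proto, port) tuple.
def _match(spec, value):
    if spec == ANY:
        return True
    if isinstance(spec, ipaddress.IPv4Network):
        return value in spec
    return spec == value

def evaluate(rulebase, src, dst, service):
    """Return (action, rule_index) for one flow, ('drop', None) if nothing matches."""
    for i, (s, d, svc, action) in enumerate(rulebase):
        if _match(s, src) and _match(d, dst) and _match(svc, service):
            return action, i
    return "drop", None

def subnet_wide_any(rulebase):
    """Indexes of accept rules that open every service between two whole subnets."""
    return [i for i, (s, d, svc, action) in enumerate(rulebase)
            if action == "accept" and svc == ANY
            and isinstance(s, ipaddress.IPv4Network) and s.prefixlen < 32
            and isinstance(d, ipaddress.IPv4Network) and d.prefixlen < 32]

# What the thread ended up with: any service, either direction, subnet to subnet.
WIDE_OPEN = [(PRIVATE, DMZ, ANY, "accept"), (DMZ, PRIVATE, ANY, "accept")]

# The narrower shape suggested in the thread: only the PDC/BDC host pair is
# unrestricted (RPC's endpoint mapper hands out dynamic ports, so a fixed port
# list is impractical); the rest of the private subnet gets mail/web only.
LEAST_PRIVILEGE = [
    (PDC, EXCHANGE, ANY, "accept"), (EXCHANGE, PDC, ANY, "accept"),
    (PRIVATE, DMZ, ("tcp", 80), "accept"), (PRIVATE, DMZ, ("tcp", 443), "accept"),
    (PRIVATE, DMZ, ("tcp", 25), "accept"), (PRIVATE, DMZ, ("tcp", 110), "accept"),
]

def check(rulebase):
    """True when PDC/BDC sync flows pass but a workstation cannot reach the DMZ
    on an unrelated port (constructed tcp/23 probe)."""
    pdc, bdc = PDC.network_address, EXCHANGE.network_address
    ws = ipaddress.ip_address("172.16.0.50")  # constructed workstation in PRIVATE
    ok = all(evaluate(rulebase, pdc, bdc, ("tcp", p))[0] == "accept" for p in (135, 139))
    ok &= all(evaluate(rulebase, bdc, pdc, ("udp", p))[0] == "accept" for p in (137, 138))
    return ok and evaluate(rulebase, ws, DMZ.network_address + 1, ("tcp", 23))[0] == "drop"
```

Run `check()` together with `subnet_wide_any()` against a rulebase: the first confirms the domain still syncs, the second reports the rules that leave the subnets wide open.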