Re: OWA front end and Cisco PIX
From: Todd Seagraves (nospam_todd.seagraves_at_gbe.com)
Date: 09/09/04
- Next message: nrod -bud: "Archiving Individual Exchange Mailboxes"
- Previous message: Chad P.: "RE: email stack on Message submitted to categorizer on Exchange 2000"
- In reply to: Jonathan: "Re: OWA front end and Cisco PIX"
- Messages sorted by: [ date ] [ thread ]
Date: Thu, 09 Sep 2004 14:29:37 GMT
He shouldn't have to open any ports from the FE to the BE. He said the FE
and BE were on the same LAN (not in the DMZ). So the FE will be able to
talk to the BE and DC with no problems. From the internal interface of the
DMZ to the FE you would need port 25 for SMTP and 443 for SSL HTTP (80 if
you aren't using SSL, not recommended).

He would have to open all of those ports if the FE were in the DMZ, which is
precisely the reason why NOT to put the FE in the DMZ. It turns your DMZ
into Swiss cheese. That is 9 ports open vs. 2 ports...your call. Your
first call to MS PSS will probably end with this same recommendation.

Todd

"Jonathan" <anonymous@discussions.microsoft.com> wrote in message
news:097a01c4966f$928ac240$a401280a@phx.gbl...
> You have to set the authentication on your Back-end's
> IIS to basic & integrated authentication.
>
> You have to unlock the ports from your front to back:
> 80 tcp
> pop3 tcp If you want
> 25 tcp
> 691 tcp
>
> Front to Domain controller & catalog server
> 389 UDP/TCP
> 3268 TCP
> 88 TCP/UDP
> 135 TCP
> and I don't remember the number, but the name in my PIX is
> domain tcp/udp
>>-----Original Message-----
>>What do you see in the browser? Anything? Are you
> prompted for a login?
>>Check your DNS record, it should be pointing to your PIX
> box. The PIX should
>>have an ACL directing traffic for https://yoururl.com to
> your FE server.
>>Are you able to get anything from a workstation on the
> network using the
>>server name in the url?
>>
>>Todd
>>
>>"Eric" <anonymous@discussions.microsoft.com> wrote in
> message
>>news:08dd01c494e2$68f03930$a401280a@phx.gbl...
>>>I have a front end Exchange server (using it for OWA)
> and
>>> 2 back end clustered servers. All of these are on the
>>> same LAN (FE is not on a DMZ). I am having trouble
>>> getting OWA to work thru a Cisco PIX. I am using SSL
>>> (port 443). The mapping is set correctly on the PIX,
> but
>>> I still cannot connect. Do any other ports need to
> be
>>> open on the PIX? I thought it was just 443.
>>>
>>>
>>> Thanks
>>
>>
>>.
>>
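
The "9 ports vs. 2 ports" comparison in this thread, worked through as an added example that is not part of the original posts: a small Python audit that parses PIX-style `access-list` permit lines and lists the ports each design opens toward the protected hosts. The ACL names and all IP addresses are constructed for illustration; the port lists are the ones quoted in the thread.

```python
import re

# Cisco port literals that appear in the constructed sample lines.
PORT_NAMES = {"smtp": 25, "domain": 53, "www": 80, "pop3": 110,
              "ldap": 389, "https": 443}

RULE = re.compile(
    r"^access-list\s+\S+\s+permit\s+(tcp|udp)\s+"
    r"(?:any|host\s+\S+)\s+host\s+(\S+)\s+eq\s+(\S+)$")

def openings(acl_text):
    """Return {destination host: set of (protocol, port)} for permit rules."""
    result = {}
    for line in acl_text.splitlines():
        m = RULE.match(line.strip())
        if not m:
            continue  # blank lines and rule forms this sketch does not parse
        proto, dst, port = m.groups()
        number = PORT_NAMES.get(port, int(port) if port.isdigit() else None)
        if number is not None:
            result.setdefault(dst, set()).add((proto, number))
    return result

def distinct_ports(acl_text):
    """Port numbers the firewall passes toward the protected side."""
    return sorted({p for pairs in openings(acl_text).values() for _, p in pairs})

# Constructed sample: FE on the inside LAN, published through the firewall.
FE_INSIDE = """
access-list outside_in permit tcp any host 192.0.2.10 eq https
access-list outside_in permit tcp any host 192.0.2.10 eq smtp
"""

# Constructed sample: FE in the DMZ, using the port list quoted in the thread.
FE_IN_DMZ = """
access-list dmz_in permit tcp host 172.16.1.10 host 10.0.0.20 eq www
access-list dmz_in permit tcp host 172.16.1.10 host 10.0.0.20 eq pop3
access-list dmz_in permit tcp host 172.16.1.10 host 10.0.0.20 eq smtp
access-list dmz_in permit tcp host 172.16.1.10 host 10.0.0.20 eq 691
access-list dmz_in permit tcp host 172.16.1.10 host 10.0.0.5 eq ldap
access-list dmz_in permit udp host 172.16.1.10 host 10.0.0.5 eq 389
access-list dmz_in permit tcp host 172.16.1.10 host 10.0.0.5 eq 3268
access-list dmz_in permit tcp host 172.16.1.10 host 10.0.0.5 eq 88
access-list dmz_in permit udp host 172.16.1.10 host 10.0.0.5 eq 88
access-list dmz_in permit tcp host 172.16.1.10 host 10.0.0.5 eq 135
access-list dmz_in permit tcp host 172.16.1.10 host 10.0.0.5 eq domain
access-list dmz_in permit udp host 172.16.1.10 host 10.0.0.5 eq domain
"""

if __name__ == "__main__":
    for name, acl in (("FE inside", FE_INSIDE), ("FE in DMZ", FE_IN_DMZ)):
        print(name, distinct_ports(acl), openings(acl))
```

Run against an exported ACL, any port that shows up outside the expected list for the chosen design is a rule to review.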