Re: Firewall issue? Can nobody help me?

From: Ray (reply_in_at_newsgroup.only)
Date: 05/25/04


Date: Tue, 25 May 2004 09:42:44 -0400

I know you've heard of Code Red II and others. :-)

Is it better to get a remote command prompt on a server on a DMZ that can
only access certain internal boxes over certain ports and protocols
(assuming you have an intelligent firewall that enforces the traffic on the
port and not just a port filter)?

or

Is it better to get a remote command prompt on a server on the LAN that has
unrestricted access to every other LAN device and the LAN authentication
traffic?

My vote is for the former if I'm a sysadmin and the latter if I'm a hacker.

Open ports are not "holes" that let just anything through, unless you use a
firewall that doesn't understand and enforce what should be running on a
given port, like a PIX.

Ray

"Lanwench [MVP - Exchange]"
<lanwench@heybuddy.donotsendme.unsolicitedmail.atyahoo.com> wrote in message
news:%23po1s66PEHA.3944@tk2msftngp13.phx.gbl...
> Ray wrote:
> > Well, you don't open things up to the LAN, you open only what is
> > necessary and only to those hosts.
>
> As opposed to opening up only minimal ports to the FE server in the LAN
> (443 or 80)?
>
> >
> >> By virtue of opening up all the necessary ports for communication
> >> between FE/BE servers from DMZ to LAN & back again, you're really no
> >> better off here.
> >>
> >>> I personally could care less for the DMZ and the ports necessary for
> >>> this to work.
> >>
> >> Don't you mean you *couldn't* care less? :-)
> >>>
> >>> "Lanwench [MVP - Exchange]"
> >>> <lanwench@heybuddy.donotsendme.unsolicitedmail.atyahoo.com> wrote in
> >>> message news:%23DWowDpPEHA.1644@TK2MSFTNGP09.phx.gbl...
> >>>> john doe wrote:
> >>>>> Typically yes, the front end server should be in a DMZ.
> >>>>
> >>>> I respectfully disagree - you have to open up so much between DMZ
> >>>> and LAN that it effectively renders the DMZ useless. I put FE
> >>>> servers behind the firewall, lock them down tightly, open up port
> >>>> 443 to that internal IP only for OWA...
> >>>>
> >>>>> It would tell
> >>>>> you right off the bat if it was your server or the network
> >>>>> connectivity.
> >>>>>
> >>>>> "Jim Rodgers" <jim.rodgers@bataviatrans.com> wrote
> >>>>> in message news:fc1501c43e85$0cc90690$a301280a@phx.gbl...
> >>>>>> No, I have not taken the server out of the DMZ to see if
> >>>>>> that would solve the problem; I was under the
> >>>>>> understanding that this setup is the right way to go;
> >>>>>> should the front end server be in the DMZ or not?
> >>>>>> What way is right?
> >>>>>>
> >>>>>>
> >>>>>>
> >>>>>>> -----Original Message-----
> >>>>>>> Have you tried removing the server from the DMZ to see if
> >>>>>>> that solves the problem?
> >>>>>>> "Jim Rodgers" <jim.rodgers@bataviatrans.com> wrote in
> >>>>>>> message news:fa8e01c43e5c$b6578980$a001280a@phx.gbl...
> >>>>>>>> OK - I've asked this question before and nobody ever
> >>>>>>>> seems to respond, so I'll try once again.
> >>>>>>>>
> >>>>>>>> Here's my layout:
> >>>>>>>> W2K3 Domain <two domain controllers> <approx 1200 users>
> >>>>>>>> EX2K3 Backend server hosting approx. 800 mailboxes
> >>>>>>>> EX2K3 Front End server in DMZ
> >>>>>>>>
> >>>>>>>> It seems that all works flawlessly for several hours,
> >>>>>>>> then for who knows what reason, the Front End
> >>>>>>>> server's "Messages awaiting directory lookup" queue
> >>>>>>>> goes into "retry" state and then a couple dozen
> >>>>>>>> messages queue up in the
> >>>>>>>> C:\ProgFiles\Exchsrvr\Mailroot\vsi 1\Queue folder.
> >>>>>>>> It seems that this inability to communicate causes
> >>>>>>>> messages to queue up for a few minutes (10-15?) but any
> >>>>>>>> new messages coming in or out will go right on through.
> >>>>>>>> When that queue reaches its retry time, those messages
> >>>>>>>> waiting in the queue go on out as they should.
> >>>>>>>> If that were as severe as it ever gets, I guess I could
> >>>>>>>> live with it, but it seems as though sometimes (every
> >>>>>>>> second or third time or so) it gets even worse where the
> >>>>>>>> System Manager won't even load and then things are just
> >>>>>>>> totally dead until I stop all the Exchange services and
> >>>>>>>> then restart them. After that, things work fine again
> >>>>>>>> for a while (few hours) then I can expect it to happen
> >>>>>>>> again.
> >>>>>>>>
> >>>>>>>> If anybody can give me ANY clues on what I can check or
> >>>>>>>> modify, I can't tell you how much I would appreciate it.
> >>>>>>>>
> >>>>>>>> Thanks in advance.
> >>>>>>>> Jim Rodgers
> >>>>>>>> jim.rodgers@bataviatrans.com
> >>>>>>>>
> >>>>>>>
> >>>>>>>
>
>
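Ray's comparison above (a compromised DMZ host that can reach only a few internal hosts on specific, protocol-enforced ports, versus a compromised LAN host with unrestricted reach) can be checked as a simple reachability exercise. The following is an added example, not code from the thread or from any product mentioned in it. Host names, ports, rules and the "flows a compromised host might attempt" are constructed sample data; a rule with `proto` set models Ray's "intelligent" firewall that enforces the application protocol on a port, while `proto=None` models a plain port filter that lets anything through on that port.

```python
"""Added example (not part of the newsgroup thread): compare how far a
compromised host could reach under three firewall policies.

All hosts, ports, rules and attempted flows are constructed sample data.
"""
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple


@dataclass(frozen=True)
class Rule:
    src: str                    # source host or "*" for any
    dst: str                    # destination host or "*" for any
    port: Optional[int]         # TCP port, None = any port
    proto: Optional[str] = None # application protocol enforced on the port;
                                # None = pure port filter (any payload passes)


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    port: int
    proto: str  # what the traffic on that port actually carries


def permits(rules: List[Rule], flow: Flow) -> bool:
    """True if any rule allows the flow. An 'intelligent' rule (proto set)
    only passes traffic that really carries that protocol; a port-filter
    rule passes any payload on the permitted port."""
    for r in rules:
        if r.src not in (flow.src, "*") or r.dst not in (flow.dst, "*"):
            continue
        if r.port is not None and r.port != flow.port:
            continue
        if r.proto is None or r.proto == flow.proto:
            return True
    return False


def attempted_flows(src: str) -> List[Flow]:
    """Constructed sample of flows a compromised `src` might try: the
    legitimate FE->BE and FE->DC traffic, a non-HTTPS payload carried over
    the open 443 port, and lateral movement to other internal services."""
    return [
        Flow(src, "be-exchange", 443, "https"),
        Flow(src, "be-exchange", 443, "other"),  # anything that is not HTTPS
        Flow(src, "dc1", 389, "ldap"),
        Flow(src, "dc1", 445, "smb"),
        Flow(src, "fileserver", 445, "smb"),
        Flow(src, "fileserver", 3389, "rdp"),
    ]


def blast_radius(src: str, rules: List[Rule]) -> Set[Tuple[str, int, str]]:
    """Return the (host, port, protocol) triples `src` can actually reach."""
    return {(f.dst, f.port, f.proto)
            for f in attempted_flows(src) if permits(rules, f)}


# Constructed policies (hypothetical host names).
# 1. DMZ front end, "only what is necessary and only to those hosts",
#    with the firewall enforcing the protocol on each port.
DMZ_INTELLIGENT = [
    Rule("fe-dmz", "be-exchange", 443, "https"),
    Rule("fe-dmz", "dc1", 389, "ldap"),
]
# 2. Same DMZ rules, but a plain port filter: nothing checks what runs on 443.
DMZ_PORT_FILTER = [
    Rule("fe-dmz", "be-exchange", 443),
    Rule("fe-dmz", "dc1", 389),
]
# 3. A host on the LAN with unrestricted access to every other LAN device.
LAN_UNRESTRICTED = [Rule("*", "*", None)]


def compare() -> dict:
    """Number of reachable (host, port, protocol) targets under each policy."""
    return {
        "dmz-intelligent": len(blast_radius("fe-dmz", DMZ_INTELLIGENT)),
        "dmz-port-filter": len(blast_radius("fe-dmz", DMZ_PORT_FILTER)),
        "lan-unrestricted": len(blast_radius("lan-host", LAN_UNRESTRICTED)),
    }


if __name__ == "__main__":
    for name, count in compare().items():
        print(f"{name:17s} reachable targets: {count}")
```

Running it shows the ordering Ray argues for: the protocol-enforcing DMZ policy lets the compromised front end reach only its two sanctioned services, the pure port filter additionally passes a non-HTTPS payload over the open 443 port (the "open port as hole" case), and the unrestricted LAN host reaches everything it tries. The same check can be extended to a real rule base by replacing the constructed rules with exported ones.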


