Re: Firewall issue? Can nobody help me?


From: john doe (nomail_at_nomail.com)
Date: 05/28/04


Date: Fri, 28 May 2004 09:20:21 -0400

Exactly.

"Ray" <reply_in@newsgroup.only> wrote in message
news:uFjbf2lQEHA.3476@tk2msftngp13.phx.gbl...
> I know you've heard of Code Red II and others. :-)
>
> Is it better to get a remote command prompt on a server on a DMZ that can
> only access certain internal boxes over certain ports and protocols
> (assuming you have an intelligent firewall that enforces the traffic on the
> port and not just a port filter)?
>
> or
>
> Is it better to get a remote command prompt on a server on the LAN that has
> unrestricted access to every other LAN device and the LAN authentication
> traffic?
>
> My vote is for the former if I'm a sysadmin and the latter if I'm a hacker.
>
> Open ports are not "holes" that let just anything through, unless you use a
> firewall that doesn't understand and enforce what should be running on a
> given port, like a PIX.
>
> Ray
>
> "Lanwench [MVP - Exchange]"
> <lanwench@heybuddy.donotsendme.unsolicitedmail.atyahoo.com> wrote in message
> news:%23po1s66PEHA.3944@tk2msftngp13.phx.gbl...
> > Ray wrote:
> > > Well, you don't open things up to the LAN, you open only what is
> > > necessary and only to those hosts.
> >
> > As opposed to opening up only minimal ports to the FE server in the LAN
> > (443 or 80)?
> >
> > >
> > >> By virtue of opening up all the necessary ports for communication
> > >> between FE/BE servers from DMZ to LAN & back again, you're really no
> > >> better off here.
> > >>
> > >>> I personally could care less for the DMZ and the ports necessary for
> > >>> this to work.
> > >>
> > >> Don't you mean you *couldn't* care less? :-)
> > >>>
> > >>> "Lanwench [MVP - Exchange]"
> > >>> <lanwench@heybuddy.donotsendme.unsolicitedmail.atyahoo.com> wrote in
> > >>> message news:%23DWowDpPEHA.1644@TK2MSFTNGP09.phx.gbl...
> > >>>> john doe wrote:
> > >>>>> Typically yes, the front end server should be in a DMZ.
> > >>>>
> > >>>> I respectfully disagree - you have to open up so much between DMZ
> > >>>> and LAN that it effectively renders the DMZ useless. I put FE
> > >>>> servers behind the firewall, lock them down tightly, open up port
> > >>>> 443 to that internal IP only for OWA...
> > >>>>
> > >>>>> It would tell
> > >>>>> you right off the bat if it was your server or the network
> > >>>>> connectivity. "Jim Rodgers" <jim.rodgers@bataviatrans.com> wrote
> > >>>>> in message news:fc1501c43e85$0cc90690$a301280a@phx.gbl...
> > >>>>>> No, I have not taken the server out of the DMZ to see if
> > >>>>>> that would solve the problem; I was under the
> > >>>>>> understanding that this setup is the right way to go;
> > >>>>>> should the front end server be in the DMZ or not?
> > >>>>>> What way is right?
> > >>>>>>
> > >>>>>>
> > >>>>>>
> > >>>>>>> -----Original Message-----
> > >>>>>>> Have you tried removing the server from the DMZ to see if
> > >>>>>>> that solves the problem?
> > >>>>>>> "Jim Rodgers" <jim.rodgers@bataviatrans.com> wrote in message
> > >>>>>>> news:fa8e01c43e5c$b6578980$a001280a@phx.gbl...
> > >>>>>>>> OK - I've asked this question before and nobody ever seems
> > >>>>>>>> to respond, so I'll try once again.
> > >>>>>>>>
> > >>>>>>>> Here's my layout:
> > >>>>>>>> W2K3 Domain <two domain controllers> <approx 1200 users>
> > >>>>>>>> EX2K3 Backend server hosting approx. 800 mailboxes
> > >>>>>>>> EX2K3 Front End server in DMZ
> > >>>>>>>>
> > >>>>>>>> It seems that all works flawlessly for several hours, then
> > >>>>>>>> for who knows what reason, the Front End server's "Messages
> > >>>>>>>> awaiting directory lookup" queue goes into "retry" state
> > >>>>>>>> and then a couple dozen messages queue up in the
> > >>>>>>>> C:\ProgFiles\Exchsrvr\Mailroot\vsi 1\Queue folder.
> > >>>>>>>> It seems that this inability to communicate causes
> > >>>>>>>> messages to queue up for a few minutes (10-15?) but any
> > >>>>>>>> new messages coming in or out will go right on thru.
> > >>>>>>>> When that queue reaches its retry time, those messages
> > >>>>>>>> waiting in the queue go on out as they should.
> > >>>>>>>> If that were as severe as it ever gets, I guess I could
> > >>>>>>>> live with it, but it seems as though sometimes (every
> > >>>>>>>> second or third time or so) it gets even worse where the
> > >>>>>>>> System Manager won't even load and then things are just
> > >>>>>>>> totally dead until I stop all the Exchange services and
> > >>>>>>>> then restart them. After that, things work fine again for
> > >>>>>>>> a while (few hours) then I can expect it to happen again.
> > >>>>>>>>
> > >>>>>>>> If anybody can give me ANY clues on what I can check or
> > >>>>>>>> modify, I can't tell you how much I would appreciate it.
> > >>>>>>>>
> > >>>>>>>> Thanks in advance.
> > >>>>>>>> Jim Rodgers
> > >>>>>>>> jim.rodgers@bataviatrans.com
> > >>>>>>>>
> > >>>>>>>
> > >>>>>>>
> >
> >
>
>
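A reachability probe to run on the front-end itself, added here as an example and not code from anyone in the thread: it checks the DMZ-to-LAN paths an Exchange 2003 front-end depends on (HTTP to the back-end, LDAP and Global Catalog on a domain controller, DNS) and collapses a timeline of results into outage windows, so the intermittent "retry" state Jim describes can be lined up against what the firewall was actually passing at that moment. The hostnames and the port list are assumptions, not values from the thread.

```python
import socket

# Constructed targets, not from the thread: the LAN services an Exchange 2003
# front-end in a DMZ must reach. Replace the hostnames with your own.
TARGETS = [
    ("be-server.example.local", 80),   # FE -> BE HTTP (OWA/OMA proxying)
    ("dc1.example.local", 389),        # LDAP to a domain controller
    ("dc1.example.local", 3268),       # Global Catalog (directory lookups)
    ("dc1.example.local", 53),         # DNS
]

def real_connect(host, port, timeout):
    """Open and immediately close a TCP connection; raises OSError on failure."""
    with socket.create_connection((host, port), timeout=timeout):
        pass

def probe(targets, connect=real_connect, timeout=3.0):
    """One pass over targets -> {(host, port): (ok, reason)}.
    `connect` is injectable so the logic can be exercised without a network."""
    results = {}
    for host, port in targets:
        try:
            connect(host, port, timeout)
            results[(host, port)] = (True, "open")
        except (socket.timeout, TimeoutError):
            # A silent drop is the classic stateful-firewall symptom.
            results[(host, port)] = (False, "timeout (filtered or host down)")
        except OSError as exc:
            # Refused / unreachable / name lookup failure: host or DNS side.
            results[(host, port)] = (False, "error: %s" % exc)
    return results

def outage_windows(samples):
    """Collapse (timestamp, all_ok) samples into [(down_since, up_again), ...];
    up_again is None if the last sample was still failing."""
    windows, start = [], None
    for ts, ok in samples:
        if not ok and start is None:
            start = ts
        elif ok and start is not None:
            windows.append((start, ts))
            start = None
    if start is not None:
        windows.append((start, None))
    return windows

# Usage: call probe(TARGETS) once a minute, append (datetime.now(), all
# values ok) to a list, and feed that list to outage_windows() afterwards.
```

A timeout on 389 or 3268 while 80 stays open points at the firewall's handling of the directory traffic rather than at the Exchange services, which is what the "messages awaiting directory lookup" queue reflects.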


