Re: Using SBS 2003 for all remote access.

anonymous_at_discussions.microsoft.com
Date: 06/29/04


Date: Tue, 29 Jun 2004 15:40:22 -0700

Makes perfect sense. Yes, of course only the ports needed
for the services we need access to on the web side would
be open, and I assume the built-in firewall will handle
that. BTW, I plan on using Terminal Services for any admin
on the server itself, as it will be in a cabinet in a
co-lo facility. Will I have to make sure this is allowed in
the firewall config, or will the wizard handle this for me
when I set up remote access?

Thanks David.

Bill

>-----Original Message-----
>> So above the built in firewall I should have another
>> piece of hardware between the SBS machine and the
>> internet? If I am allowing access to any ports open on
>> the web side of the SBS machine via the firewall anyway
>> how does it help?
>>
>> Bill
>
>If the SBS machine has 2 NICs, one connected to your internal switch that
>gets blackholed, or to create an internal network, SBS itself can configure
>a firewall, and you can then only allow the ports you need to be opened.
>If the SBS machine has 1 NIC, SBS itself cannot configure the built-in
>firewall, and you would definitely need another piece of hardware.
>You would not want to allow all ports from the Internet to the SBS machine,
>that's the security risk I'm talking about. You would only want the ports
>needed for what your users need, such as for VPN, the web server, Outlook
>over the Internet, etc.
>
>Adding another hardware firewall is an additional layer of defense, but is
>not required if you let SBS configure the built-in firewall.
>
>Does that make sense?
>
>David Jones
>SBS Product Team
>--
>This posting is provided "AS IS" with no warranties, and confers no rights.
>
>
><anonymous@discussions.microsoft.com> wrote in message
>news:233ba01c45e25$4f592660$a501280a@phx.gbl...
>>
>>
>> >-----Original Message-----
>> >> I do not understand why have the second NIC connect to a
>> >> hub? Would I be configuring that NIC to be the "local
>> >> network" and therefore all domain controller type
>> >> functions will use that NIC? The server already has two
>> >> NICs and I have a managed switch in the cabinet. So I can
>> >> just connect that second NIC to a port in the switch and
>> >> just block all outside access to that port. All of the
>> >> other machines in the cabinet are Server 2003 Web edition
>> >> to be used for serving out our networked applications and
>> >> web content we offer. They all have dual NICs so I
>> >> suppose I could configure the second NICs on all machines
>> >> to be on an internal network and use some of the
>> >> functionality of the SBS machine for something. What I
>> >> don't know at this time, possibly for setting up network
>> >> shares of the drives for accessing them via the VPN on the
>> >> SBS machine.
>> >
>> >
>> >Blocking all outside access to that port in the switch would work as well.
>> >Yes, basically, it would be to configure an "internal network", so the
>> >domain controller functionality listens on that NIC, and SBS configures its
>> >own firewall to block access from external/Internet sources to those ports.
>> >Configuring the second NICs on all the other machines is an option too, if
>> >you wanted any of the functionality gained from that. Up to you really.
>> >The key thing with SBS is to just make sure there's an active firewall up
>> >between it and the main Internet.
>> >
>> >David Jones
>> >SBS Product Team
>> >
>> >--
>> >This posting is provided "AS IS" with no warranties, and confers no rights.
>> >
>> >
>> ><anonymous@discussions.microsoft.com> wrote in message
>> >news:231e501c45e13$e5786a00$a401280a@phx.gbl...
>> >>
>> >> >-----Original Message-----
>> >> >"Bill" <anonymous@discussions.microsoft.com> wrote in message
>> >> >news:2309d01c45e03$cd44fda0$a401280a@phx.gbl...
>> >> >> Are there any issues with using SBS 2003 Standard for
>> >> >> remote access ONLY. All of our employees work remotely
>> >> >> with broadband connections and right now we use a POP
>> >> >> server for mail, a web based calendar with way too many
>> >> >> logins for scheduling, FTP for document transfer and AIM
>> >> >> for instant messaging. I would like to replace all of
>> >> >> those methods with SBS. I plan on setting up an SBS
>> >> >> server in a co-location facility and have everyone access
>> >> >> it via VPN. Are there any issues with this?
>> >> >
>> >> >Hi Bill,
>> >> >
>> >> >In addition to what others have said, it is extremely important in this
>> >> >scenario for you to have a properly configured and maintained firewall
>> >> >between the server and the Internet. Because SBS must be a domain
>> >> >controller, and the baggage that comes with that, it must have certain ports
>> >> >listening. Without a firewall, you risk exposing a domain controller
>> >> >directly to the Internet, which is a major security risk.
>> >> >This (the firewall) can be accomplished with a hardware device, or by using
>> >> >2 NICs in the server and putting the unused NIC on a dummy hub. There are
>> >> >additional ways to configure a firewall on the server while using only 1
>> >> >NIC, but SBS will not configure it as such.
>> >> >
>> >> >David Jones
>> >> >SBS Product Team
>> >> >
>> >>
>> >>
>> >> Thanks for all the help guys!
>> >>
>> >> Bill
>> >
>> >
>> >.
>> >
>
>
>.
>
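
Added example, not part of the original posts and not Microsoft tooling: a Python check that reads Windows `netstat -an` output from a dual-NIC server and lists the listeners reachable through the external NIC that are not on the allowlist of services named in the thread. The IP addresses, the sample netstat text and the port-to-service mapping (standard port numbers) are assumptions constructed for illustration.

```python
# Well-known domain controller ports (standard assignments).
DC_PORTS = {53: "DNS", 88: "Kerberos", 135: "RPC endpoint mapper",
            139: "NetBIOS session", 389: "LDAP", 445: "SMB",
            3268: "Global Catalog"}

# Services named in the thread, mapped to their usual ports (assumption).
# PPTP also needs GRE (IP protocol 47), which netstat does not show.
ALLOWED = {("TCP", 443): "web server / Outlook over the Internet",
           ("TCP", 1723): "PPTP VPN control channel",
           ("TCP", 3389): "Terminal Services"}

EXTERNAL_IP = "203.0.113.10"  # constructed, documentation address range

# Constructed sample of `netstat -an` output; 192.168.16.2 is the internal NIC.
SAMPLE_NETSTAT = """\
  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:88             0.0.0.0:0              LISTENING
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:443            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:1723           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:3389           0.0.0.0:0              LISTENING
  TCP    192.168.16.2:139       0.0.0.0:0              LISTENING
  TCP    203.0.113.10:139       0.0.0.0:0              LISTENING
  TCP    203.0.113.10:1055      198.51.100.7:443       ESTABLISHED
  UDP    192.168.16.2:53        *:*
  UDP    0.0.0.0:445            *:*
"""

def must_block(netstat_text, external_ip, allowed):
    """Return sorted (proto, port, label) tuples for listeners bound to the
    external NIC (or all interfaces) that are not on the allowlist."""
    findings = set()
    for line in netstat_text.splitlines():
        fields = line.split()
        if len(fields) < 3 or fields[0] not in ("TCP", "UDP"):
            continue  # header or blank line
        proto, local = fields[0], fields[1]
        # TCP rows must be LISTENING; UDP rows carry no state column.
        if proto == "TCP" and fields[-1] != "LISTENING":
            continue
        addr, _, port = local.rpartition(":")
        if addr not in ("0.0.0.0", external_ip):
            continue  # bound to the internal NIC only
        key = (proto, int(port))
        if key not in allowed:
            findings.add(key + (DC_PORTS.get(key[1], "unlisted service"),))
    return sorted(findings)

if __name__ == "__main__":
    for proto, port, label in must_block(SAMPLE_NETSTAT, EXTERNAL_IP, ALLOWED):
        print(f"firewall must block from Internet: {proto}/{port} ({label})")
```

A listener in this list is not necessarily reachable; it is what the firewall between the server and the Internet has to drop, so the result is best compared against a scan run from outside.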


