Re: SBS Prem on dual homed system HELP
From: Matt Gibson (mattg_at_blueedgetech.ca)
Date: 02/09/05
- Next message: Matt Gibson: "Re: No internet on Clients"
- Previous message: Marina Roos [SBS-MVP]: "Re: WARNING!!! Newly released patches crshed my SBS2003"
- In reply to: chris landman: "Re: SBS Prem on dual homed system HELP"
- Messages sorted by: [ date ] [ thread ]
Date: Tue, 8 Feb 2005 23:08:37 -0800
Chris,
Glad to hear you got it working! PIXes can be a pain, but they're quite
nice once you get them up and running.
If your ISP is forwarding secure.abcde.org, then all you have to do is make
sure your SBS certificate (which you make from running CIECW) is set to the
same thing. Other than that, it doesn't matter. You could have
mail.abcde.org for example.
As for the IP address only, it doesn't really matter. Security by obscurity
isn't really security at all. Do whatever is best for you.
Matt Gibson - GSEC
"chris landman" <chris landman@lsls.skls> wrote in message
news:eLQ1IqkDFHA.2676@TK2MSFTNGP12.phx.gbl...
>I got it Matt. I called Cisco and it was something that they sent me and
>fat fingered. I am in now. I was thinking of not putting an external DNS
>name with it and only using the IP address. It seems like that would be
>more secure because of not having a friendly name. What do you think?
>
> I did have my ISP forward a DNS name. Our local domain is abc.com and
> our email domain is abcde.org. We have both of them registered. (The
> abc.com was here before I started or I would have made it a .local.) Our
> server's name is server. In the connection wizard of SBS, I gave it the
> FQDN of server.secure.abcde.org. I had my ISP forward secure.abcde.org to
> our public IP address. I think that should work, because it forwards that
> address to this IP address. Should I have forwarded the full name,
> including the server name?
>
> --
> Chris Landman
> "Matt Gibson" <mattg@blueedgetech.ca> wrote in message
> news:eYsmCuaDFHA.3256@tk2msftngp13.phx.gbl...
>> Post your PIX config (Make sure to delete the lines dealing with
>> passwords, even if they're encrypted) and we'll see what we can do.
>>
>> Matt Gibson - GSEC
>>
>> "chris landman" <chris landman@lsls.skls> wrote in message
>> news:eSejiPXDFHA.3888@TK2MSFTNGP09.phx.gbl...
>>> Yea, I opened the 443 port and was not able to connect. I am sure I
>>> have missed something. I need to find a step by step setup of this. We
>>> have a PIX and I heard that it can be stopping the traffic. I will have
>>> to call Cisco. Do you know anywhere I can get a good walkthrough of
>>> everything I need to do to get this setup and secure?
>>>
>>> --
>>> Chris Landman
>>> "Matt Gibson" <mattg@blueedgetech.ca> wrote in message
>>> news:urEBMPVDFHA.2632@TK2MSFTNGP12.phx.gbl...
>>>> Usually at least.
>>>>
>>>> 25 - SMTP for incoming mail
>>>> 443 - HTTPS for OWA
>>>> 3389 - Terminal Services
>>>>
>>>> I don't have RWW on this server, but that would be port 4125
>>>>
>>>> Matt Gibson - GSEC
>>>>
>>>> "chris landman" <chris landman@lsls.skls> wrote in message
>>>> news:utUO6MVDFHA.3888@TK2MSFTNGP09.phx.gbl...
>>>>> So I need those three ports open?
>>>>>
>>>>> --
>>>>> Chris Landman
>>>>> "Matt Gibson" <mattg@blueedgetech.ca> wrote in message
>>>>> news:%23B5QxGODFHA.3376@TK2MSFTNGP12.phx.gbl...
>>>>>> Your PIX config should look something like this.
>>>>>>
>>>>>> (A lot is cut out, this is the stuff for port forwarding.)
>>>>>>
>>>>>> no fixup protocol smtp 25
>>>>>> access-list acl_out permit tcp any host 204.50.X.X eq 3389
>>>>>> access-list acl_out permit tcp any host 204.50.X.X eq smtp
>>>>>> access-list acl_out permit tcp any host 204.50.X.X eq 443
>>>>>>
>>>>>> Matt Gibson - GSEC
>>>>>>
>>>>>>
>>>>>> "chris landman" <chris landman@lsls.skls> wrote in message
>>>>>> news:OJ3CwxMDFHA.4052@TK2MSFTNGP15.phx.gbl...
>>>>>> I had that port opened, but could not connect. I use a PIX, so it
>>>>>> is a stateful firewall. I wonder if that is stopping it. Is 443
>>>>>> the only port I need to open?
>>>>>>
>>>>>> --
>>>>>> Chris Landman
>>>>>> "Cris Hanna [SBS-MVP]"
>>>>>> <crisnospamhanna@computingnospampossibilities.net> wrote in message
>>>>>> news:Off79sMDFHA.1564@TK2MSFTNGP09.phx.gbl...
>>>>>> Ideally port 443 so you can run OWA over SSL
>>>>>> http://www.smallbizserver.net/Default.aspx?tabid=83
>>>>>>
>>>>>>
>>>>>> --
>>>>>> Cris Hanna [SBS - MVP]
>>>>>> ---------------------------------------
>>>>>> Please reply only to the newsgroup and not to me directly so that
>>>>>> everyone can benefit from the information
>>>>>> "chris landman" <chris landman@lsls.skls> wrote in message
>>>>>> news:etgaHkMDFHA.3504@TK2MSFTNGP12.phx.gbl...
>>>>>> No, both locations are not SBS. The only thing is that I do not want
>>>>>> SBS to act as a proxy server. I guess I could just use one NIC and
>>>>>> let my PIX do the firewall function. I just wanted an extra layer of
>>>>>> security. If I just use an internal NIC, what do I need to forward
>>>>>> through the firewall to be able to use OWA?
>>>>>>
>>>>>> --
>>>>>> Chris Landman
>>>>>> "Cris Hanna [SBS-MVP]"
>>>>>> <crisnospamhanna@computingnospampossibilities.net> wrote in message
>>>>>> news:uUes7BJDFHA.520@TK2MSFTNGP09.phx.gbl...
>>>>>> Christopher
>>>>>> You should absolutely visit www.smallbizserver.net and check out the
>>>>>> information on configurations there
>>>>>>
>>>>>> ISA is designed to protect the internal network by acting as a
>>>>>> firewall on the external nic. The external facing nic (in your case
>>>>>> the one that would connect to your PIX) must be on a different subnet
>>>>>> from your internal nic
>>>>>>
>>>>>> I'm not sure why you are considering adding another level of complexity
>>>>>> to your setup. You have a hardware firewall protecting each internal
>>>>>> network. You could of course increase the protection by adding ISA.
>>>>>> But you need to do a little studying and you would be making some big
>>>>>> changes to your existing networks on both and you could be looking at
>>>>>> some down time.
>>>>>>
>>>>>> Are both locations SBS ?
>>>>>>
>>>>>> --
>>>>>> Cris Hanna [SBS - MVP]
>>>>>> ---------------------------------------
>>>>>> Please reply only to the newsgroup and not to me directly so that
>>>>>> everyone can benefit from the information
>>>>>> "CHRISTOPHER LANDMAN" <clandman@email.uophx.edu> wrote in message
>>>>>> news:uerpMsIDFHA.2676@TK2MSFTNGP12.phx.gbl...
>>>>>> I am trying to set up an SBS with two nic cards. The IP address
>>>>>> scheme inside the network is 192.168.1.x at the first site and
>>>>>> 192.168.5.x at the second site. We have a VPN that connects the two.
>>>>>> Our PIX firewall handles the VPN. (PIX to PIX) I would like to get
>>>>>> an inside and an outside nic going. I would like to use private IPs
>>>>>> for both of them and forward traffic to the outside nic to handle
>>>>>> clients outside the network. Both sites will use the inside nic for
>>>>>> Exchange and DC. Can you tell me how to set the nic cards on the
>>>>>> server and what to use on the clients? Is there a better way of doing
>>>>>> this? I do not want the external nic to have a public IP address.
>>>>>> Could I use an IP address in the 192.168.1.x subnet (same subnet as
>>>>>> my inside nic at site one)? I am going to set ISA server up once I
>>>>>> get this problem taken care of, although I do not want my clients to
>>>>>> use ISA as a proxy server. Also, once I install ISA server, what do I
>>>>>> need to do to make sure replication can occur between DCs. Is it
>>>>>> possible to only implement ISA on the outside nic?
>>>>>>
>>>>>>
>>>>>> Thanks,
>>>>>>
>>>>>> --
>>>>>> Chris Landman
>>>>>>
>>>>>
>>>>>
>>>>
>>>>
>>>
>>>
>>
>>
>
>
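The name check behind Matt's advice, as an added example that is not part of the original thread: a client compares the host name it connected to against the names in the server certificate, so a certificate issued for server.secure.abcde.org does not validate when clients browse to secure.abcde.org. The function names and certificate dictionaries are constructed for illustration (shaped like Python's `getpeercert()` output), and the matching uses the common single-label wildcard rule.

```python
"""Check whether a certificate's names cover the host name clients will use.

Added example: certificates are constructed dicts in the shape returned by
ssl.SSLSocket.getpeercert(); the host names are the thread's placeholders.
"""


def cert_dns_names(cert):
    """Return DNS names from subjectAltName, falling back to commonName."""
    sans = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    if sans:
        return sans  # when SAN DNS entries exist, the CN is ignored
    return [v for rdn in cert.get("subject", ()) for k, v in rdn
            if k == "commonName"]


def name_matches(pattern, host):
    """Case-insensitive match; '*' may only replace the whole leftmost label."""
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h) or "" in h:
        return False
    if p[0] == "*" and len(p) > 2:
        return p[1:] == h[1:]
    return p == h


def check_host(cert, host):
    """Return (ok, names) so a mismatch can be reported with the cert's names."""
    names = cert_dns_names(cert)
    return any(name_matches(n, host) for n in names), names


# Constructed certificate: issued to the FQDN entered in the wizard.
CERT_FQDN = {"subject": ((("commonName", "server.secure.abcde.org"),),)}
# Constructed certificate: issued to the name the ISP forwards.
CERT_PUBLIC = {"subject": ((("commonName", "secure.abcde.org"),),)}
# Constructed wildcard certificate for comparison.
CERT_WILD = {"subject": ((("commonName", "abcde.org"),),),
             "subjectAltName": (("DNS", "*.abcde.org"),)}

if __name__ == "__main__":
    for label, cert in (("fqdn", CERT_FQDN), ("public", CERT_PUBLIC),
                        ("wildcard", CERT_WILD)):
        for host in ("secure.abcde.org", "server.secure.abcde.org"):
            ok, names = check_host(cert, host)
            print(f"{label:8} {host:24} {'match' if ok else 'MISMATCH'} {names}")
```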
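Matt's advice to delete the password lines before posting a PIX config, as an added example that is not part of the original thread: a small filter that blanks the secret on each matching line, encrypted or not, and reports which lines it touched. The command list is an assumption covering common PIX 6.x commands and is not exhaustive, and the sample config is constructed.

```python
"""Redact secret-bearing lines from a PIX config before sharing it.

Added example: the command list is an assumption (common PIX 6.x commands,
not exhaustive) and SAMPLE is a constructed config, not one from the thread.
"""
import re

# Each pattern keeps the command prefix (group 1) and any trailing keywords
# (group 2), and drops only the secret token between them.
RULES = [re.compile(p) for p in (
    r"^(enable password|passwd)\s+\S+(.*)$",
    r"^(username \S+ password)\s+\S+(.*)$",
    r"^(isakmp key)\s+\S+(.*)$",
    r"^(vpngroup \S+ password)\s+\S+(.*)$",
    r"^(snmp-server community)\s+\S+(.*)$",
)]


def redact(config_text):
    """Return (sanitized_text, line_numbers_that_were_redacted)."""
    out, hits = [], []
    for lineno, line in enumerate(config_text.splitlines(), start=1):
        line = line.strip()
        for rule in RULES:
            new, count = rule.subn(r"\1 <removed>\2", line)
            if count:
                line = new
                hits.append(lineno)
                break
        out.append(line)
    return "\n".join(out), hits


# Constructed sample; the hashes and key are dummy values.
SAMPLE = """\
enable password 0000000000000000 encrypted
passwd 1111111111111111 encrypted
hostname pixfirewall
no fixup protocol smtp 25
access-list acl_out permit tcp any host 204.50.X.X eq 443
isakmp key EXAMPLEKEY address 192.0.2.10 netmask 255.255.255.255
username admin password 2222222222222222 encrypted privilege 15
"""

if __name__ == "__main__":
    text, hits = redact(SAMPLE)
    print(text)
    print("redacted lines:", hits)
```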