Re: Question regarding firewalls



The whole point of lock-down is to STOP the gmail, hotmail, yahoo mail, etc.
crap that has no business in a business.

I use OE to post. Does it still require 119?

Gregg Hill



"kj [SBS MVP]" <KevinJ.SBS@xxxxxxxxxxxxxxxxxx> wrote in message
news:uTB43GkwHHA.4572@xxxxxxxxxxxxxxxxxxxxxxx
Lanwench [MVP - Exchange] wrote:
Gregg Hill <bogus@xxxxxxxxxxx> wrote:
Hello!

In an SBS domain, what firewall ports are really needed for most
businesses to have full functionality? I would like to have the
maximum lock-down I can achieve with normal network and Internet
functionality.
I can think of the following, in numerical order:

Inbound ports forwarded in firewall/router:
25 to SBS
443 to SBS
3389 to a 2000 or 2003 terminal server
4125 to SBS


Maximum outbound ports allowed:
20 and 21 for downloads
25 to send mail (preferably only from SBS server's IP)
53 for DNS lookups
80 for web browsing
110 if they use POP3 on external server
123 for NTP
143 if they use IMAP on external server
443 for secure web browsing
2002 if servers are managed with LogMeIn

I cannot think of others that would be needed for normal web
browsing, email access, etc. Do AV apps such as Trend Micro CSM use
different ports to get their updates?

Did I miss any ports?

Thank you for your time!

Gregg Hill

In addition to the other replies-

Your clients should need only HTTP and HTTPS outbound, most likely.
Your firewall should be configured with a deny all by default for the
IP address range used for your client workstations, and 80 and 443
outbound only. Your users shouldn't be connecting to external POP,
IMAP, FTP sites, etc., generally.

Your server needs more outbound access - your 'maximum' list is fine
in general, although I'd exclude 110, 2002, 143. I don't know why
you'd need LogMeIn.....

119 to post to this newsgroup! <g>

Greg,

465/995 (outbound) POP-S for gmail or wait till the users call.

--
/kj
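
Added example, not part of the thread: the default-deny outbound policy discussed above (clients limited to 80 and 443, the server given the "maximum" list minus 110, 143 and 2002), modeled in Python and run over constructed flow records to show what would be blocked. The server IP, the client range and the `src proto dport` record format are assumptions.

```python
import ipaddress

# Assumed addressing (not from the thread): SBS server IP and client LAN range.
SERVER = ipaddress.ip_address("192.168.16.2")
CLIENTS = ipaddress.ip_network("192.168.16.0/24")

# Allow-lists from the thread. Protocols are filled in from the standard
# assignments; the thread gives port numbers only.
CLIENT_ALLOW = {("tcp", 80), ("tcp", 443)}
SERVER_ALLOW = CLIENT_ALLOW | {
    ("tcp", 20), ("tcp", 21),   # FTP downloads
    ("tcp", 25),                # outbound SMTP, server only
    ("tcp", 53), ("udp", 53),   # DNS lookups
    ("udp", 123),               # NTP
}

def decide(src, proto, dport):
    """Return 'allow' or 'deny' for one outbound flow; unmatched means deny."""
    addr = ipaddress.ip_address(src)
    if addr == SERVER:              # checked first: the server sits in the LAN range
        allowed = SERVER_ALLOW
    elif addr in CLIENTS:
        allowed = CLIENT_ALLOW
    else:
        return "deny"               # unknown source address
    return "allow" if (proto.lower(), int(dport)) in allowed else "deny"

def audit(lines):
    """Parse 'src proto dport' records and return the flows the policy blocks."""
    blocked = []
    for line in lines:
        parts = line.split()
        if len(parts) != 3 or not parts[2].isdigit():
            continue                # skip malformed records
        try:
            verdict = decide(*parts)
        except ValueError:          # source is not an IP address
            continue
        if verdict == "deny":
            blocked.append(tuple(parts))
    return blocked

# Constructed sample flows (not real log data).
SAMPLE = [
    "192.168.16.2 tcp 25",     # server sending mail
    "192.168.16.50 tcp 443",   # client HTTPS
    "192.168.16.50 tcp 25",    # client sending SMTP directly
    "192.168.16.50 tcp 995",   # client POP3S to webmail
]
```

Calling `audit(SAMPLE)` returns the two client flows to ports 25 and 995; the server's SMTP and the client's HTTPS pass.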


