Hi Al, I agree. However, I like putting the FE in a "authenticated access" DMZ segment, which is separate from the rest of the network. Only connections that have been pre-authenticated by the ISA firewall as allowed to pass into this authenticated access only DMZ segment. I would definitely not put the FE in an anonymous access DMZ, though. Tom www.isaserver.org/shinder Tom and Deb Shinder's Configuring ISA Server 2004 http://tinyurl.com/3xqb7 MVP -- ISA Firewalls -----Original Message----- From: Mulnick, Al [mailto:Al.Mulnick@xxxxxxxxxx] Sent: Thursday, November 18, 2004 3:22 PM To: [ExchangeList] Subject: [exchangelist] RE: Kerberos authentication from FE to BE http://www.MSExchange.org/ Exactly. I was glossing that over in my reply though because I truly believe that putting a FE member server in the DMZ is a bad idea. Having done it for customers in the past (back when it was considered a good idea) I'm not happy about it any longer, but there it is. I see no benefit (years later of course) to putting a member server in a DMZ since it can potentially be hacked and they'd have the same access as if internal anyway. More trouble than it's worth basically. </confessions of a consultant> -----Original Message----- From: Rick Boza [mailto:rickb@xxxxxxxxxxx] Sent: Thursday, November 18, 2004 4:14 PM To: [ExchangeList] Subject: [exchangelist] RE: Kerberos authentication from FE to BE http://www.MSExchange.org/ I think Al's question was 'Please list all the ports you opened between the FE and BE servers on the firewall." Saying you have all the necessary ones open doesn't really help us help you - without knowing exactly what ports are open, there is no way anyone can say if additionally opening port 88 is enough. Rick On 11/18/04 3:39 PM, "ravi" <rrb@xxxxxxxxxxx> wrote: > http://www.MSExchange.org/ > > I have opened all the necessary ports like 389,3268 to DC/GC and 25,80 > to BE. Everything is working well but i see this warning on my FE. > My concern: is opening port 88 to DC enough? or do we have to open 88 > to BE also for kerberos authntication to work? > > thanks for your help. > > ------------------------------------------------------ > List Archives: > http://www.webelists.com/cgi/lyris.pl?enter=exchangelist > Exchange Newsletters: http://www.msexchange.org/pages/newsletter.asp > Exchange FAQ: http://www.msexchange.org/pages/larticle.asp?type=FAQ > ------------------------------------------------------ > Other Internet Software Marketing Sites: > World of Windows Networking: http://www.windowsnetworking.com Leading > Network Software Directory: http://www.serverfiles.com > No.1 ISA Server Resource Site: http://www.isaserver.org Windows > Security Resource Site: http://www.windowsecurity.com/ Network > Security Library: http://www.secinf.net/ Windows 2000/NT Fax > Solutions: http://www.ntfaxfaq.com > ------------------------------------------------------ > You are currently subscribed to this MSEXchange.org Discussion List as: > rickb@xxxxxxxxxxx > To unsubscribe visit > http://www.webelists.com/cgi/lyris.pl?enter=exchangelist > Report abuse to listadmin@xxxxxxxxxxxxxx ------------------------------------------------------ List Archives: http://www.webelists.com/cgi/lyris.pl?enter=exchangelist Exchange Newsletters: http://www.msexchange.org/pages/newsletter.asp Exchange FAQ: http://www.msexchange.org/pages/larticle.asp?type=FAQ ------------------------------------------------------ Other Internet Software Marketing Sites: World of Windows Networking: http://www.windowsnetworking.com Leading Network Software Directory: http://www.serverfiles.com No.1 ISA Server Resource Site: http://www.isaserver.org Windows Security Resource Site: http://www.windowsecurity.com/ Network Security Library: http://www.secinf.net/ Windows 2000/NT Fax Solutions: http://www.ntfaxfaq.com ------------------------------------------------------ You are currently subscribed to this MSEXchange.org Discussion List as: al.mulnick@xxxxxxxxxx To unsubscribe visit http://www.webelists.com/cgi/lyris.pl?enter=exchangelist Report abuse to listadmin@xxxxxxxxxxxxxx ------------------------------------------------------ List Archives: http://www.webelists.com/cgi/lyris.pl?enter=exchangelist Exchange Newsletters: http://www.msexchange.org/pages/newsletter.asp Exchange FAQ: http://www.msexchange.org/pages/larticle.asp?type=FAQ ------------------------------------------------------ Other Internet Software Marketing Sites: World of Windows Networking: http://www.windowsnetworking.com Leading Network Software Directory: http://www.serverfiles.com No.1 ISA Server Resource Site: http://www.isaserver.org Windows Security Resource Site: http://www.windowsecurity.com/ Network Security Library: http://www.secinf.net/ Windows 2000/NT Fax Solutions: http://www.ntfaxfaq.com ------------------------------------------------------ You are currently subscribed to this MSEXchange.org Discussion List as: tshinder@xxxxxxxxxxx To unsubscribe visit http://www.webelists.com/cgi/lyris.pl?enter=exchangelist Report abuse to listadmin@xxxxxxxxxxxxxx