RE: Kerberos authentication from FE to BE

  • From: "Thomas W Shinder" <tshinder@xxxxxxxxxxx>
  • To: "[ExchangeList]" <exchangelist@xxxxxxxxxxxxx>
  • Date: Thu, 18 Nov 2004 21:04:44 -0600

Hi Al,

I agree. However, I like putting the FE in an "authenticated access" DMZ
segment, which is separate from the rest of the network. Only
connections that have been pre-authenticated by the ISA firewall are
allowed to pass into this authenticated access only DMZ segment. I would
definitely not put the FE in an anonymous access DMZ, though.


Tom
www.isaserver.org/shinder
Tom and Deb Shinder's Configuring ISA Server 2004
http://tinyurl.com/3xqb7
MVP -- ISA Firewalls


-----Original Message-----
From: Mulnick, Al [mailto:Al.Mulnick@xxxxxxxxxx] 
Sent: Thursday, November 18, 2004 3:22 PM
To: [ExchangeList]
Subject: [exchangelist] RE: Kerberos authentication from FE to BE

http://www.MSExchange.org/

Exactly. I was glossing that over in my reply though because I truly
believe that putting a FE member server in the DMZ is a bad idea.  Having
done it for customers in the past (back when it was considered a good
idea) I'm not happy about it any longer, but there it is.  I see no
benefit (years later of course) to putting a member server in a DMZ since
it can potentially be hacked and they'd have the same access as if
internal anyway.  More trouble than it's worth basically.

</confessions of a consultant> 

-----Original Message-----
From: Rick Boza [mailto:rickb@xxxxxxxxxxx] 
Sent: Thursday, November 18, 2004 4:14 PM
To: [ExchangeList]
Subject: [exchangelist] RE: Kerberos authentication from FE to BE

I think Al's question was "Please list all the ports you opened between
the FE and BE servers on the firewall."  Saying you have all the
necessary ones open doesn't really help us help you - without knowing
exactly what ports are open, there is no way anyone can say if
additionally opening port 88 is enough.

Rick


On 11/18/04 3:39 PM, "ravi" <rrb@xxxxxxxxxxx> wrote:

> I have opened all the necessary ports like 389,3268 to DC/GC and 25,80
> to BE. Everything is working well but I see this warning on my FE.
> My concern: is opening port 88 to DC enough? Or do we have to open 88
> to BE also for Kerberos authentication to work?
> 
> thanks for your help.
> 
> ------------------------------------------------------
> List Archives: http://www.webelists.com/cgi/lyris.pl?enter=exchangelist
> Exchange Newsletters: http://www.msexchange.org/pages/newsletter.asp
> Exchange FAQ: http://www.msexchange.org/pages/larticle.asp?type=FAQ
> ------------------------------------------------------
> Other Internet Software Marketing Sites:
> World of Windows Networking: http://www.windowsnetworking.com
> Leading Network Software Directory: http://www.serverfiles.com
> No.1 ISA Server Resource Site: http://www.isaserver.org
> Windows Security Resource Site: http://www.windowsecurity.com/
> Network Security Library: http://www.secinf.net/
> Windows 2000/NT Fax Solutions: http://www.ntfaxfaq.com
> ------------------------------------------------------
> You are currently subscribed to this MSEXchange.org Discussion List as:
> rickb@xxxxxxxxxxx
> To unsubscribe visit http://www.webelists.com/cgi/lyris.pl?enter=exchangelist
> Report abuse to listadmin@xxxxxxxxxxxxxx

