RE: OT (sort of): Setting up an OWA server in a DMZ

  • From: "Andrew English" <andrew@xxxxxxxxxxxxxxxxxxxxxx>
  • To: "[ExchangeList]" <exchangelist@xxxxxxxxxxxxx>
  • Date: Fri, 22 Apr 2005 01:10:02 -0400

You should consider using the RPC over HTTP method instead of just RPC.
Number 1 most ISPs today block port 135, thus if any of your employees
have notebook computers that need to access their emails, chances will
be slim that the ISP they connect up with on the go will have port 135
open.

RPC over HTTP uses ports 80, and 443 (SSL).

Andrew


-----Original Message-----
From: adrian bolzan [mailto:abolzan@xxxxxxxxxxxxxxxxxxxxxxxxx] 
Sent: Friday, April 22, 2005 12:48 AM
To: [ExchangeList]
Subject: [exchangelist] RE: OT (sort of): Setting up an OWA server in a
DMZ

http://www.MSExchange.org/


Sorry, I should clarify the ports I have opened  on the firewall. These
were derived from the website:
"Active Directory Replication over Firewalls"
http://www.microsoft.com/technet/prodtechnol/windows2000serv/technologie
s/activedirectory/deploy/confeat/adrepfir.mspx

Although I did not want to configure a DC in the DMZ. I chose the swiss
cheese method, Full Dynamic RPC.
Thus,
RPC endpoint mapper
135/tcp, 135/udp

Network basic input/output system (NetBIOS) name service
137/tcp, 137/udp

NetBIOS datagram service
138/udp

NetBIOS session service
139/tcp

RPC dynamic assignment
1024-65535/tcp

Server message block (SMB) over IP (Microsoft-DS)
445/tcp, 445/udp

Lightweight Directory Access Protocol (LDAP)
389/tcp

LDAP over SSL
636/tcp

Global catalog LDAP
3268/tcp

Global catalog LDAP over SSL
3269/tcp

Kerberos
88/tcp, 88/udp

Domain Name Service (DNS)
53/tcp1, 53/udp

I did not open these WINS ports
Windows Internet Naming Service (WINS) resolution (if required)
1512/tcp, 1512/udp

Nor these:
WINS replication (if required)
42/tcp, 42/udp



Cheers,
Adrian






> -----Original Message-----
> From: adrian bolzan [mailto:abolzan@xxxxxxxxxxxxxxxxxxxxxxxxx]

> Sent: Friday, 22 April 2005 1:04 PM
> To: [ExchangeList]
> Subject: [exchangelist] OT (sort of): Setting up an OWA

> server in a DMZ
>

> http://www.MSExchange.org/
>

>

> Hi,
>

> This is sort of off-topic as I am stuck at setp 1 of building

> an OWA server.
>

> I am trying to configure a new server to act as an OWA

> server.  It is located in our DMZ.
> We do not use ISA server...
>

> IP address of 'OWA' server = 192.168.2.2 IP address of

> Exchange server, which is also a DC = 192.168.1.5
>

> The way our firewall works is to set an alias on the DMZ

> interface, and use IP address and Port forwarding.
> The alias on the DMZ interface = 192.168.2.5.
>

> Thus, communications from the 'OWA' server to the exchange

> server is sent to 192.168.2.5, with IP address and port

> forwarding to 192.168.1.5
> :
>

> 'OWA' server --> IP Alias on DMZ interface --> DC (with Exchange)
> 192.168.2.2 --> 192.168.2.5 --> 192.168.1.5
>

>

> My first problem is that when I try to join the OWA server to

> the domain across the firewall I receive an error stating

> that I am trying to connect to a closed port (presumably on

> the exchange DC).  All of the appropriate filters are in

> place on the firewall to allow the communication.  The closed

> port is 138/UDP.  This suggests that I need to configure the

> DC to allow connections from the DMZ subnet.
>

> Any pointers on where I would find info on how to allow this

> communication would be appreciated.

>

>

>

> Cheers,
> Adrian
>

> ============================================================
> IMPORTANT - This email and any attachments is confidential.
> If received in error, please contact the sender and delete

> all copies of this email. Please note that any use,

> dissemination, further distribution or reproduction of this

> message in any form is strictly prohibited. Before opening or

> using attachments, check them for viruses and defects.
> Regardless of any loss, damage or consequence, whether caused

> by the negligence of the sender or not, resulting directly or

> indirectly from the use of any attached files, our liability

> is limited to resupplying any affected attachments.

>

> Any representations or opinions expressed in this email are

> those of the individual sender, and not necessarily those of

> the Capital Transport Services.
> ============================================================
>

> ------------------------------------------------------
> List Archives:

> http://www.webelists.com/cgi/lyris.pl?enter=exchangelist
> Exchange Newsletters: http://www.msexchange.org/pages/newsletter.asp
> Exchange FAQ: http://www.msexchange.org/pages/larticle.asp?type=FAQ
> ------------------------------------------------------
> Other Internet Software Marketing Sites:
> World of Windows Networking: http://www.windowsnetworking.com

> Leading Network Software Directory: http://www.serverfiles.com
> No.1 ISA Server Resource Site: http://www.isaserver.org

> Windows Security Resource Site:

> http://www.windowsecurity.com/ Network Security Library:

> http://www.secinf.net/ Windows 2000/NT Fax Solutions:

> http://www.ntfaxfaq.com
> ------------------------------------------------------
> You are currently subscribed to this MSEXchange.org

> Discussion List as: abolzan@xxxxxxxxxxxxxxxxxxxxxxxxx To

> unsubscribe visit

> http://www.webelists.com/cgi/lyris.pl?enter=exchangelist
> Report abuse to listadmin@xxxxxxxxxxxxxx
>


============================================================
IMPORTANT - This email and any attachments is confidential.
If received in error, please contact the sender and delete
all copies of this email. Please note that any use,
dissemination, further distribution or reproduction of this
message in any form is strictly prohibited. Before opening or
using attachments, check them for viruses and defects.
Regardless of any loss, damage or consequence, whether caused
by the negligence of the sender or not, resulting directly or
indirectly from the use of any attached files, our liability
is limited to resupplying any affected attachments. 

Any representations or opinions expressed in this email are
those of the individual sender, and not necessarily those
of the Capital Transport Services.
============================================================

------------------------------------------------------
List Archives: http://www.webelists.com/cgi/lyris.pl?enter=exchangelist
Exchange Newsletters: http://www.msexchange.org/pages/newsletter.asp
Exchange FAQ: http://www.msexchange.org/pages/larticle.asp?type=FAQ
------------------------------------------------------
Other Internet Software Marketing Sites:
World of Windows Networking: http://www.windowsnetworking.com
Leading Network Software Directory: http://www.serverfiles.com
No.1 ISA Server Resource Site: http://www.isaserver.org
Windows Security Resource Site: http://www.windowsecurity.com/
Network Security Library: http://www.secinf.net/
Windows 2000/NT Fax Solutions: http://www.ntfaxfaq.com
------------------------------------------------------
You are currently subscribed to this MSEXchange.org Discussion List as:
andrew@xxxxxxxxxxxxxxxxxxxxxx
To unsubscribe visit
http://www.webelists.com/cgi/lyris.pl?enter=exchangelist
Report abuse to listadmin@xxxxxxxxxxxxxx


Other related posts: