Not to be the one to put an ice cube in your boxers, but remember your RPC/HTTP proxy goes on the FE. :)

Thomas W Shinder, M.D.
Site: www.isaserver.org
Blog: http://spaces.msn.com/members/drisa/
Book: http://tinyurl.com/3xqb7
MVP -- ISA Firewalls
**Who is John Galt?**

> -----Original Message-----
> From: Thomas W Shinder [mailto:tshinder@xxxxxxxxxxx]
> Sent: Monday, December 05, 2005 9:52 PM
> To: [ISAserver.org Discussion List]
> Subject: [isalist] RE: Updates from the Least Privilege Front
>
> http://www.ISAserver.org
>
> Whoa. Interesting stuff.
>
> So, the dreaded CIFS and RPC are only required for Exchange Management console? That would indeed be sweet.
>
> And FE POP3 and IMAP4 work too? ;)
>
> Thomas W Shinder, M.D.
> Site: www.isaserver.org
> Blog: http://spaces.msn.com/members/drisa/
> Book: http://tinyurl.com/3xqb7
> MVP -- ISA Firewalls
> **Who is John Galt?**
>
> > -----Original Message-----
> > From: Thor (Hammer of God) [mailto:thor@xxxxxxxxxxxxxxx]
> > Sent: Monday, December 05, 2005 9:37 PM
> > To: [ISAserver.org Discussion List]
> > Subject: [isalist] Updates from the Least Privilege Front
> >
> > http://www.ISAserver.org
> >
> > Just in case I forget (since we have been discussing FE Exchange Servers in a DMZ Segment) here is the skinny on the least privilege rules required to support the functionality outlined in Shinder's List.
> >
> > A Front End Exchange Server must verify a remote user's logon request, authenticate the local OWA access request in AD (based on NTFS perms), look up the Exchange Server hosting the user's mailbox in AD (global catalog), forward the user's credentials to the Back End Exchange Server required to log on to the BE on behalf of the user, and finally proxy the web-based data to the end user. You also must be able to log into the FE server to administer the box, obviously.
> >
> > The protocol list required for all of this functionality is as follows:
> >
> > From the OWA FE server in the DMZ Segment to the Domain Controllers--
> > DNS
> > Kerberos-Sec (UDP)
> > LDAP
> > LDAP (UDP)
> > LDAP (Global Catalog)
> > Ping (Not required, but helpful)
> > Microsoft CIFS (TCP)
> > RPC (All Interfaces)
> >
> > From the OWA FE server to all BE servers, you must allow:
> > HTTP
> >
> > Note that all manner of NBT traffic requests were attempted, but these are apparently not required when the other protocols are allowed.
> >
> > Now, one may be tempted to have a single rule for DC authentication containing these rules, and a single HTTP rule from the FE to all BE servers on the Internal Network, but that is not how I recommend doing it in a "least privilege" environment.
> >
> > I have a problem with allowing CIFS and RPC from a DMZ asset to my internal Domain Controllers. I also like peanut butter rolled up in a slice of Bologna-- I call it a "trailer park crepe." But I digress.
> >
> > In my tests, CIFS and RPC were only necessary for console logon to the FE asset. If you were logged out of the FE server yet remotely accessed the FE facilities via OWA, CIFS and RPC were *not* required. If the FE thinks it has CIFS and RPC, it will use it for FE functions (in my tests). But if you do not allow it, LDAP, Kerberos-Sec to the DC's and HTTP to the BE's will ultimately be used. The first time a user does this, it takes a bit for the auth to complete, but after that, it's superfly.
> >
> > Given that, I have decided to separate auth into 2 rule sets: One from the FE server to the DC's with all the above minus CIFS and RPC, and one from the FE server to the DC's with CIFS and RPC. The trick is to disable the second auth rule until you need to log on to the console of the FE server. This way, you allow full OWA functionality without having to have evil CIFS and RPC open from that DMZ segment into your Internal network.
> >
> > More later.
> >
> > t
> >
> > ------------------------------------------------------
> > List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist
> > ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
> > ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ
> > ------------------------------------------------------
> > Visit TechGenix.com for more information about our other sites:
> > http://www.techgenix.com
> > ------------------------------------------------------
> > You are currently subscribed to this ISAserver.org Discussion List as: tshinder@xxxxxxxxxxxxxxxxxx
> > To unsubscribe visit http://www.webelists.com/cgi/lyris.pl?enter=isalist
> > Report abuse to listadmin@xxxxxxxxxxxxx
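A model of Thor's two-rule-set design, added here as an example and not code from the thread or from ISA Server itself: the protocol names are his, while the rule and network object names (`DMZ-OWA-FE`, `Internal-DCs`, `Internal-BEs`) are assumptions. It evaluates traffic against the rule sets with default deny and includes the audit check a reviewer would want, flagging any enabled rule that leaves CIFS or RPC open from the DMZ after a console logon.

```python
from dataclasses import dataclass


@dataclass
class Rule:
    name: str
    src: str
    dst: str
    protocols: frozenset
    enabled: bool = True


# Protocol names as listed in the thread; the split into "always on" and
# "console logon only" follows the two-rule-set design described above.
DC_ALWAYS = frozenset({"DNS", "Kerberos-Sec (UDP)", "LDAP", "LDAP (UDP)",
                       "LDAP (Global Catalog)", "Ping"})
DC_CONSOLE_ONLY = frozenset({"Microsoft CIFS (TCP)", "RPC (All Interfaces)"})
BE_ALWAYS = frozenset({"HTTP"})

# Network object names are constructed for this example.
DMZ_FE, INT_DCS, INT_BES = "DMZ-OWA-FE", "Internal-DCs", "Internal-BEs"


def build_policy(console_logon_needed: bool = False) -> list:
    """Three access rules; the CIFS/RPC rule stays disabled unless an admin
    is about to log on to the FE console."""
    return [
        Rule("OWA FE -> DCs (auth, always on)", DMZ_FE, INT_DCS, DC_ALWAYS),
        Rule("OWA FE -> DCs (console logon only)", DMZ_FE, INT_DCS,
             DC_CONSOLE_ONLY, enabled=console_logon_needed),
        Rule("OWA FE -> BEs (proxy)", DMZ_FE, INT_BES, BE_ALWAYS),
    ]


def is_allowed(policy: list, src: str, dst: str, proto: str) -> bool:
    """Default deny: traffic passes only if some enabled rule matches it."""
    return any(r.enabled and r.src == src and r.dst == dst and proto in r.protocols
               for r in policy)


def audit(policy: list) -> list:
    """Findings: any enabled rule opening CIFS or RPC from the DMZ FE into the
    Internal network, i.e. the console rule someone forgot to disable again."""
    return [f"CIFS/RPC open from {r.src} to {r.dst} via rule '{r.name}'"
            for r in policy
            if r.enabled and r.src == DMZ_FE and r.protocols & DC_CONSOLE_ONLY]


if __name__ == "__main__":
    normal = build_policy()
    print(is_allowed(normal, DMZ_FE, INT_DCS, "LDAP (Global Catalog)"))  # True
    print(is_allowed(normal, DMZ_FE, INT_DCS, "RPC (All Interfaces)"))   # False
    print(audit(normal))                                    # []
    print(audit(build_policy(console_logon_needed=True)))   # one finding
```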