Setup OWA in PIX DMZ

Vic T asked:

I am running OWA (front end) in the PIX515 DMZ and Exchange 2003 on the inside with 2 DCs.  OWA had already joined the domain before it was moved to the DMZ.

                                Internet (outside)
                                           |
OWA (DMZ) --------------- PIX -------------- (inside) DC1, DC2, Exchange

DC1 = DC, GC and DNS
DC2 = DC only
OWA = Exchange 2003 (front end) server w/ SP2
Exchange = Exchange 2003 server w/ SP2

I have opened the following ports for OWA traffic back to the inside.  The inside has no restrictions to the DMZ.
OWA -> DC1 = 88 tcp/udp, 135 tcp, 389 tcp/udp, 445 tcp, echo-reply icmp, (1024-65535) tcp, 53 tcp, 3268 tcp.
OWA -> DC2 = 88 tcp/udp, 135 tcp, 389 tcp/udp, 445 tcp, echo-reply icmp, (1024-65535) tcp.
OWA -> Exchange = 80 tcp, 135 tcp, 691 tcp.


The problem is we keep getting the following errors:
---------------------------------------------------------------
Event ID: 1053     Source: Userenv
Windows cannot determine the user or computer name. (There are no more endpoints available from the endpoint mapper. ). Group Policy processing aborted.

Event ID: 2114     Source: MSExchangeDSAccess
Process IISIPM9E6415B3-ECB3-4BAC-9958-6818860886F0 -AP "EXCHANGEAPPLICATIONPOOL (PID=2884). Topology Discovery failed, error 0x8007077f.

If I take out (1024-65535) tcp for DC1 and DC2, I also get the following errors:
--------------------------------------------------------------------------------------------------
Event ID: 2114     Source: MSExchangeDSAccess
Process INETINFO.EXE (PID=1244). Topology Discovery failed, error 0x8007077f.

Event ID: 2114     Source: MSExchangeDSAccess
Process STORE.EXE (PID=2464). Topology Discovery failed, error 0x8007077f.

Event ID: 2114     Source: MSExchangeDSAccess
Process MAD.EXE (PID=1968). Topology Discovery failed, error 0x8007077f.

Event ID: 2114     Source: MSExchangeDSAccess
Process WMIPRVSE.EXE -EMBEDDING (PID=2760). Topology Discovery failed, error 0x8007077f.


Moreover, domain users cannot log in to OWA unless their profiles have been created on the OWA server.  That means I have to log in to the OWA server manually using the domain user accounts.  Theoretically, I only need to allow the domain users to log in to the OWA server locally by creating a local group and setting the permission in the local security policy.

Currently, on the OWA server, I have created a local group called "webmail".  The "webmail" group allows domain users to log in locally based on the local security policy.  When I added a user to the "webmail" group, AD did not resolve the SID to a username; you only see the SID in the group.  Once I manually logged in to the OWA server using the domain username and password, the SID in the webmail group was resolved to the username.  This did not happen for users who belong to the domain administrators group.

Also, how can I limit the RPC ports (1024-65535) tcp to a static port?  Please tell me if I have opened any wrong ports.
rsivanandan:

http://www.microsoft.com/smallbusiness/support/articles/ref_net_ports_ms_prod.mspx

The above link explains the ports that need to be open for communication in AD, so you need to open what is required based on that link.

Cheers,
Rajesh
Vic T (asker):

I read that before.  I believe I have already opened all the required ports.  I need a more in depth solution.

Thanks!
charan_jeetsingh:

Is it possible to paste your PIX config?
Also do a scan of your open ports on DC1 and DC2 using "netstat -b".

This will give you an idea of what ports are actually open.

Is there any reason you can't move the Front End behind the PIX and simply limit the inbound traffic to SSL to the front end only?

It makes managing the pix rules set a heck of a lot simpler.

Or look to putting an ISA server in front of the FE server behind the pix.
ASKER CERTIFIED SOLUTION
Sembee:
This solution is only available to members of Experts Exchange.
Vic T (asker):

Hi Sembee - By company policy, I cannot open any direct port (even 443 and NAT) from the outside to the inside network.  I would love to put OWA next to the DC and Exchange.  I will read your article now.
Vic T (asker):

Hi charan_jeetsingh - here is the PIX setup related to OWA.

OWA = 10.10.10.12
DC1 = 10.10.1.70
DC2 = 10.10.1.71
Exchange = 10.10.1.74

---
object-group network OWA-DC
 description Allow OWA traffic to DC
 network-object 10.10.1.70 255.255.255.255
 network-object 10.10.1.71 255.255.255.255
object-group network OWA-DC_ref
 network-object 10.10.1.70 255.255.255.255
 network-object 10.10.1.71 255.255.255.255
access-list acl_dmz extended permit tcp host 10.10.10.12 any eq https
access-list acl_dmz extended permit tcp host 10.10.10.12 any eq www
access-list acl_dmz extended permit udp host 10.10.10.12 host 204.111.222.111 eq domain
access-list acl_dmz extended permit tcp host 10.10.10.12 object-group OWA-DC_ref eq 88
access-list acl_dmz extended permit udp host 10.10.10.12 object-group OWA-DC_ref eq 88
access-list acl_dmz extended permit tcp host 10.10.10.12 object-group OWA-DC_ref eq 135
access-list acl_dmz extended permit tcp host 10.10.10.12 object-group OWA-DC_ref eq ldap
access-list acl_dmz extended permit udp host 10.10.10.12 object-group OWA-DC_ref eq 389
access-list acl_dmz extended permit tcp host 10.10.10.12 object-group OWA-DC_ref eq 445
access-list acl_dmz extended permit icmp host 10.10.10.12 object-group OWA-DC_ref echo-reply
access-list acl_dmz extended permit tcp host 10.10.10.12 object-group OWA-DC_ref range 1024 65535
access-list acl_dmz extended permit tcp host 10.10.10.12 host 10.10.1.70 eq domain
access-list acl_dmz extended permit tcp host 10.10.10.12 host 10.10.1.70 eq 3268
access-list acl_dmz extended permit tcp host 10.10.10.12 host 10.10.1.74 eq www
access-list acl_dmz extended permit tcp host 10.10.10.12 host 10.10.1.74 eq 135
access-list acl_dmz extended permit tcp host 10.10.10.12 host 10.10.1.74 eq 691
---

I don't need to check the DC1 and DC2 open ports, since OWA works fine when it is back on the PIX inside interface.
Vic T (asker):

Hi charan_jeetsingh - I just saw I missed the 53 udp for DC1.  I have added an extra line in the pix.

access-list acl_dmz extended permit udp host 10.10.10.12 host 10.10.1.70 eq domain

Ask whoever wrote the company policy if they are happy for port 135 to be open to a less trusted network.
If they are, tell them they should be looking for another job.

I do installations for financial services companies, where they often have more network admin staff than IT. Asking for port 135 to be open usually stops everything in their tracks.

As my article says, a DMZ does not increase your security. What a DMZ should be is a place where the security is less, therefore you should be in a position to drop anything in the DMZ at a moment's notice.

Best practice for a network is to have the least number of holes in the firewall that is protecting the inside network. Putting a domain member in the DMZ basically makes the firewall useless. If I compromise your server in the DMZ, I can walk straight in.

Simon.
Vic T (asker):

Hi Sembee (Simon) - I will probably look into the ISA-in-DMZ solution.  You made your point, but I think it is still good practice to disallow direct traffic from outside to inside.  Therefore the only solution to this is setting up ISA in the DMZ.  I will leave this open for more suggestions before closing it.

Thanks!!!

Btw, there is a typo in your article about port 125 - "The NETBIOS ports (125, 139 etc and 445)"

Not having direct traffic to the internet is always good, but isn't always possible.
If I was given a choice of a server in the DMZ or direct access, then direct access wins, as I want the least number of ports open to production.

Simon.

vto,

I understand the concern about allowing traffic into the network, but ISA is an application-level filter for OWA and adds a much more significant level of protection to your environment than a stateful firewall.

AD and Exchange are very chatty, so by not putting the FE in the DMZ you significantly reduce the load on your firewall and the need to monitor the PIX's logs.

If you look at your PIX rules, the 15 or so ACLs would be dropped down to:
access-list acl_dmz extended permit tcp host 10.10.10.12 any eq https
It reduces the attack surface, which is good :-)

Simon's article is something you could take to the security team or auditors to support the case to use a reverse proxy or an ISA server.
Less risk makes a more secure environment, which makes your life easier.
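As an added example (not part of the thread, and not Cisco or Microsoft code), a small Python audit of the acl_dmz rules Vic posted: it expands the object-group, lists what the DMZ host may reach on the inside, and flags the entries Simon objects to (tcp/135, tcp/445 and the 1024-65535 dynamic RPC range). Addresses and ports are the ones from the thread; the parser handles only the `host`/`object-group`/`any` destinations and `eq`/`range` port forms that appear there.

```python
import re
from collections import defaultdict

# Constructed sample: a subset of the acl_dmz rules posted in this thread.
PIX_CONFIG = """\
object-group network OWA-DC_ref
 network-object 10.10.1.70 255.255.255.255
 network-object 10.10.1.71 255.255.255.255
access-list acl_dmz extended permit tcp host 10.10.10.12 any eq https
access-list acl_dmz extended permit tcp host 10.10.10.12 object-group OWA-DC_ref eq 135
access-list acl_dmz extended permit tcp host 10.10.10.12 object-group OWA-DC_ref eq ldap
access-list acl_dmz extended permit tcp host 10.10.10.12 object-group OWA-DC_ref eq 445
access-list acl_dmz extended permit tcp host 10.10.10.12 object-group OWA-DC_ref range 1024 65535
access-list acl_dmz extended permit tcp host 10.10.10.12 host 10.10.1.74 eq 691
"""
NAMED_PORTS = {"www": 80, "domain": 53, "ldap": 389, "https": 443}
RISKY = {135: "RPC endpoint mapper", 445: "SMB"}  # single ports the thread objects to
# Only the tcp/udp forms used above: host|object-group|any destination, eq|range ports.
ACL_RE = re.compile(r"access-list \S+ extended permit (tcp|udp) host \S+ "
                    r"(?:host (\S+)|object-group (\S+)|(any)) (?:eq (\S+)|range (\d+) (\d+))")

def expand_acl(config):
    """Return {dst_host: {(proto, lo, hi)}} with object-groups expanded to their members."""
    groups, current, reach = {}, None, defaultdict(set)
    for line in config.splitlines():
        if line.startswith("object-group network "):      # start collecting a group
            current = line.split()[-1]
            groups[current] = []
        elif line.startswith(" network-object ") and current:
            groups[current].append(line.split()[1])        # /32 member address
        elif (m := ACL_RE.match(line)):
            proto, host, group, _any, eq, lo, hi = m.groups()
            if eq:                                         # 'eq ldap' or 'eq 135'
                lo = hi = NAMED_PORTS.get(eq) or int(eq)
            for dst in ([host] if host else groups[group] if group else ["any"]):
                reach[dst].add((proto, int(lo), int(hi)))
    return dict(reach)

def findings(reach, inside_prefix="10.10.1."):
    """Rules towards inside hosts that a firewall review would push back on."""
    out = []
    for dst, entries in sorted(reach.items()):
        if not dst.startswith(inside_prefix):
            continue
        for proto, lo, hi in sorted(entries):
            if lo == hi and lo in RISKY:
                out.append(f"{dst} {proto}/{lo}: {RISKY[lo]} reachable from DMZ")
            elif hi - lo >= 1000:
                out.append(f"{dst} {proto}/{lo}-{hi}: dynamic RPC range ({hi - lo + 1} ports)")
    return out
```

Running `findings(expand_acl(PIX_CONFIG))` lists three findings per DC, and the same audit of the single `permit tcp host 10.10.10.12 any eq https` rule proposed above returns nothing, which is the attack-surface reduction the reply describes.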