Solved

Firewall and Exchange Question

Posted on 2001-06-14
Last Modified: 2013-11-16
We currently have a LAN connected to the internet through a Cisco Router running NAT.  One of our servers, basically the main one, is running Exchange as well as File and Print Services.

We have NO firewall and need one desperately.  Because our ISP has an MX record for our server it is wide open on the internet.  

We are interested in getting a firewall, any recommendations?  Good time to get a proxy server/firewall at this time?

The only thing coming inside would need to be email from the outside, how would we set this up on the firewall?  Just open a certain port?  Which one?
0
Question by:jbiggs19
16 Comments
 
LVL 11

Expert Comment

by:geoffryn
ID: 6191549
I like the Cisco PIX as a nice fast hardware solution.  If you want more features then Checkpoint FW-1 is a good firewall.  It sounds like you could get away with the lower end PIX and save yourself some money.  If all you need inbound is internet mail, the only port you need to open is 25(SMTP).  If you want people to be able to check their mail from the outside via POP3 or Outlook Web Access, you will need to open 110(POP3) and/or 80(HTTP).
0
 
LVL 79

Expert Comment

by:lrmoore
ID: 6191960
I agree with geoffryn and I like the PIX.
Depending on your budget, you may be able to upgrade your router with the Firewall IOS for less money and accomplish much the same thing.
However, if budget allows, there is an old saying -
"let routers route and firewalls be the firewall". Putting too many tasks onto the router bogs it down, but for small offices it may be the perfect solution.

http://www.cisco.com/warp/public/cc/pd/fw/sqfw500/prodlit/pix_pa.htm
http://www.cisco.com/univercd/cc/td/doc/pcat/iofwfts1.htm

Just to re-state what geoffryn said about ports:

smtp - TCP port 25 - must be open both ways for the server to send and to receive.

If you have roving users that access their email from home or travel, open TCP port 110 for POP3, TCP port 443 for SSL, and if you use the web-based access, TCP port 80.

0
 
LVL 14

Expert Comment

by:chris_calabrese
ID: 6192518
Might also check out the low-end netscreen's.  They're pretty inexpensive, easy to configure, and fast.
0
 
LVL 12

Expert Comment

by:Housenet
ID: 6193214
I agree with chris_calabrese, Netscreen is faster, much, much easier to configure... All you'd need to do is set up inbound SMTP, port 25. I suggest a NS-5 Elite (Elite meaning unlimited users). There is no advantage and several disadvantages between PIX and Netscreen.
0
 

Expert Comment

by:RUSTLER
ID: 6196389
I've been working with the Cisco PIX 515-UR, 520-UR, FO firewalls and they're pretty easy to set up... Cisco has a low end unit, the 506 (handles 5 VPN sessions), up to a beefy 512MB PIX 535...
0
 

Expert Comment

by:Alfaisal
ID: 6199751
Well, I didn't work with the PIX and I don't know how fast it is, but I am working with Biodata BIGfire+, a real piece of cake with its management software, and no bottleneck, and you can connect your mail server to the Admin port and control the traffic to it.
And the price is reasonable.....
http://www.biodata.com/us/products/bigfire/
0
 

Author Comment

by:jbiggs19
ID: 6203247
Currently we have an existing Cisco 2514 router performing NAT, we might just upgrade the IOS on this to the firewall version.
0
 
LVL 11

Expert Comment

by:geoffryn
ID: 6203278
Make sure that you have enough RAM on the router.  The IOS firewall can really bang on the CPU and memory.
0
 
LVL 4

Expert Comment

by:jwalsh88
ID: 6204932
Yeah, I would not recommend upgrading the Cisco 2514 to the IOS firewall version.  Unless you want to pay more in memory upgrades than it would cost to get a small simple firewall.  I would look into something like the WatchGuard Firebox 50.  It's about $700 unless you have fewer than 25 or even 10 users; then the cost for a hardware based firewall would be either $500 or $300 respectively.  In case you didn't guess, the Firebox 50 allows for 50 users.

I like the PIX more, but even the bottom of the line PIX is still $1500.
0
 
LVL 24

Expert Comment

by:SunBow
ID: 6287567
To round out the choice list, Microsoft for IIS now has this:

Microsoft Internet Security and Acceleration Server 2000 (ISA) Technical Overview
http://www.microsoft.com/TechNet/isa/isatecov.asp

Ports as above, unless you want more like ftp, open as needed.
0
 

Expert Comment

by:Shoeb_786
ID: 6439842
Cisco PIX is good in your situation
0
 

Expert Comment

by:RUSTLER
ID: 6443044
I recommend the PIX 516.
You set up a NAT pool, let's say 10.2.X.X/16, on your firewall. Then create a static entry to associate the real IP with the internal IP. Finally open the ports required for POP and SMTP by using access-list commands with PIX version 5.0 or higher, or conduit commands such as...
static (inside,outside) 206.189.16.30 10.2.1.30 netmask 255.255.255.255 0 0
conduit permit tcp host 206.189.16.30 eq smtp any
conduit permit tcp host 206.189.16.30 eq pop3 any
0
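The port advice from geoffryn and lrmoore above (inbound TCP 25 only, plus 110/443/80 if remote users need their mail) and RUSTLER's static/conduit lines describe the same policy: a one-to-one translation for the mail host plus an ordered permit list with an implicit deny at the end. The following is an added Python model of that policy, not code from the original thread or from any Cisco product; it reuses RUSTLER's 206.189.16.30 / 10.2.1.30 pair, and the Rule and Packet types, the sample packets and every other address are constructed for illustration.

```python
"""Inbound-policy evaluator in the style of the PIX lines above.

Added example, not from the original post or any Cisco product: a first-match
packet filter with a static NAT entry. The 206.189.16.30 -> 10.2.1.30 pair is
taken from RUSTLER's lines; the Rule/Packet types, the sample packets and the
other addresses and ports are constructed for illustration.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Rule:
    proto: str                # "tcp" or "udp"
    dst_host: str             # outside (public) address, or "any"
    dst_port: Optional[int]   # None matches any port
    action: str               # "permit" or "deny"


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    dst: str                  # address as seen on the outside interface
    dport: int


# static (inside,outside) 206.189.16.30 10.2.1.30  ->  one-to-one translation
STATIC_NAT = {"206.189.16.30": "10.2.1.30"}

# conduit permit tcp host 206.189.16.30 eq smtp any
# conduit permit tcp host 206.189.16.30 eq pop3 any
CONDUITS = [
    Rule("tcp", "206.189.16.30", 25, "permit"),
    Rule("tcp", "206.189.16.30", 110, "permit"),
]


def minimal_policy() -> List[Rule]:
    """What the original question actually needs: inbound SMTP only."""
    return [Rule("tcp", "206.189.16.30", 25, "permit")]


def evaluate_inbound(pkt: Packet, rules: List[Rule] = CONDUITS,
                     nat: dict = STATIC_NAT) -> Tuple[str, Optional[str]]:
    """Decide the fate of a packet arriving on the outside interface.

    Returns ("permit", inside_ip) or ("deny", None). Rules are walked in
    order and the first match wins; a permit only takes effect if the
    destination has a static translation, because without one there is no
    inside host to deliver to. No match at all means the implicit deny.
    """
    for r in rules:
        if r.proto != pkt.proto:
            continue
        if r.dst_host != "any" and r.dst_host != pkt.dst:
            continue
        if r.dst_port is not None and r.dst_port != pkt.dport:
            continue
        if r.action == "permit" and pkt.dst in nat:
            return ("permit", nat[pkt.dst])
        return ("deny", None)
    return ("deny", None)


def exposed_services(rules: List[Rule] = CONDUITS,
                     nat: dict = STATIC_NAT) -> set:
    """Audit helper: every (inside_ip, proto, port) the internet can reach.

    Run it after every rule change; anything beyond tcp/25 on the mail host
    needs a justification (tcp/110 is cleartext POP3, credentials included).
    """
    reachable = set()
    for r in rules:
        if r.action != "permit":
            continue
        targets = list(nat) if r.dst_host == "any" else [r.dst_host]
        for host in targets:
            if host in nat:
                reachable.add((nat[host], r.proto, r.dst_port))
    return reachable


if __name__ == "__main__":
    # Constructed sample traffic (198.51.100.0/24 is a documentation range).
    samples = [
        Packet("tcp", "198.51.100.7", "206.189.16.30", 25),   # inbound mail
        Packet("tcp", "198.51.100.7", "206.189.16.30", 110),  # POP3 from the road
        Packet("tcp", "198.51.100.7", "206.189.16.30", 445),  # SMB probe
        Packet("udp", "198.51.100.7", "206.189.16.30", 25),   # wrong protocol
        Packet("tcp", "198.51.100.7", "206.189.16.31", 25),   # no static for this host
    ]
    for p in samples:
        print(p.proto, p.dst, p.dport, "->", evaluate_inbound(p))
    print("exposed:", sorted(exposed_services()))
```

With the conduit list from the post, the SMTP and POP3 packets are translated to 10.2.1.30 while the SMB probe, the UDP packet and the packet to the untranslated address are all dropped. exposed_services() is the check worth keeping: it lists exactly what the internet can reach, and here it shows tcp/110 next to tcp/25, which means POP3 passwords crossing the internet in the clear; if remote users really need their mail, the TCP 443 SSL access lrmoore mentions is the door to open instead, and minimal_policy() is the rule set for the case the question actually describes.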
 
LVL 79

Expert Comment

by:lrmoore
ID: 7708986
This question appears to be abandoned. I will allow one week before I close this question with the following recommendation:

I recommend rejecting RUSTLER's proposed answer and splitting the points, awarding
20 to geoffryn
20 to lrmoore
20 to jwalsh88
20 to sunbow
20 to alfaisal

If there is any objection to this recommendation, then please post here within 7 days.

thanks,

lrmoore
EE Cleanup Volunteer
---------------------
0
 
LVL 79

Expert Comment

by:lrmoore
ID: 7956726
That much of a point split is not a good idea. PAQ.
0
 
LVL 5

Accepted Solution

by:
Netminder earned 0 total points
ID: 7963226
Per recommendation, points NOT refunded and question closed.

Netminder
EE Admin
0
 
LVL 5

Expert Comment

by:zenlion420
ID: 9706091
Hey people,

No comment has been added in roughly 1 year, so it's time to clean up this TA.
I will leave a recommendation in the Cleanup topic area that this question
be PAQ'd and pts forfeited.
Please leave any comments here within the next seven days.

PLEASE DO NOT ACCEPT THIS COMMENT AS AN ANSWER!

Zenlion420
EE Page Editor

..................................again :)
0
