Solved

OWA ports needed in DMZ

Posted on 2003-03-13
568 Views
Last Modified: 2012-08-14
I have Exchange 5.5 on an NT 4.0 PDC with OWA on a W2K server in the DMZ, but am not sure that I have the correct ports open. I have allowed just HTTP and SSL to the external address of the OWA server; from the OWA to Exchange internal is port 135, and I have mapped the directory service and the information store ports to 1225 and 1226 and opened them as it says in http://support.microsoft.com/default.aspx?scid=kb;en-us;259240. I have also allowed 1024 through 65535 from Exchange to OWA.

However, it does not always work with this configuration. Do I need to open any other ports? I sometimes get "There are currently no logon servers available to service the logon request." I notice in Q259240 there is a bit at the bottom that says "NOTE: The OWA server must also be a member of the domain where the mailboxes reside. For additional information about how to configure that access, click the article number below to view the article in the Microsoft Knowledge Base: 179442 How to Configure a Firewall for Domains and Trusts". This involves opening a lot of NetBIOS ports. When I open these (137, 138, 139) it works every time, but it is a lot less secure.

So do I need to open any other ports, i.e. the NetBIOS ones, and how come it is working intermittently? I am using Checkpoint FW-1 4.1.




Question by:johncan20
11 Comments
 
LVL 1

Expert Comment

by:tc982
ID: 8127975
You should use the front end with the back end topology.

You should place your front end server in the DMZ zone, and open the Exchange ports and the AD ports!

Try to find a guide about how to set this up, as I do not have enough experience to show you!
Author Comment

by:johncan20
ID: 8128016
I do have it in that config and the Exchange ports are open. Do I need to open any others (not AD, as the DC is NT 4.0), like NetBIOS?

LVL 1

Expert Comment

by:tc982
ID: 8128059
No, but I do not know how they authenticate (on which ports), but they should be open (maybe it is Kerberos you should open?).

You can of course open the NetBIOS ports on the router so that it only allows that machine to access your main machine!
Author Comment

by:johncan20
ID: 8128203
It just so happens that the main file/data store is on the Exchange server, which is also the PDC, so if the OWA box is compromised then everything important to us is also compromised, since you can browse all shared folders as NetBIOS is allowed.
LVL 37

Expert Comment

by:Jamie McKillop
ID: 8129222
Unfortunately, you do need to open those NetBIOS ports. The OWA server needs to authenticate users against your NT SAM database, so unless you put a BDC in your DMZ, you need to allow your OWA server to authenticate to your PDC on the internal domain.
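As an added illustration (not code from anyone in this thread), here is a small Python model of the rule set described in the question, audited against the flows the two cited KB articles call for: Exchange RPC from Q259240 and NT domain membership from Q179442. The host labels `internet`, `owa` and `pdc`, and the protocol assumed for each NetBIOS port (137/udp, 138/udp, 139/tcp), are my assumptions, not FW-1 objects from the asker's policy.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    """One allow rule: source host, destination host, protocol, inclusive port range."""
    src: str
    dst: str
    proto: str
    lo: int
    hi: int


def permits(rules, src, dst, proto, port):
    """True if any allow rule covers the flow; anything not matched is dropped (deny by default)."""
    return any(r.src == src and r.dst == dst and r.proto == proto and r.lo <= port <= r.hi
               for r in rules)


# Flows an OWA box on a separate server needs. 'pdc' is both the NT 4.0 PDC and the
# Exchange 5.5 server, as in the question. NetBIOS protocols are assumed, not from the thread.
REQUIRED = [
    ("HTTP to OWA", "internet", "owa", "tcp", 80),
    ("HTTPS to OWA", "internet", "owa", "tcp", 443),
    ("RPC endpoint mapper (Q259240)", "owa", "pdc", "tcp", 135),
    ("Directory service, static port (Q259240)", "owa", "pdc", "tcp", 1225),
    ("Information store, static port (Q259240)", "owa", "pdc", "tcp", 1226),
    ("NetBIOS name service (Q179442)", "owa", "pdc", "udp", 137),
    ("NetBIOS datagram (Q179442)", "owa", "pdc", "udp", 138),
    ("NetBIOS session / SMB (Q179442)", "owa", "pdc", "tcp", 139),
]


def audit(rules):
    """Return the names of required flows that the rule set does not permit."""
    return [name for name, s, d, p, port in REQUIRED if not permits(rules, s, d, p, port)]


# Constructed model of the asker's rule set as described in the question (not an FW-1 export).
ASKER_RULES = [
    Rule("internet", "owa", "tcp", 80, 80),
    Rule("internet", "owa", "tcp", 443, 443),
    Rule("owa", "pdc", "tcp", 135, 135),
    Rule("owa", "pdc", "tcp", 1225, 1226),
    Rule("pdc", "owa", "tcp", 1024, 65535),  # RPC replies back to the OWA box
]

# Same set plus the NT domain logon flows, scoped to the single OWA host -> PDC pair
# rather than opened to the whole DMZ.
FIXED_RULES = ASKER_RULES + [
    Rule("owa", "pdc", "udp", 137, 138),
    Rule("owa", "pdc", "tcp", 139, 139),
]

if __name__ == "__main__":
    print("missing with the asker's rules:", audit(ASKER_RULES))
    print("missing with NetBIOS added:", audit(FIXED_RULES))
```

With the asker's rules the audit lists exactly the three NetBIOS flows, which matches the logon-server error; with the scoped rules added nothing is missing, while the same ports stay closed from any other source.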
Author Comment

by:johncan20
ID: 8129295
OK, thanks. Maybe I need to move our datastore/shared drives off the PDC; then the files couldn't be accessed, as only NetBIOS is allowed between OWA and the PDC/Exchange.

So what's the best way to make it more secure? Perhaps by taking off File and Print Sharing or Client for MS Networks. I tried using the IIS Lockdown tool but that stopped it working altogether.
LVL 37

Accepted Solution

by:
Jamie McKillop earned 500 total points
ID: 8129349
Because your Exchange server is also a domain controller, there is only so much you are going to be able to do to mitigate your risk. You can't remove Client for MS Networks or you won't be able to connect to the domain. If possible, I would look at moving Exchange off the PDC onto a dedicated box. That will provide the best security.
LVL 20

Expert Comment

by:What90
ID: 10885088
No comment has been added to this question in more than 21 days, so it is now classified as abandoned.

I will leave the following recommendation for this question in the Cleanup topic area:
   accept:  jjmck

Any objections should be posted here in the next 4 days. After that time, the question will be closed.

What90
EE Cleanup Volunteer