Solved

Computer Active directory behind firewall

Posted on 2004-04-02
1,397 Views
Last Modified: 2013-11-16
This is the Scenario:

Workstation:
Windows 2000 SP4
Outlook 2000/XP/2003

Firewall:
Checkpoint Firewall One NG FP3

Domain Controller and Mail server:
Windows 2000 Server SP4.
MS Exchange 2000 SP3.

The needs:
Create a secure rule so I am able to:
Install the workstation.
Join it to the domain.
Configure Outlook and have connectivity with the Exchange server.
Log in to the domain.
Use the server as a file and print server.

Thanks.



 
Question by:maximilianoozyilmaz
6 Comments
 
LVL 20

Expert Comment

by:What90
ID: 10740074
Why not simply make a VPN connection to the Firewall (you'd need the VPN-1 addon) from the workstation?

That would give you all the security and access to the network you'd need.

See if you have any Checkpoint VPN clients already. If you do, then just install the VPN client on the workstation and then make the VPN connection to the Checkpoint Firewall/VPN.

If not, then look to buying the required licenses from a Checkpoint reseller.
 

Author Comment

by:maximilianoozyilmaz
ID: 10740142
You are telling me that there is no way I can do this without using VPN clients?
The security is because I don't trust the workstations...  :O)
If I give them a VPN connection, is it the same as if I have a rule:

Source          Dest.      Service     Action
Workstations -> server ->  any     ->  accept



 
LVL 20

Expert Comment

by:What90
ID: 10740298
You could do it by fixed ip addresses, however it leaves you wide open to a number of nasties that way. With the vpn client at least you know and can control access times and numbers.

Yep, the rule is correct. You can also deny them access to other servers/subnets if you feel inclined that way too.


 

Author Comment

by:maximilianoozyilmaz
ID: 10740470
The workstations have static IPs.
I need to know what services I have to open to those workstations so they can only use Exchange, the domain (DNS, etc.) and the file and print sharing services.
 
LVL 11

Assisted Solution

by:billwharton
billwharton earned 100 total points
ID: 10740827
Add in the following services to your checkpoint. For Exchange ports - outlook, refer to this document:
http://support.microsoft.com/default.aspx?scid=kb;en-us;278339

TCP 25 SMTP
UDP/TCP 53  DNS
TCP 80 HTTP  
TCP 110 POP3
UDP/TCP 389  LDAP  
UDP/TCP 500  ISAKMP/Oakley negotiation traffic (IPSec)  
UDP/TCP 636  LDAP (over TLS/SSL)  
UDP 88  Kerberos  
UDP/TCP 750, 751  Kerberos Authentication  
UDP 752  Kerberos Password Server  
UDP 753  Kerberos User Registration Server  
TCP 522  User Location Store  
TCP 754  Kerberos Slave Propagation  
TCP 888  Logon and Environment Passing
TCP 1433 SQL  
TCP Dynamic  Directory Replication  
TCP 2053  Kerberos de-multiplexor (Kerberos V4)  
TCP 2105  Kerberos encrypted login  
TCP 3268  Global Catalog  
TCP 3269  Global Catalog  
TCP 3389 RDP
 
LVL 23

Accepted Solution

by:rhandels
rhandels earned 400 total points
ID: 10751908
I wouldn't open these ports. If you do this, even if the workstations have fixed IP addresses, you still have a security hole...

If you install Secure Client NG you can add a rule like this

Secure Clients  --> Mail server --> Allowed Protocols --> Encrypted.

If you are using Checkpoint (still the best firewall there is...) then try using its features. It works like a charm......

The other problem is that you never really know what kind of services you need. If you make it encrypted, you have a way to start and you can delete the protocols afterwards....
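As an added example (not code from the thread, from Check Point, or from any of the posters), here is a small Python rule-base evaluator that parses billwharton's service list above into (protocol, port) pairs and compares, side by side, the three options the thread discusses: the broad "Workstations -> server -> any -> accept" rule, the same rule narrowed to the listed services, and the Secure Client style rule rhandels describes, which only accepts a session when it arrives encrypted. The address ranges, rule names, `Conn`/`Rule` types and sample connections are constructed for this example; first-match-wins with an implicit cleanup drop mirrors the usual Check Point rule-base semantics.

```python
"""Toy rule-base evaluator for the firewall options discussed in the thread.

Added example, not code from the thread or from Check Point. Addresses are
constructed from the RFC 5737 documentation ranges.
"""
import re
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

# Service list exactly as posted in the thread (one entry per line).
SERVICE_TEXT = """
TCP 25 SMTP
UDP/TCP 53  DNS
TCP 80 HTTP
TCP 110 POP3
UDP/TCP 389  LDAP
UDP/TCP 500  ISAKMP/Oakley negotiation traffic (IPSec)
UDP/TCP 636  LDAP (over TLS/SSL)
UDP 88  Kerberos
UDP/TCP 750, 751  Kerberos Authentication
UDP 752  Kerberos Password Server
UDP 753  Kerberos User Registration Server
TCP 522  User Location Store
TCP 754  Kerberos Slave Propagation
TCP 888  Logon and Environment Passing
TCP 1433 SQL
TCP Dynamic  Directory Replication
TCP 2053  Kerberos de-multiplexor (Kerberos V4)
TCP 2105  Kerberos encrypted login
TCP 3268  Global Catalog
TCP 3269  Global Catalog
TCP 3389 RDP
"""

# "<protos> <port[, port]|Dynamic> <service name>"; the name must start with a letter
_LINE = re.compile(r"^(?P<protos>UDP/TCP|TCP|UDP)\s+(?P<ports>Dynamic|[\d,\s]+?)\s+(?P<name>[A-Za-z].*)$")


def parse_services(text):
    """Return ({(proto, port), ...}, [names of entries that have no fixed port])."""
    services, dynamic = set(), []
    for line in text.strip().splitlines():
        m = _LINE.match(line.strip())
        if not m:
            raise ValueError(f"unrecognised service line: {line!r}")
        protos = m["protos"].lower().split("/")
        if m["ports"] == "Dynamic":
            dynamic.append(m["name"])  # cannot be expressed as a static port rule
            continue
        for port in m["ports"].replace(",", " ").split():
            for proto in protos:
                services.add((proto, int(port)))
    return services, dynamic


@dataclass(frozen=True)
class Conn:
    src: str
    dst: str
    proto: str
    dport: int
    encrypted: bool = False  # True when the packet arrived inside a VPN tunnel


@dataclass(frozen=True)
class Rule:
    name: str
    src: str                       # CIDR of permitted sources
    dst: str                       # CIDR of permitted destinations
    services: Optional[frozenset]  # None means "any"
    action: str                    # "accept" or "drop"
    require_encrypted: bool = False

    def matches(self, c):
        if ip_address(c.src) not in ip_network(self.src):
            return False
        if ip_address(c.dst) not in ip_network(self.dst):
            return False
        if self.services is not None and (c.proto, c.dport) not in self.services:
            return False
        return c.encrypted or not self.require_encrypted


def evaluate(rulebase, conn):
    """First matching rule wins; an implicit cleanup rule drops everything else."""
    for rule in rulebase:
        if rule.matches(conn):
            return rule.action, rule.name
    return "drop", "cleanup"


WORKSTATIONS = "192.0.2.0/28"    # constructed: the fixed-IP workstations
SERVER = "192.0.2.100/32"        # constructed: the DC + Exchange box
LISTED, DYNAMIC = parse_services(SERVICE_TEXT)

BROAD = [Rule("ws-to-server-any", WORKSTATIONS, SERVER, None, "accept")]
NARROWED = [Rule("ws-to-server-listed", WORKSTATIONS, SERVER, frozenset(LISTED), "accept")]
VPN = [Rule("secureclient-to-server", WORKSTATIONS, SERVER, frozenset(LISTED), "accept", True)]
POLICIES = {"broad": BROAD, "narrowed": NARROWED, "vpn": VPN}


def compare(conn):
    """Action each policy takes on one connection, for side-by-side review."""
    return {name: evaluate(rb, conn)[0] for name, rb in POLICIES.items()}


if __name__ == "__main__":
    ws, srv = "192.0.2.5", "192.0.2.100"
    for c in (Conn(ws, srv, "tcp", 25), Conn(ws, srv, "tcp", 25, True),
              Conn(ws, srv, "tcp", 3389), Conn(ws, srv, "tcp", 1025),
              Conn("198.51.100.7", srv, "tcp", 25)):
        print(c, compare(c))
    print("no fixed port:", DYNAMIC)
```

Running it shows the points the thread argues over: the narrowed list still accepts RDP (3389) and SQL (1433) from every workstation although mail and domain logon do not need them, the "Dynamic" replication entry cannot be written as a fixed port at all (and the RPC-based file, print and Outlook/MAPI traffic the question needs has the same problem), and the VPN-gated rule drops the identical cleartext connection until it arrives inside the tunnel.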
