Solved

Computer Active directory behind firewall

Posted on 2004-04-02
6
1,444 Views
Last Modified: 2013-11-16
This is the Scenario:

Workstation:
Windows 2000 SP4
Outlook 2000/XP/2003

Firewall:
Checkpoint Firewall One NG FP3

Domain Controller and Mail server:
Windows 2000 Server SP4.
MS Exchange 2000 SP3.

The needs:
Create a secure rule so i be able to:
Install workstation.
Join to the domain.
Configure outlook and have conectivity with the exchange server.
Login to the domain.
Use the server as a File and Print server.

Thanks.



 
0
Comment
Question by:maximilianoozyilmaz
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
6 Comments
 
LVL 20

Expert Comment

by:What90
ID: 10740074
Why not simply make a VPN connection to the Firewall (you'd need the VPN-1 addon) from the workstation?

That would give you all the security and access to the network you'd need.

See if you have any Checkpoint VPn clients already. If you do then just install the VPN client on the workstation and then make the VPN connection to the Checkpoint Firewall/VPN.

If not then look to buying the licenses required for a Checkpoint reseller.
0
 

Author Comment

by:maximilianoozyilmaz
ID: 10740142
You are telling me that there is no way i can do this without using VPN clients?
The security is because i don't trust the workstations...  :O)
If i give them a VPN connection is the same if i have a rule:

Source               Dest.       service           Accion
Wokstations --> server -->    any      -->  accept



0
 
LVL 20

Expert Comment

by:What90
ID: 10740298
You could do it by fixed ip addresses, however it leaves you wide open to a number of nasties that way. With the vpn client at least you know and can control access times and numbers.

Yep, the rule is correct, you can also deny them access to other servers/subnets if you feel inclinded that way too.

0
What Is Transaction Monitoring and who needs it?

Synthetic Transaction Monitoring that you need for the day to day, which ensures your business website keeps running optimally, and that there is no downtime to impact your customer experience.

 

Author Comment

by:maximilianoozyilmaz
ID: 10740470
the workstation have static ips.
I need to know what services i have to open to those workstations for them only to use the exchange, the domain(dns, etc.) and file and print sharings services.
0
 
LVL 11

Assisted Solution

by:billwharton
billwharton earned 100 total points
ID: 10740827
Add in the following services to your checkpoint. For Exchange ports - outlook, refer to this document:
http://support.microsoft.com/default.aspx?scid=kb;en-us;278339

TCP 25 SMTP
UDP/TCP 53  DNS
TCP 80 HTTP  
TCP 110 POP3
UDP/TCP 389  LDAP  
UDP/TCP 500  ISAKMP/Oakley negotiation traffic (IPSec)  
UDP/TCP 636  LDAP (over TLS/SSL)  
UDP 88  Kerberos  
UDP/TCP 750, 751  Kerberos Authentication  
UDP 752  Kerberos Password Server  
UDP 753  Kerberos User Registration Server  
TCP 522  User Location Store  
TCP 754  Kerberos Slave Propagation  
TCP 888  Logon and Environment Passing
TCP 1433 SQL  
TCP Dynamic  Directory Replication  
TCP 2053  Kerberos de-multiplexor (Kerberos V4)  
TCP 2105  Kerberos encrypted login  
TCP 3268  Global Catalog  
TCP 3269  Global Catalog  
TCP 3389 RDP
0
 
LVL 23

Accepted Solution

by:
rhandels earned 400 total points
ID: 10751908
I would't open these ports. If you do this, even if the workstations have fixed ip adresses, you still have a security hole...

If you install Secure Client NG you can add a rule like this

Secure Clients  --> Mail server --> Allowed Protocols --> Encrypted.

If you are using Checkpoint (still the best firewall there is...) then try using it's features. It works like a charme......

The other problem is that you never really know what kind of services you need. If you make it encrypted, you have a way to start and you can delete the protocols afterwords....
0

Featured Post

2017 Webroot Threat Report

MSPs: Get the facts you need to protect your clients.
The 2017 Webroot Threat Report provides a uniquely insightful global view into the analysis and discoveries made by the Webroot® Threat Intelligence Platform to provide insights on key trends and risks as seen by our users.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

To setup a SonicWALL for policy based routing to be used with the Websense Content Gateway there are several steps that need to be completed. Below is a rough guide for accomplishing this. One thing of note is this guide is intended to assist in the…
The DROP (Spamhaus Don't Route Or Peer List) is a small list of IP address ranges that have been stolen or hijacked from their rightful owners. The DROP list is not a DNS based list.  It is designed to be downloaded as a file, with primary intention…
If you’ve ever visited a web page and noticed a cool font that you really liked the look of, but couldn’t figure out which font it was so that you could use it for your own work, then this video is for you! In this Micro Tutorial, you'll learn yo…
Add bar graphs to Access queries using Unicode block characters. Graphs appear on every record in the color you want. Give life to numbers. Hopes this gives you ideas on visualizing your data in new ways ~ Create a calculated field in a query: …

688 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question