Solved

Computer Active Directory behind firewall

Posted on 2004-04-02
Last Modified: 2013-11-16
This is the Scenario:

Workstation:
Windows 2000 SP4
Outlook 2000/XP/2003

Firewall:
Checkpoint Firewall One NG FP3

Domain Controller and Mail server:
Windows 2000 Server SP4.
MS Exchange 2000 SP3.

The needs:
Create a secure rule so I am able to:
Install the workstation.
Join the domain.
Configure Outlook and have connectivity with the Exchange server.
Log in to the domain.
Use the server as a file and print server.

Thanks.

Question by:maximilianoozyilmaz
6 Comments
 
LVL 20

Expert Comment

by:What90
ID: 10740074
Why not simply make a VPN connection to the Firewall (you'd need the VPN-1 addon) from the workstation?

That would give you all the security and access to the network you'd need.

See if you have any Checkpoint VPN clients already. If you do, then just install the VPN client on the workstation and then make the VPN connection to the Checkpoint Firewall/VPN.

If not, then look to buying the licenses required from a Checkpoint reseller.
 

Author Comment

by:maximilianoozyilmaz
ID: 10740142
You are telling me that there is no way I can do this without using VPN clients?
The security is because I don't trust the workstations...  :O)
If I give them a VPN connection, it is the same as if I have a rule:

Source          Dest.      Service    Action
Workstations -> server ->  any     -> accept



 
LVL 20

Expert Comment

by:What90
ID: 10740298
You could do it by fixed IP addresses; however, it leaves you wide open to a number of nasties that way. With the VPN client at least you know and can control access times and numbers.

Yep, the rule is correct. You can also deny them access to other servers/subnets if you feel inclined that way too.


Author Comment

by:maximilianoozyilmaz
ID: 10740470
The workstations have static IPs.
I need to know what services I have to open to those workstations so that they only use Exchange, the domain (DNS, etc.) and the file and print sharing services.
 
LVL 11

Assisted Solution

by:billwharton
billwharton earned 100 total points
ID: 10740827
Add the following services to your Checkpoint. For the Exchange/Outlook ports, refer to this document:
http://support.microsoft.com/default.aspx?scid=kb;en-us;278339

TCP 25            SMTP
UDP/TCP 53        DNS
TCP 80            HTTP
TCP 110           POP3
UDP/TCP 389       LDAP
UDP/TCP 500       ISAKMP/Oakley negotiation traffic (IPSec)
UDP/TCP 636       LDAP (over TLS/SSL)
UDP 88            Kerberos
UDP/TCP 750, 751  Kerberos Authentication
UDP 752           Kerberos Password Server
UDP 753           Kerberos User Registration Server
TCP 522           User Location Store
TCP 754           Kerberos Slave Propagation
TCP 888           Logon and Environment Passing
TCP 1433          SQL
TCP Dynamic       Directory Replication
TCP 2053          Kerberos de-multiplexor (Kerberos V4)
TCP 2105          Kerberos encrypted login
TCP 3268          Global Catalog
TCP 3269          Global Catalog
TCP 3389          RDP
 
LVL 23

Accepted Solution

by:
rhandels earned 400 total points
ID: 10751908
I wouldn't open these ports. If you do this, even if the workstations have fixed IP addresses, you still have a security hole...

If you install Secure Client NG you can add a rule like this:

Secure Clients --> Mail server --> Allowed Protocols --> Encrypted.

If you are using Checkpoint (still the best firewall there is...) then try using its features. It works like a charm...

The other problem is that you never really know what kind of services you need. If you make it encrypted, you have a way to start and you can delete the protocols afterwards...
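An added example, not code from this thread, from Check Point or from Microsoft: it follows the approach rhandels describes (start with a permissive, logged rule, then prune to the protocols actually used) and checks billwharton's port list against such a log. The log lines are constructed and their format is invented; the hosts and timestamps are made up, but the destination ports are the ones a Windows 2000 workstation really opens towards a domain controller and Exchange 2000 server when it joins, logs on, runs Outlook and maps a share (DNS 53, Kerberos 88, LDAP 389 and 3268, RPC endpoint mapper TCP 135, NetBIOS 137/139, SMB 445, plus dynamic high TCP ports that the endpoint mapper hands out to Outlook's MAPI session). The function and variable names are my own.

```python
"""Audit a candidate firewall rule set against the flows a domain client
actually generates.

Added example for the thread above (not the thread's own code, nor
Check Point's or Microsoft's).  Constructed log lines of one workstation
session under a temporary "Workstations -> Server, any, accept, log" rule
are compared with the fixed-port list posted in the thread.
"""
import re
from collections import Counter

# Services from the comment by billwharton, as (protocol, port).  The
# entry "TCP Dynamic  Directory Replication" names no port and cannot be a
# rule, so it is left out.
POSTED_RULES = {
    ("tcp", 25), ("udp", 53), ("tcp", 53), ("tcp", 80), ("tcp", 110),
    ("udp", 389), ("tcp", 389), ("udp", 500), ("tcp", 500),
    ("udp", 636), ("tcp", 636), ("udp", 88),
    ("udp", 750), ("tcp", 750), ("udp", 751), ("tcp", 751),
    ("udp", 752), ("udp", 753), ("tcp", 522), ("tcp", 754), ("tcp", 888),
    ("tcp", 1433), ("tcp", 2053), ("tcp", 2105), ("tcp", 3268),
    ("tcp", 3269), ("tcp", 3389),
}

# Constructed log (invented format, hosts and times).  The last line is a
# non-flow record to show that unparsable lines are skipped, not counted.
SAMPLE_LOG = """\
2004-04-02 09:00:01 src=10.1.2.50 dst=10.1.1.10 proto=udp dport=53 action=accept
2004-04-02 09:00:02 src=10.1.2.50 dst=10.1.1.10 proto=udp dport=389 action=accept
2004-04-02 09:00:02 src=10.1.2.50 dst=10.1.1.10 proto=udp dport=88 action=accept
2004-04-02 09:00:03 src=10.1.2.50 dst=10.1.1.10 proto=tcp dport=88 action=accept
2004-04-02 09:00:03 src=10.1.2.50 dst=10.1.1.10 proto=tcp dport=389 action=accept
2004-04-02 09:00:04 src=10.1.2.50 dst=10.1.1.10 proto=tcp dport=3268 action=accept
2004-04-02 09:00:04 src=10.1.2.50 dst=10.1.1.10 proto=tcp dport=135 action=accept
2004-04-02 09:00:05 src=10.1.2.50 dst=10.1.1.10 proto=tcp dport=445 action=accept
2004-04-02 09:00:05 src=10.1.2.50 dst=10.1.1.10 proto=udp dport=137 action=accept
2004-04-02 09:00:06 src=10.1.2.50 dst=10.1.1.10 proto=tcp dport=139 action=accept
2004-04-02 09:05:10 src=10.1.2.50 dst=10.1.1.10 proto=tcp dport=1026 action=accept
2004-04-02 09:05:11 src=10.1.2.50 dst=10.1.1.10 proto=tcp dport=1028 action=accept
2004-04-02 09:05:12 fw1 kernel: policy installed
"""

FLOW_RE = re.compile(
    r"src=(?P<src>\S+) dst=(?P<dst>\S+) proto=(?P<proto>tcp|udp) dport=(?P<dport>\d+)"
)


def parse_flows(log_text):
    """Return (src, dst, proto, dport) for every well-formed flow line."""
    flows = []
    for line in log_text.splitlines():
        m = FLOW_RE.search(line)
        if not m:
            continue  # not a flow record: skip rather than misclassify
        flows.append((m["src"], m["dst"], m["proto"], int(m["dport"])))
    return flows


def services_used(flows):
    """Distinct (proto, dport) pairs with a hit count for each."""
    return Counter((proto, dport) for _, _, proto, dport in flows)


def audit(posted, used, dynamic_from=1024):
    """Compare a candidate rule set with the services observed in the log.

    missing: observed well-known services the candidate rules would drop
    dynamic: observed high ports (RPC endpoint mapper assignments) that no
             fixed-port rule covers; they need a port-range rule or a
             static port pinned on the server
    unused:  candidate rules no observed flow needed (remove them)
    """
    used_set = set(used)
    missing = sorted(s for s in used_set - posted if s[1] < dynamic_from)
    dynamic = sorted(s for s in used_set - posted if s[1] >= dynamic_from)
    unused = sorted(posted - used_set)
    return {"missing": missing, "dynamic": dynamic, "unused": unused}


def run_audit(log_text=SAMPLE_LOG, posted=POSTED_RULES):
    """Parse the log, collect the services it shows and audit the rules."""
    return audit(posted, services_used(parse_flows(log_text)))


if __name__ == "__main__":
    for key, entries in run_audit().items():
        print(f"{key}:")
        for proto, port in entries:
            print(f"  {proto}/{port}")
```

Run against the constructed session, the audit flags RPC endpoint mapper 135, SMB 445, NetBIOS 137/139 and Kerberos over TCP as services the posted list would drop (domain join, logon and file/print would fail), puts the two high ports into the dynamic bucket, and lists the Kerberos v4 ports 750-754, 2053 and 2105, SQL 1433, RDP 3389 and the mail ports as unused, which is the least-privilege pruning rhandels describes. The same loop can be re-run on the real firewall log before the permissive rule is removed.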
