Solved

Computer Active directory behind firewall

Posted on 2004-04-02
1,462 Views
Last Modified: 2013-11-16
This is the Scenario:

Workstation:
Windows 2000 SP4
Outlook 2000/XP/2003

Firewall:
Checkpoint Firewall One NG FP3

Domain Controller and Mail server:
Windows 2000 Server SP4.
MS Exchange 2000 SP3.

The needs:
Create a secure rule so that I am able to:
Install the workstation.
Join it to the domain.
Configure Outlook and have connectivity with the Exchange server.
Login to the domain.
Use the server as a File and Print server.

Thanks.
Question by:maximilianoozyilmaz
6 Comments
 
LVL 20

Expert Comment

by:What90
ID: 10740074
Why not simply make a VPN connection to the Firewall (you'd need the VPN-1 addon) from the workstation?

That would give you all the security and access to the network you'd need.

See if you have any Checkpoint VPN clients already. If you do, then just install the VPN client on the workstation and then make the VPN connection to the Checkpoint Firewall/VPN.

If not, then look to buying the required licenses from a Checkpoint reseller.
0
 

Author Comment

by:maximilianoozyilmaz
ID: 10740142
You are telling me that there is no way I can do this without using VPN clients?
The security is because I don't trust the workstations...  :O)
If I give them a VPN connection, it is the same as if I have a rule:

Source         Dest.      Service    Action
Workstations   server     any        accept



0
 
LVL 20

Expert Comment

by:What90
ID: 10740298
You could do it by fixed ip addresses, however it leaves you wide open to a number of nasties that way. With the vpn client at least you know and can control access times and numbers.

Yep, the rule is correct. You can also deny them access to other servers/subnets if you feel inclined that way too.

0
 

Author Comment

by:maximilianoozyilmaz
ID: 10740470
The workstations have static IPs.
I need to know which services I have to open to those workstations so that they can only use Exchange, the domain (DNS, etc.) and the file and print sharing services.
0
 
LVL 11

Assisted Solution

by:billwharton
billwharton earned 400 total points
ID: 10740827
Add the following services to your Checkpoint. For the Exchange/Outlook ports, refer to this document:
http://support.microsoft.com/default.aspx?scid=kb;en-us;278339

TCP 25              SMTP
UDP/TCP 53          DNS
TCP 80              HTTP
TCP 110             POP3
UDP/TCP 389         LDAP
UDP/TCP 500         ISAKMP/Oakley negotiation traffic (IPSec)
UDP/TCP 636         LDAP (over TLS/SSL)
UDP 88              Kerberos
UDP/TCP 750, 751    Kerberos Authentication
UDP 752             Kerberos Password Server
UDP 753             Kerberos User Registration Server
TCP 522             User Location Store
TCP 754             Kerberos Slave Propagation
TCP 888             Logon and Environment Passing
TCP 1433            SQL
TCP Dynamic         Directory Replication
TCP 2053            Kerberos de-multiplexor (Kerberos V4)
TCP 2105            Kerberos encrypted login
TCP 3268            Global Catalog
TCP 3269            Global Catalog
TCP 3389            RDP
0
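The asker's shortcut rule (Workstations -> server -> any -> accept) and the port list above sit at opposite ends of the same problem: one permits everything, the other permits a long list in which it is not obvious which entries the four stated needs (domain join/logon, Outlook to Exchange, DNS, file and print) actually use, or which common ones are absent. The following script is an added example, not code from this thread or from Check Point. It parses a service list in exactly the format posted above, models rules with the same source/destination/service/action columns, and reports three things: rules that accept "any" service, accepted services that serve none of the stated needs, and baseline services no rule permits. The REQUIRED baseline is my own assumption for Windows 2000 clients using Outlook over MAPI/RPC against a Windows 2000 DC that is also the Exchange 2000 server; it is not something the thread states, so review it against your environment before acting on the report.

```python
"""
Least-privilege audit of a Check Point style rule base for the scenario in
this thread. Added example, not code from the thread. PROPOSED_TEXT copies
the service list posted above; REQUIRED is an ASSUMED baseline (mine, not the
thread's) of what the asker's four stated needs use on Windows 2000 when
Outlook talks to Exchange over MAPI/RPC. Adjust it for your own environment.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Set

ANY = "any"  # the asker's proposed "Workstations -> server -> any -> accept"

# The needs stated in the question; every permitted service must serve one.
NEEDS = {"dns", "domain", "exchange", "fileprint"}

# ASSUMED baseline: "proto/port" -> needs it serves ("dynamic" = RPC high ports).
REQUIRED: Dict[str, FrozenSet[str]] = {
    "udp/53": frozenset({"dns"}), "tcp/53": frozenset({"dns"}),
    "udp/88": frozenset({"domain"}), "tcp/88": frozenset({"domain"}),   # Kerberos v5
    "udp/123": frozenset({"domain"}),                                   # NTP: Kerberos clock skew
    "udp/389": frozenset({"domain"}), "tcp/389": frozenset({"domain"}), # LDAP
    "tcp/3268": frozenset({"domain"}),                                  # Global Catalog
    "tcp/135": frozenset({"domain", "exchange"}),                       # RPC endpoint mapper
    "tcp/dynamic": frozenset({"domain", "exchange"}),                   # RPC high ports; pin them statically
    "tcp/445": frozenset({"domain", "fileprint"}),                      # SMB: SYSVOL/GPO, shares, printers
    "udp/137": frozenset({"fileprint"}), "udp/138": frozenset({"fileprint"}),
    "tcp/139": frozenset({"fileprint"}),                                # NetBIOS over TCP/IP
}

@dataclass(frozen=True)
class Rule:
    source: str
    dest: str
    service: str   # "proto/port", "proto/dynamic" or ANY
    action: str

# Copied from the list posted in this thread (used here as sample input).
PROPOSED_TEXT = """\
TCP 25 SMTP
UDP/TCP 53  DNS
TCP 80 HTTP
TCP 110 POP3
UDP/TCP 389  LDAP
UDP/TCP 500  ISAKMP/Oakley negotiation traffic (IPSec)
UDP/TCP 636  LDAP (over TLS/SSL)
UDP 88  Kerberos
UDP/TCP 750, 751  Kerberos Authentication
UDP 752  Kerberos Password Server
UDP 753  Kerberos User Registration Server
TCP 522  User Location Store
TCP 754  Kerberos Slave Propagation
TCP 888  Logon and Environment Passing
TCP 1433 SQL
TCP Dynamic  Directory Replication
TCP 2053  Kerberos de-multiplexor (Kerberos V4)
TCP 2105  Kerberos encrypted login
TCP 3268  Global Catalog
TCP 3269  Global Catalog
TCP 3389 RDP
"""

def parse_services(text: str) -> List[str]:
    """Turn lines like 'UDP/TCP 750, 751  Kerberos Authentication' into
    'udp/750', 'udp/751', 'tcp/750', 'tcp/751'. The port list ends at the
    first token that is neither a number nor 'Dynamic' (the description)."""
    services: List[str] = []
    for line in text.splitlines():
        tokens = line.replace(",", " ").split()
        if not tokens:
            continue
        protos = [p.lower() for p in tokens[0].split("/")]
        ports: List[str] = []
        for tok in tokens[1:]:
            if tok.isdigit() or tok.lower() == "dynamic":
                ports.append(tok.lower())
            else:
                break
        services.extend(f"{p}/{port}" for p in protos for port in ports)
    return services

def rules_from_services(source: str, dest: str, services: List[str]) -> List[Rule]:
    """One accept rule per service, same source and destination objects."""
    return [Rule(source, dest, s, "accept") for s in services]

def audit(rules: List[Rule]) -> Dict[str, List[str]]:
    """Report where a rule base departs from least privilege:
    any_service - accept rules whose service column is 'any'
    unjustified - accepted services that serve none of the stated needs
    missing     - baseline services no accept rule permits (empty if 'any' is used)
    """
    accepted: Set[str] = set()
    any_service: List[str] = []
    for r in rules:
        if r.action != "accept":
            continue
        if r.service == ANY:
            any_service.append(f"{r.source} -> {r.dest}")
        else:
            accepted.add(r.service)
    unjustified = sorted(s for s in accepted if not (REQUIRED.get(s, frozenset()) & NEEDS))
    missing = [] if any_service else sorted(s for s in REQUIRED if s not in accepted)
    return {"any_service": any_service, "unjustified": unjustified, "missing": missing}

if __name__ == "__main__":
    proposed = rules_from_services("Workstations", "server", parse_services(PROPOSED_TEXT))
    for key, value in audit(proposed).items():
        print(f"{key}: {value}")
```

Run stand-alone it prints the report for the posted list; in the "unjustified" bucket you see the entries that the stated needs do not call for under the assumed baseline, and in "missing" the ones the list never opens (notably the RPC endpoint mapper and SMB). Swapping in the single "any" rule makes the "any_service" bucket non-empty and the "missing" check meaningless, which is the point the thread makes about that shortcut.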
 
LVL 23

Accepted Solution

by:rhandels
rhandels earned 1600 total points
ID: 10751908
I wouldn't open these ports. If you do this, even if the workstations have fixed IP addresses, you still have a security hole...

If you install Secure Client NG you can add a rule like this:

Secure Clients  --> Mail server --> Allowed Protocols --> Encrypted.

If you are using Checkpoint (still the best firewall there is...) then try using its features. It works like a charm......

The other problem is that you never really know what kind of services you need. If you make it encrypted, you have a way to start and you can delete the protocols afterwards....
0
Question has a verified solution.