Solved

Computer Active directory behind firewall

Posted on 2004-04-02
6
1,439 Views
Last Modified: 2013-11-16
This is the Scenario:

Workstation:
Windows 2000 SP4
Outlook 2000/XP/2003

Firewall:
Checkpoint Firewall One NG FP3

Domain Controller and Mail server:
Windows 2000 Server SP4.
MS Exchange 2000 SP3.

The needs:
Create a secure rule so i be able to:
Install workstation.
Join to the domain.
Configure outlook and have conectivity with the exchange server.
Login to the domain.
Use the server as a File and Print server.

Thanks.



 
0
Comment
Question by:maximilianoozyilmaz
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
6 Comments
 
LVL 20

Expert Comment

by:What90
ID: 10740074
Why not simply make a VPN connection to the Firewall (you'd need the VPN-1 addon) from the workstation?

That would give you all the security and access to the network you'd need.

See if you have any Checkpoint VPn clients already. If you do then just install the VPN client on the workstation and then make the VPN connection to the Checkpoint Firewall/VPN.

If not then look to buying the licenses required for a Checkpoint reseller.
0
 

Author Comment

by:maximilianoozyilmaz
ID: 10740142
You are telling me that there is no way i can do this without using VPN clients?
The security is because i don't trust the workstations...  :O)
If i give them a VPN connection is the same if i have a rule:

Source               Dest.       service           Accion
Wokstations --> server -->    any      -->  accept



0
 
LVL 20

Expert Comment

by:What90
ID: 10740298
You could do it by fixed ip addresses, however it leaves you wide open to a number of nasties that way. With the vpn client at least you know and can control access times and numbers.

Yep, the rule is correct, you can also deny them access to other servers/subnets if you feel inclinded that way too.

0
How Do You Stack Up Against Your Peers?

With today’s modern enterprise so dependent on digital infrastructures, the impact of major incidents has increased dramatically. Grab the report now to gain insight into how your organization ranks against your peers and learn best-in-class strategies to resolve incidents.

 

Author Comment

by:maximilianoozyilmaz
ID: 10740470
the workstation have static ips.
I need to know what services i have to open to those workstations for them only to use the exchange, the domain(dns, etc.) and file and print sharings services.
0
 
LVL 11

Assisted Solution

by:billwharton
billwharton earned 100 total points
ID: 10740827
Add in the following services to your checkpoint. For Exchange ports - outlook, refer to this document:
http://support.microsoft.com/default.aspx?scid=kb;en-us;278339

TCP 25 SMTP
UDP/TCP 53  DNS
TCP 80 HTTP  
TCP 110 POP3
UDP/TCP 389  LDAP  
UDP/TCP 500  ISAKMP/Oakley negotiation traffic (IPSec)  
UDP/TCP 636  LDAP (over TLS/SSL)  
UDP 88  Kerberos  
UDP/TCP 750, 751  Kerberos Authentication  
UDP 752  Kerberos Password Server  
UDP 753  Kerberos User Registration Server  
TCP 522  User Location Store  
TCP 754  Kerberos Slave Propagation  
TCP 888  Logon and Environment Passing
TCP 1433 SQL  
TCP Dynamic  Directory Replication  
TCP 2053  Kerberos de-multiplexor (Kerberos V4)  
TCP 2105  Kerberos encrypted login  
TCP 3268  Global Catalog  
TCP 3269  Global Catalog  
TCP 3389 RDP
0
 
LVL 23

Accepted Solution

by:
rhandels earned 400 total points
ID: 10751908
I would't open these ports. If you do this, even if the workstations have fixed ip adresses, you still have a security hole...

If you install Secure Client NG you can add a rule like this

Secure Clients  --> Mail server --> Allowed Protocols --> Encrypted.

If you are using Checkpoint (still the best firewall there is...) then try using it's features. It works like a charme......

The other problem is that you never really know what kind of services you need. If you make it encrypted, you have a way to start and you can delete the protocols afterwords....
0

Featured Post

Defend Your Organization from The Greatest Threats

Looking to fill the gaps in your security? Bring together information from the network, endpoint and threat intelligence feeds to really see what's happening in your organization. Join the WatchGuardians in their adventures fighting cyber crime!

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

If you are like regular user of computer nowadays, a good bet that your home computer is on right now, all exposed to world of Internet to be exploited by somebody you do not know and you never will. Internet security issues has been getting worse d…
Do you have a windows based Checkpoint SmartCenter for centralized Checkpoint management?  Have you ever backed up the firewall policy residing on the SmartCenter?  If you have then you know the hassles of connecting to the server, doing an upgrade_…

731 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question