Trend Micro and Firewalls

Hi. I am in the process of installing Trend Micro Client Server Messaging Security for SMB on my SBS 2003 Standard Edition R2. It's a little more complicated than I thought, so I am reading the 332 page manual carefully. I am a bit confused when it comes to the firewall part.

As you know, the CSMS for SMB comes with its own firewall, Personal Firewall. The manual recommends disabling the firewalls which come with Windows or disabling Personal Firewall and opening the correct ports and exceptions in Windows' firewalls. From what I can gather, the Personal Firewall seems more robust. Of course, I know these are all software firewalls. I have a hardware firewall in place.

My question is the manual made reference to the SBS Internet Connection Firewall, which is enabled. But, when I looked in group policy, it showed that firewall as well as the SBS Windows Firewall (Server). There is also the Windows Firewall which is located on each client machine. So, do I disale all of them. Or just the Internet Connection Firewall?

Thanks

Bert
LVL 1
Bert2005Asked:
Who is Participating?
 
Jeffrey Kane - TechSoEasyPrincipal ConsultantCommented:
Bert,

I always disable the TrendMicro Firewall.  Since SBS has a nicely configured group policy that manages the Windows Firewall on workstations, I find that it's just much easier to manage and does the job.

There are TWO Group Policies listed on the server's GPMC: The SBS Internet Connection Firewall and the SBS Windows Firewall.  Both of these are actually to manage the Windows XP Firewall.  Notice in the WMI filter column one says PreSP2 and the other PostSP2.

The SBS Internet Connection Firewall, even though it's enabled doesn't actually apply to anything anymore.  It's the SBS Windows Firewall policy that's now managing the XP SP2 firewalls.

I'd say don't disable either of those... disable the TrendMicro Personal Firewall Service instead.


Jeff
TechSoEasy
0
 
static-voidCommented:
The firewall in TMCSM is built into the officescan agent so you should disable your local firewalls on all protected pcs if your going to use the TM one. However i personally would just stick to the windows firewall, it works fine and is easier to centrally manage
0
 
static-voidCommented:
lol yeah ditto that
0
The Lifecycle Approach to Managing Security Policy

Managing application connectivity and security policies can be achieved more effectively when following a framework that automates repeatable processes and ensures that the right activities are performed in the right order.

 
Bert2005Author Commented:
Well, it's good to have 100% agreement!

I can open a new question if you like, but this seems fairly related and only my last comment.

Would either of you recommend going with the Client Server Messaging Security version over the non-messaging version given the Exchange feature and the Vulnerability Assessment (whatever that does).

Also, are some antivirus programs not compatible with SBS 2003 or, more importantly, is Trend Micro made for SBS 2003? I looked at CA, but it was a little pricey.

Thanks guys.
0
 
static-voidCommented:
exchange feature is realllly useful i found. I use TMCSM on my network and its good to have an email level virus scan. It stops virusus before they even get presented to PCs. if at all possible you should have something in place to stop them at the server level. Im not sure about the SMB thing, talk to your trend rep. I use it on actual exchange but i imagine given its a smb product it will work on SMB
0
 
Bert2005Author Commented:
Thanks static. Appreciate the help. And, it's good to know that you use it and like it.
0
 
Jeffrey Kane - TechSoEasyPrincipal ConsultantCommented:
Bert,

I ONLY use TrendMicro CSM for all of my SBS installations.  It is definitely the most popular amongst the SBS MVP Community as well.  You definitely want CSM, not just the Client/Server version because you do need to have a proper Exchange AV program.

TrendMicro not only works well, it works without needing to ever see it once you've installed the program.  Plus, it is relatively cheap because they don't charge for the server license, just per "seat" (meaning, per workstation).

Jeff
TechSoEasy
0
 
Bert2005Author Commented:
Thanks Jeff. I will definitely go the CSM route.
0
 
Bert2005Author Commented:
So Jeff or static,

I am installing TrendMicro on the server. I will disable the TM's firewall and leave the Windows Firewall running on the clinets. What about the Windows Firewall on the server. I have standard edition and am not using ISA. If Windows Firewall is turned on on the server, then RRAS would need to be disabled correct?
0
 
Jeffrey Kane - TechSoEasyPrincipal ConsultantCommented:
I believe Trend Micro's Firewall is disabled by default... if you accept all the defaults when installing it.

You cannot turn on the Windows Firewall on an SBS.  RRAS is your firewall if you have TWO NICs, and if you only have a single NIC, there is NO firewall that is ON the server... instead you would use a hardware device for that.

Jeff
TechSoEasy
0
 
Bert2005Author Commented:
Thanks.
0
 
Bert2005Author Commented:
So with two NICs, you would use RRAS? But, what about ISA?
0
 
Jeffrey Kane - TechSoEasyPrincipal ConsultantCommented:
Assuming you have two NICs, when you run the CEICW it detects whether or not you have ISA Server installed and if not, it configures RRAS as the firewall.

Jeff
TechSoEasy
0
 
Bert2005Author Commented:
Thanks. I must have missed that comment. I still don't know why anyone would use two NICs without ISA, but I guess some do.
0
 
Jeffrey Kane - TechSoEasyPrincipal ConsultantCommented:
If you don't have a strong firewall, then using two NICs can increase your security.  But the next version of SBS (SBS 2008) will only support a single NIC configuration and will not be coming with ISA Server as an option.  Overall, its generally better to have a good firewall device, such as a SonicWall TZ-series.

Jeff
TechSoEasy
0
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

All Courses

From novice to tech pro — start learning today.