Check Point 1000n Setup

Fig68
Hello Experts, I'm in need of some advice for setting up a new firewall (Check Point 1000n) to replace a Smoothwall firewall. As of last night when I had it hooked up I was able to get internet and email but couldn't get our smartphones to sync with the server and connect to the RDP from outside of our LAN. I do have port 4125 open but do I need to open port 3389 as well?
One other question about a setting on the Smoothwall. Under the Source IP there's "any", Destination port "any" and Destination IP "my server's IP". Now I'm new to firewalls but with this setting enabled is my firewall "open" on all ports? If so, why would the previous IT guy set it up that way?

Thanks again for your help on this
Commented:
Hi,

Firstly to connect using "pure" RDP you will indeed need 3389 open, but if you're using the remote web workplace feature then 4125 should suffice. There can be a few different reasons why this is not connecting, check http://support.microsoft.com/kb/886209 for an example.

You may want to reconsider how this is implemented as exposing your desktop over the internet is not really a good idea - it could allow attackers to try and brute force the account or, if you have a lockout policy e.g. 3 wrong passwords and the account gets locked out for 24 hours, then they could effectively perform a denial-of-service attack, leaving you without connectivity.

A better implementation for this would be to have people VPN into the firewall where they would be authenticated and be assigned an internal IP address and once this condition is satisfied they can then connect to the RDP "internally".

Secondly, your firewall rule: is it an internal IP or external specified? If it is an external IP that your server is NATed behind then this seems to be a rather dangerous rule as it will allow anyone on the internet to connect to any open port on your server. If it is the internal IP, e.g. 10.x.x.x, 192.x.x.x etc, then only internal machines will be able to access open ports on the computer - also not an ideal situation but at least it's not accessible from outside. It's better to lock this down to only the destination ports which are necessary.

HTH
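The two checks grimkin describes (is the destination a NATed external address or a private one, and does the rule allow every destination port) can be expressed as a small audit. The script below is an added example, not Smoothwall or Check Point code; the rule format, the `Rule` class and the sample addresses (203.0.113.10 is a documentation address standing in for the NATed server) are constructed for illustration. It flags an any-source/any-port rule according to whether the destination is private or external, and rewrites such a rule into one rule per needed port, which is the lock-down the answer recommends.

```python
from __future__ import annotations
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# RFC 1918 ranges: a destination inside these is reachable only from the LAN,
# which matches the "10.x.x.x, 192.x.x.x" case in the answer above.
PRIVATE_NETS = [
    ip_network("10.0.0.0/8"),
    ip_network("172.16.0.0/12"),
    ip_network("192.168.0.0/16"),
]


@dataclass(frozen=True)
class Rule:
    """Hypothetical simplified firewall rule (not a vendor rule format)."""
    name: str
    source: str      # "any" or a CIDR/IP literal
    dest_ip: str     # IP literal of the server
    dest_port: str   # "any" or a single TCP port as a string


def is_private(ip: str) -> bool:
    """True if the address is in an RFC 1918 range."""
    addr = ip_address(ip)
    return any(addr in net for net in PRIVATE_NETS)


def audit(rule: Rule) -> list[str]:
    """Return findings for an over-broad rule; an empty list means nothing flagged."""
    findings: list[str] = []
    if rule.source != "any" or rule.dest_port != "any":
        return findings
    if is_private(rule.dest_ip):
        findings.append(
            f"{rule.name}: all ports to internal host {rule.dest_ip}; "
            "only LAN machines can reach it, but the rule is still wider than needed"
        )
    else:
        findings.append(
            f"{rule.name}: all ports to external/NATed address {rule.dest_ip}; "
            "any internet host can reach every open port on the server"
        )
    return findings


def lock_down(rule: Rule, needed_ports: list[int]) -> list[Rule]:
    """Replace an any-port rule with one explicit rule per required destination port."""
    return [
        Rule(f"{rule.name}-tcp{port}", rule.source, rule.dest_ip, str(port))
        for port in needed_ports
    ]


# Constructed sample: the rule the asker found on the Smoothwall, on the red (external) interface.
SERVER_RULE = Rule("server-inbound", "any", "203.0.113.10", "any")

# Constructed internal variant of the same rule for comparison.
INTERNAL_RULE = Rule("server-internal", "any", "192.168.1.20", "any")

if __name__ == "__main__":
    for finding in audit(SERVER_RULE) + audit(INTERNAL_RULE):
        print("FLAG:", finding)
    # Remote Web Workplace on 4125 is what the thread actually needs; 3389 stays closed
    # unless "pure" RDP from outside is a requirement, which the answer advises against.
    for r in lock_down(SERVER_RULE, [4125]):
        print("replacement rule:", r)
```

Running it prints one finding for each sample rule and a single replacement rule that permits only TCP 4125 to the server, which is the smallest change that keeps the working remote-web-workplace access while closing the any-port exposure.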

Author

Commented:
grimkin,

Thank you for your reply. It's the red interface so it's external. I will disable that right away. What about the smartphones not syncing with the server, is there any port I need to open for that or should 4125 be ok? I will implement the VPN policy over the RDP.

Commented:
Hi,

Could you please describe what smartphones you are using, what they are syncing and using which software?

Thanks

Author

Commented:
grimkin,

We have 7 iPhones and 1 Droid 2. They are syncing email, calendar & contacts; no software, the phones sync directly to the server. Under account info on the phone it asks for the email address, server, domain, username, username and asks if we use SSL.

Thanks again

Author

Commented:
Thank you for your time. Got it running.
