Still celebrating National IT Professionals Day with 3 months of free Premium Membership. Use Code ITDAY17

x
?
Solved

Windows Firewall Problem on Server 2008 exchange and domain controllers.

Posted on 2011-03-22
4
Medium Priority
?
358 Views
Last Modified: 2012-05-11
Starting Thursday last week i've had to disable the firewall on all of my servers.  Problem started when my BES couldn't connect to exchange mailstore.  I tried everything, replacing network card, switch, changing IP address, etc.  I finally just for the heck of it tried disabling the firewall on exchange and boom all was working.  I then started having issues with my exchange server not getting global policy updates.  Scratched my head and did some searching for those problems, nothing worked, I then disabled the firewall on my domain controller and like before all is working.  Any idea if there was an update last week that changed windows firewall as i can't think of anything i changed that would have caused this.  I'm not sure on the security risks but having the firewall disabled can't be that good.
0
Comment
Question by:Optronomega
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 2
4 Comments
 
LVL 74

Assisted Solution

by:Glen Knight
Glen Knight earned 664 total points
ID: 35197551
the firewall is only protecting you from internal threats as hopefully you have a border firewall?
0
 
LVL 29

Accepted Solution

by:
pwindell earned 1336 total points
ID: 35198496
The only thing I have ever done and ever will do with the Windows Firewall,...is get rid of it,...the same thing with any 3rd party version of the same (I'm impartial)
0
 

Author Comment

by:Optronomega
ID: 35200152
Yes we have a border firewall.  Issue i have is we have 15 or so satellite locations across 3 states connected through vpn.  Our internal network is only as secure as our least secure point and i don't exactly trust all of our employees as most are actually contractors.  I could probably block most ports between the vpn connections although i don't know what needs to be open to allow for domain traffic on satellite computers.  I already have their wan access restricted to port 80, 53, and 443.
0
 
LVL 29

Assisted Solution

by:pwindell
pwindell earned 1336 total points
ID: 35200377
Blocking ports isn't even a "real" solution anyway.  Most problems (infections, whatever) operate over common standard ports that you just simply will not be able to restrict.  Even if you restricted it to only one destiantion on your LAN,...that one Destiantion gets infected,...and that becomes the new "starting point" for the infection and it speads throughout the LAN unstoppable.  

You're going to have to look at some kind NAP System (Network Access Protection).  This would have to be built into the VPN Device (whether it is a firewall or dedicated device, or whatever).  Any product that can do that,...and do it correctly,... and seroiusly,... is going to be spelled "$$$$$".   It can also be very difficult to configure correctly (in 12 years I have never done one yet) so it is important to be purchased from a company that has excellent high grade quality Support, because they may have to do most of the work for you.

In the end,...VPN is just not a good solution any longer.  The safer way is an Application Gateway that virtualizes the needed Application and presents it to the user. This way the users are only [remotely] running an Application and not really "accessing a machine",...they don't even really enter the LAN because the solution brings the Application to the user.  Microsoft Forefront UAG is one such product,...I believe Citrix has a similar solution,...and there are probably others out there too.
0

Featured Post

Problems using Powershell and Active Directory?

Managing Active Directory does not always have to be complicated.  If you are spending more time trying instead of doing, then it's time to look at something else. For nearly 20 years, AD admins around the world have used one tool for day-to-day AD management: Hyena. Discover why

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

There are times when we need to generate a report on the inbox rules, where users have set up forwarding externally in their mailbox. In this article, I will be sharing a script I wrote to generate the report in CSV format.
A bad practice commonly found during an account life cycle is to set its password to an initial, insecure password. The Password Reset Tool was developed to make the password reset process easier and more secure.
Microsoft Active Directory, the widely used IT infrastructure, is known for its high risk of credential theft. The best way to test your Active Directory’s vulnerabilities to pass-the-ticket, pass-the-hash, privilege escalation, and malware attacks …
A short tutorial showing how to set up an email signature in Outlook on the Web (previously known as OWA). For free email signatures designs, visit https://www.mail-signatures.com/articles/signature-templates/?sts=6651 If you want to manage em…
Suggested Courses

722 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question