Solved

Windows Firewall Problem on Server 2008 exchange and domain controllers.

Posted on 2011-03-22
4
354 Views
Last Modified: 2012-05-11
Starting Thursday last week I've had to disable the firewall on all of my servers.  Problem started when my BES couldn't connect to the Exchange mailstore.  I tried everything, replacing network card, switch, changing IP address, etc.  I finally just for the heck of it tried disabling the firewall on Exchange and boom, all was working.  I then started having issues with my Exchange server not getting group policy updates.  Scratched my head and did some searching for those problems, nothing worked, I then disabled the firewall on my domain controller and like before all is working.  Any idea if there was an update last week that changed Windows Firewall, as I can't think of anything I changed that would have caused this.  I'm not sure on the security risks but having the firewall disabled can't be that good.
0
Question by:Optronomega
4 Comments
 
LVL 74

Assisted Solution

by:Glen Knight
Glen Knight earned 166 total points
ID: 35197551
The firewall is only protecting you from internal threats, as hopefully you have a border firewall?
0
 
LVL 29

Accepted Solution

by:pwindell
pwindell earned 334 total points
ID: 35198496
The only thing I have ever done and ever will do with the Windows Firewall,...is get rid of it,...the same thing with any 3rd party version of the same (I'm impartial)
0
 

Author Comment

by:Optronomega
ID: 35200152
Yes, we have a border firewall.  Issue I have is we have 15 or so satellite locations across 3 states connected through VPN.  Our internal network is only as secure as our least secure point and I don't exactly trust all of our employees as most are actually contractors.  I could probably block most ports between the VPN connections although I don't know what needs to be open to allow for domain traffic on satellite computers.  I already have their WAN access restricted to ports 80, 53, and 443.
0
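Before disabling the Windows Firewall outright (as in the original question) or guessing which ports the satellite machines need (as in the comment above), the firewall's own drop log tells you exactly which destination ports and directions are being blocked. The following is an added example, not code from this thread: a small Python parser for the W3C-format pfirewall.log that Windows Server 2008 writes once "Log dropped packets" is enabled on the profile. The log lines, hosts and ports below are constructed sample data, not taken from the poster's environment.

```python
"""Summarise DROP entries from a Windows Firewall log (pfirewall.log, W3C format)."""
from collections import Counter

# Constructed sample in the format Windows Server 2008 writes to
# %systemroot%\system32\LogFiles\Firewall\pfirewall.log when drop logging is on.
SAMPLE_LOG = """\
#Version: 1.5
#Software: Microsoft Windows Firewall
#Time Format: Local
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path
2011-03-17 09:12:01 DROP TCP 10.0.0.25 10.0.0.10 49832 135 52 S 1234567 0 8192 - - - RECEIVE
2011-03-17 09:12:04 DROP TCP 10.0.0.25 10.0.0.10 49833 135 52 S 1234568 0 8192 - - - RECEIVE
2011-03-17 09:12:10 DROP TCP 10.0.0.10 10.0.0.5 51022 389 52 S 2234567 0 8192 - - - SEND
2011-03-17 09:12:11 ALLOW TCP 10.0.0.10 10.0.0.5 51023 445 0 - 0 0 0 - - - SEND
2011-03-17 09:12:15 DROP UDP 10.0.0.10 10.0.0.5 55001 389 0 - 0 0 0 - - - SEND
"""


def parse_firewall_log(text):
    """Yield one dict per data line, keyed by the names from the #Fields header."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]          # column names follow the directive
            continue
        if not line or line.startswith("#") or fields is None:
            continue                           # comments, blanks, or no header yet
        values = line.split()
        if len(values) != len(fields):
            continue                           # truncated line: skip, don't guess
        yield dict(zip(fields, values))


def summarize_drops(text):
    """Count DROP entries by (path, protocol, dst-port) so blocked services stand out."""
    counts = Counter()
    for rec in parse_firewall_log(text):
        if rec["action"] == "DROP":
            counts[(rec["path"], rec["protocol"], rec["dst-port"])] += 1
    return counts


if __name__ == "__main__":
    # RECEIVE = inbound to this host, SEND = outbound from it.
    for (path, proto, port), n in summarize_drops(SAMPLE_LOG).most_common():
        print(f"{path:8} {proto:4} dst-port {port:>5}: {n} dropped")
```

Run against a real log, the (path, protocol, port) tuples with the highest drop counts are the candidates for a narrowly scoped allow rule on that one server, which is a far smaller change than turning the firewall off.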
 
LVL 29

Assisted Solution

by:pwindell
pwindell earned 334 total points
ID: 35200377
Blocking ports isn't even a "real" solution anyway.  Most problems (infections, whatever) operate over common standard ports that you just simply will not be able to restrict.  Even if you restricted it to only one destination on your LAN,...that one destination gets infected,...and that becomes the new "starting point" for the infection and it spreads throughout the LAN unstoppable.  

You're going to have to look at some kind of NAP System (Network Access Protection).  This would have to be built into the VPN Device (whether it is a firewall or dedicated device, or whatever).  Any product that can do that,...and do it correctly,... and seriously,... is going to be spelled "$$$$$".   It can also be very difficult to configure correctly (in 12 years I have never done one yet) so it is important to be purchased from a company that has excellent high grade quality Support, because they may have to do most of the work for you.

In the end,...VPN is just not a good solution any longer.  The safer way is an Application Gateway that virtualizes the needed Application and presents it to the user. This way the users are only [remotely] running an Application and not really "accessing a machine",...they don't even really enter the LAN because the solution brings the Application to the user.  Microsoft Forefront UAG is one such product,...I believe Citrix has a similar solution,...and there are probably others out there too.
0
