• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 363
  • Last Modified:

Windows Firewall Problem on Server 2008 exchange and domain controllers.

Starting Thursday last week i've had to disable the firewall on all of my servers.  Problem started when my BES couldn't connect to exchange mailstore.  I tried everything, replacing network card, switch, changing IP address, etc.  I finally just for the heck of it tried disabling the firewall on exchange and boom all was working.  I then started having issues with my exchange server not getting global policy updates.  Scratched my head and did some searching for those problems, nothing worked, I then disabled the firewall on my domain controller and like before all is working.  Any idea if there was an update last week that changed windows firewall as i can't think of anything i changed that would have caused this.  I'm not sure on the security risks but having the firewall disabled can't be that good.
0
Optronomega
Asked:
Optronomega
  • 2
3 Solutions
 
Glen KnightCommented:
the firewall is only protecting you from internal threats as hopefully you have a border firewall?
0
 
pwindellCommented:
The only thing I have ever done and ever will do with the Windows Firewall,...is get rid of it,...the same thing with any 3rd party version of the same (I'm impartial)
0
 
OptronomegaAuthor Commented:
Yes we have a border firewall.  Issue i have is we have 15 or so satellite locations across 3 states connected through vpn.  Our internal network is only as secure as our least secure point and i don't exactly trust all of our employees as most are actually contractors.  I could probably block most ports between the vpn connections although i don't know what needs to be open to allow for domain traffic on satellite computers.  I already have their wan access restricted to port 80, 53, and 443.
0
 
pwindellCommented:
Blocking ports isn't even a "real" solution anyway.  Most problems (infections, whatever) operate over common standard ports that you just simply will not be able to restrict.  Even if you restricted it to only one destiantion on your LAN,...that one Destiantion gets infected,...and that becomes the new "starting point" for the infection and it speads throughout the LAN unstoppable.  

You're going to have to look at some kind NAP System (Network Access Protection).  This would have to be built into the VPN Device (whether it is a firewall or dedicated device, or whatever).  Any product that can do that,...and do it correctly,... and seroiusly,... is going to be spelled "$$$$$".   It can also be very difficult to configure correctly (in 12 years I have never done one yet) so it is important to be purchased from a company that has excellent high grade quality Support, because they may have to do most of the work for you.

In the end,...VPN is just not a good solution any longer.  The safer way is an Application Gateway that virtualizes the needed Application and presents it to the user. This way the users are only [remotely] running an Application and not really "accessing a machine",...they don't even really enter the LAN because the solution brings the Application to the user.  Microsoft Forefront UAG is one such product,...I believe Citrix has a similar solution,...and there are probably others out there too.
0
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

Join & Write a Comment

Featured Post

Get your problem seen by more experts

Be seen. Boost your question’s priority for more expert views and faster solutions

  • 2
Tackle projects and never again get stuck behind a technical roadblock.
Join Now