Go Premium for a chance to win a PS4. Enter to Win

x
?
Solved

Windows Firewall Problem on Server 2008 exchange and domain controllers.

Posted on 2011-03-22
4
Medium Priority
?
359 Views
Last Modified: 2012-05-11
Starting Thursday last week i've had to disable the firewall on all of my servers.  Problem started when my BES couldn't connect to exchange mailstore.  I tried everything, replacing network card, switch, changing IP address, etc.  I finally just for the heck of it tried disabling the firewall on exchange and boom all was working.  I then started having issues with my exchange server not getting global policy updates.  Scratched my head and did some searching for those problems, nothing worked, I then disabled the firewall on my domain controller and like before all is working.  Any idea if there was an update last week that changed windows firewall as i can't think of anything i changed that would have caused this.  I'm not sure on the security risks but having the firewall disabled can't be that good.
0
Comment
Question by:Optronomega
  • 2
4 Comments
 
LVL 74

Assisted Solution

by:Glen Knight
Glen Knight earned 664 total points
ID: 35197551
the firewall is only protecting you from internal threats as hopefully you have a border firewall?
0
 
LVL 29

Accepted Solution

by:
pwindell earned 1336 total points
ID: 35198496
The only thing I have ever done and ever will do with the Windows Firewall,...is get rid of it,...the same thing with any 3rd party version of the same (I'm impartial)
0
 

Author Comment

by:Optronomega
ID: 35200152
Yes we have a border firewall.  Issue i have is we have 15 or so satellite locations across 3 states connected through vpn.  Our internal network is only as secure as our least secure point and i don't exactly trust all of our employees as most are actually contractors.  I could probably block most ports between the vpn connections although i don't know what needs to be open to allow for domain traffic on satellite computers.  I already have their wan access restricted to port 80, 53, and 443.
0
 
LVL 29

Assisted Solution

by:pwindell
pwindell earned 1336 total points
ID: 35200377
Blocking ports isn't even a "real" solution anyway.  Most problems (infections, whatever) operate over common standard ports that you just simply will not be able to restrict.  Even if you restricted it to only one destiantion on your LAN,...that one Destiantion gets infected,...and that becomes the new "starting point" for the infection and it speads throughout the LAN unstoppable.  

You're going to have to look at some kind NAP System (Network Access Protection).  This would have to be built into the VPN Device (whether it is a firewall or dedicated device, or whatever).  Any product that can do that,...and do it correctly,... and seroiusly,... is going to be spelled "$$$$$".   It can also be very difficult to configure correctly (in 12 years I have never done one yet) so it is important to be purchased from a company that has excellent high grade quality Support, because they may have to do most of the work for you.

In the end,...VPN is just not a good solution any longer.  The safer way is an Application Gateway that virtualizes the needed Application and presents it to the user. This way the users are only [remotely] running an Application and not really "accessing a machine",...they don't even really enter the LAN because the solution brings the Application to the user.  Microsoft Forefront UAG is one such product,...I believe Citrix has a similar solution,...and there are probably others out there too.
0

Featured Post

Free Tool: Path Explorer

An intuitive utility to help find the CSS path to UI elements on a webpage. These paths are used frequently in a variety of front-end development and QA automation tasks.

One of a set of tools we're offering as a way of saying thank you for being a part of the community.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

As much as Microsoft wants to kill off PST file support, just as they tried to do with public folders, there are still times when it is useful or downright necessary to export Exchange mailboxes to PST files. Thankfully, it is still possible to e…
There can be many situations demanding the conversion of Outlook OST files to PST format and as such, there is no shortage of automated tools to perform this conversion. However, what makes Stellar OST to PST converter stand above the rest? Let us e…
Exchange organizations may use the Journaling Agent of the Transport Service to archive messages going through Exchange. However, if the Transport Service is integrated with some email content management application (such as an antispam), the admini…
Exchange organizations may use the Journaling Agent of the Transport Service to archive messages going through Exchange. However, if the Transport Service is integrated with some email content management application (such as an anti-spam), the admin…
Suggested Courses

876 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question