Solved

Windows Firewall Problem on Server 2008 exchange and domain controllers.

Posted on 2011-03-22
356 Views
Last Modified: 2012-05-11
Starting Thursday last week I've had to disable the firewall on all of my servers. Problem started when my BES couldn't connect to the Exchange mailstore. I tried everything: replacing the network card, the switch, changing the IP address, etc. I finally, just for the heck of it, tried disabling the firewall on Exchange and boom, all was working. I then started having issues with my Exchange server not getting group policy updates. Scratched my head and did some searching for those problems, nothing worked; I then disabled the firewall on my domain controller and, like before, all is working. Any idea if there was an update last week that changed Windows Firewall, as I can't think of anything I changed that would have caused this? I'm not sure on the security risks, but having the firewall disabled can't be that good.
Question by:Optronomega
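Rather than switching the firewall off to find the culprit, the usual check is to enable "Log dropped packets" in Windows Firewall with Advanced Security and read pfirewall.log to see which flows are being blocked. The following is an added example, not code from the original thread: a small Python parser over constructed log lines in the pfirewall.log layout, where the addresses, ports and hosts (BES to Exchange, Exchange to domain controller) are made up to mirror the scenario in the question.

```python
"""Summarise DROP entries from a Windows Firewall log (pfirewall.log) by blocked flow.
Constructed sample, not real data: 10.0.0.50 stands in for the BES server, 10.0.0.10
for the Exchange server and 10.0.0.1 for the domain controller in the question above."""
from collections import Counter

# Constructed lines in the pfirewall.log layout (W3C-style; columns named by #Fields).
SAMPLE_LOG = """#Version: 1.5
#Software: Microsoft Windows Firewall
#Time Format: Local
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path
2011-03-17 09:12:01 DROP TCP 10.0.0.50 10.0.0.10 49211 135 52 S 123456 0 8192 - - - RECEIVE
2011-03-17 09:12:01 DROP TCP 10.0.0.50 10.0.0.10 49212 6001 52 S 123457 0 8192 - - - RECEIVE
2011-03-17 09:12:05 ALLOW TCP 10.0.0.50 10.0.0.10 49213 443 0 - 0 0 0 - - - RECEIVE
2011-03-17 09:13:10 DROP TCP 10.0.0.10 10.0.0.1 50001 389 52 S 123458 0 8192 - - - SEND
2011-03-17 09:13:11 DROP UDP 10.0.0.10 10.0.0.1 50002 389 0 - - - - - - - SEND
2011-03-17 09:13:12 DROP TCP 10.0.0.10 10.0.0.1 50003 445 52 S 123459 0 8192 - - - SEND
"""
# Well-known ports an Exchange/AD admin expects to see; a hint for reading the report.
SERVICE_HINTS = {"135": "RPC endpoint mapper", "389": "LDAP", "445": "SMB (SYSVOL/GPO)",
                 "88": "Kerberos", "53": "DNS", "443": "HTTPS"}

def parse_log(text):
    """Turn log text into dicts keyed by the column names in the #Fields header."""
    fields, entries = None, []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line[len("#Fields:"):].split()
        elif line and not line.startswith("#") and fields is not None:
            values = line.split()
            if len(values) == len(fields):   # skip truncated lines, don't mis-assign columns
                entries.append(dict(zip(fields, values)))
    return entries

def summarize_drops(entries):
    """Count DROP lines per (path, protocol, dst-ip, dst-port): the flow a rule must allow."""
    counts = Counter()
    for e in entries:
        if e["action"] == "DROP":
            counts[(e["path"], e["protocol"], e["dst-ip"], e["dst-port"])] += 1
    return counts

def report(counts):
    """Render the summary, most-dropped flow first, with a service hint per port."""
    return [f"{n:3d} DROP {path:7s} {proto:3s} -> {dst}:{port} ({SERVICE_HINTS.get(port, '?')})"
            for (path, proto, dst, port), n in counts.most_common()]

if __name__ == "__main__":
    print("\n".join(report(summarize_drops(parse_log(SAMPLE_LOG)))))
```

Each reported flow maps directly to the inbound or outbound rule that has to exist on that host, which is the information needed to re-enable the firewall with targeted exceptions instead of leaving it off.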
4 Comments
 
LVL 74

Assisted Solution

by:Glen Knight
Glen Knight earned 166 total points
ID: 35197551
The firewall is only protecting you from internal threats, as hopefully you have a border firewall?
 
LVL 29

Accepted Solution

by:pwindell
pwindell earned 334 total points
ID: 35198496
The only thing I have ever done and ever will do with the Windows Firewall,...is get rid of it,...the same thing with any 3rd party version of the same (I'm impartial).
 

Author Comment

by:Optronomega
ID: 35200152
Yes, we have a border firewall. The issue I have is we have 15 or so satellite locations across 3 states connected through VPN. Our internal network is only as secure as our least secure point, and I don't exactly trust all of our employees, as most are actually contractors. I could probably block most ports between the VPN connections, although I don't know what needs to be open to allow for domain traffic on satellite computers. I already have their WAN access restricted to ports 80, 53, and 443.
 
LVL 29

Assisted Solution

by:pwindell
pwindell earned 334 total points
ID: 35200377
Blocking ports isn't even a "real" solution anyway. Most problems (infections, whatever) operate over common standard ports that you just simply will not be able to restrict. Even if you restricted it to only one destination on your LAN,...that one destination gets infected,...and that becomes the new "starting point" for the infection and it spreads throughout the LAN unstoppable.

You're going to have to look at some kind of NAP system (Network Access Protection). This would have to be built into the VPN device (whether it is a firewall or dedicated device, or whatever). Any product that can do that,...and do it correctly,... and seriously,... is going to be spelled "$$$$$". It can also be very difficult to configure correctly (in 12 years I have never done one yet), so it is important to purchase from a company that has excellent high grade quality support, because they may have to do most of the work for you.

In the end,...VPN is just not a good solution any longer. The safer way is an Application Gateway that virtualizes the needed application and presents it to the user. This way the users are only [remotely] running an application and not really "accessing a machine",...they don't even really enter the LAN, because the solution brings the application to the user. Microsoft Forefront UAG is one such product,...I believe Citrix has a similar solution,...and there are probably others out there too.
