From: vtlists@wyae.de
Date: Fri Apr 13 2007 - 05:58:34 EDT
Thomas W Shinder writes:
> This is WRONG. If you have a true application layer inspection firewall
> like the ISA firewall, a single "port" is required.
Leaving lots of trollbait aside:
Port-filtering SMTP, POP3, IMAP, HTTP, HTTPS is a no-brainer. Thus we'll
leave that as a home exercise for the student. ;-)
The tricky part of port-filtering MSX is to allow the MS-RPC port (tcp/135) and
the corresponding "high ports". This can be done
1.) by using a firewall that has a state engine for MS-RPC.
    This applies to the newer MS-ISAs, CheckPoint and experimental
    Linux netfilter extensions. Please add if you know more.
2.) by allowing tcp/1024-65535 in both directions.
    This is not really recommended, as that "hole" is quite big.
3.) by allowing a few selected high ports.
    MSX can be restricted to specific ports. That requires a few
    registry settings:
    HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\MSExchangeSA\Parameters
        Name:  TCP/IP port
        Value: REG_DWORD (the port number > 1023)
        Name:  TCP/IP NSPI port
        Value: REG_DWORD (the port number > 1023)
    HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\MSExchangeIS\ParametersSystem
        Name:  TCP/IP port
        Value: REG_DWORD (the port number > 1023)
You may also need to add
* UDP/TCP 53 (DNS)
* UDP/TCP 88 (Kerberos authentication)
* UDP/TCP 389 (LDAP Access)
* TCP 445 (Microsoft Directory Service)
* TCP 3268 (LDAP to global catalog servers)
This is for generic access. For newer MSX installations you can try to use
Microsoft's RPC-over-HTTP proxy instead, which obviously needs HTTP(S),
i.e. tcp/80 (443).
Bye
Volker
------------------------------------------------------------------------
This List Sponsored by: Cenzic
Are you using SPI, Watchfire or WhiteHat?
Consider getting clear vision with Cenzic
See HOW Now with our 20/20 program!
http://www.cenzic.com/c/2020
------------------------------------------------------------------------
This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:57:43 EDT