probably a simple pinhole / deployment question...

I'm new to this, so if my plan is incorrect please let me know...

I am deploying my first firewall, I plan to put my webserver, name servers, and mail server in the DMZ (orange) and my workstations, mail filter, and exchange server (SBS with Domain control) in the LAN (green).

I already tried this once, but I'm starting over after being unable to completely understand what pinholes need to be open between the Windows based web server and the domain controller so that I can log into the web server via remote desktop or access the web server's shared folders. I looked around online and it seems like there are all kinds of ports that Windows uses, but I don't want to open them all unless I have to.

Also, does anyone know of a way to allow for Outlook Web Access with this configuration, or will I have to move my Exchange server (SBS) into the DMZ?

I'm using IPCop now, but may move to a M0n0wall

I'm here to learn - if I'm doing something moronic please let me know in a manner that allows me to do so. Thanks,

Richard

rjvalenta

Just for clarification: You want to run the DNS part of the AD for the internal network at the Domain controller rather than at the nameserver in the DMZ? Anything else would be stupid.

A Windows-based webserver generally is a bad idea, especially when you're thinking of IIS+ASP instead of WAMP.

But you only want RDP, which is well documented to be using 3389/TCP and sometimes HTTP on 80/TCP. Remote file access can be done via SMB shares (NetBIOS on 137-139/TCP+UDP and/or SMB at 445/TCP), FTP or HTTP/WebDAV. What is RTFM?

Why do you want OWA, and can't you think of some serious alternative that is not inherently insecure?

Sebastian Gottschalk
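The pinholes the reply lists, expressed as a deny-by-default policy between IPCop-style zones (green = LAN, orange = DMZ) and checked against a few constructed flows; this is an added example, not configuration from the thread, and the zone names, rule notes and sample flows are assumptions:

```python
"""Deny-by-default pinhole policy between IPCop-style zones (added example).

Assumed zone names: green = LAN, orange = DMZ. Only the ports named in the
reply are opened, and only for sessions the LAN initiates toward the DMZ.
"""
from dataclasses import dataclass
from typing import List, Tuple


@dataclass(frozen=True)
class Pinhole:
    src: str      # zone that initiates the connection
    dst: str      # zone that receives it
    proto: str    # "tcp" or "udp"
    lo: int       # first destination port
    hi: int       # last destination port (inclusive)
    note: str     # why the hole exists

    def matches(self, src: str, dst: str, proto: str, port: int) -> bool:
        same_path = (self.src, self.dst, self.proto) == (src, dst, proto)
        return same_path and self.lo <= port <= self.hi


# Holes are opened from the trusted LAN toward the DMZ web server only.
# Nothing in the DMZ may initiate toward the LAN, so a compromised web
# server gets no path to the domain controller.
PINHOLES: List[Pinhole] = [
    Pinhole("green", "orange", "tcp", 3389, 3389, "RDP to the web server"),
    Pinhole("green", "orange", "tcp", 445, 445, "SMB shares on the web server"),
    Pinhole("green", "orange", "tcp", 137, 139, "NetBIOS session/name service"),
    Pinhole("green", "orange", "udp", 137, 139, "NetBIOS name/datagram service"),
    Pinhole("green", "orange", "tcp", 80, 80, "HTTP/WebDAV to the web server"),
]


def evaluate(src: str, dst: str, proto: str, port: int) -> Tuple[str, str]:
    """First matching pinhole wins; anything unmatched is denied."""
    for rule in PINHOLES:
        if rule.matches(src, dst, proto, port):
            return "allow", rule.note
    return "deny", "no pinhole: default deny"


def audit(rules: List[Pinhole]) -> List[str]:
    """Flag any rule that lets a less trusted zone initiate into the LAN."""
    return [f"{r.src}->{r.dst} {r.proto}/{r.lo}-{r.hi}: {r.note}"
            for r in rules if r.dst == "green" and r.src != "green"]


if __name__ == "__main__":
    # Constructed sample flows: the poster's LAN-side needs plus the reverse
    # direction, which must stay closed.
    for flow in [("green", "orange", "tcp", 3389), ("green", "orange", "tcp", 445),
                 ("orange", "green", "tcp", 445), ("green", "orange", "tcp", 3390)]:
        print(flow, "->", evaluate(*flow))
    print("audit:", audit(PINHOLES) or "ok")
```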

....I guess a better question would be - on what port does a workstation/server communicate with the domain controller to verify my user information and allow me access? When I use RDP now, it takes FOREVER to get in, kinda like it's using cached credentials.

rjvalenta

Depends on your authentication. You can do NTLM via NetBIOS and SMB, but you can also do Kerberos or direct-supplied credentials.

Anyway, shouldn't your firewall emit some useful logging?

Sebastian Gottschalk