Web, Exchange Server Behind Hardware Firewall

I have a Web Server, Exchange Server 2000 and my DNS server running on
the same box and it is connected to my ISP . Right now I have a
software firewall installed on this machine but I want to do away with
it and put a Symantec Hardware Firewall instead, so now my config will
look like:
ISP ---------> Firewall ---------> Web Server/Exchange
Server/DNS Server
My question is what ports do I need to open on the firewall and also
what changes do I need to make to the MX and A records in the DNS
server.
Since Exchange Server allocates dynamic ports for each client
connection , how do I handle it.
TIA
Ravi
Reply to
Ravi
Loading thread data ...
Leythos,
Thanks for your reponse . My web server/exchange server is sitting outside our corporate firewall , so we never access Exchange Sever through Internal LAN. Also please give me some info on DNS entry changes.
Ravi
Reply to
Ravi
Assuming that you access the Exchange server via your INTERNAL LAN, and assuming that the Exchange server is your only server, then the following would be true:
HTTP (80) to web server services, but not Outlook Web Access HTTPS (443) to Outlook Web Access Service (requires SSL) SMTP (25) to Exchange Service
Do not let users connect to OWA using HTTP, leave that for your public web sites. Setup OWA for SSL access only.
Reply to
Leythos
I would need more info, but here's my assumptions:
PUBLIC IP | Firewall | | | | | ---- DMZ --- SWITCH-1 | LAN | SWITCH-2
Now, the DMZ is using a NAT scheme, 192.168.10.0/24 The LAN is using a NAT scheme, 192.168.16.0/24
The web server and exchange server are allocated 192.168.10.x + .y
The DNS server, I'm assuming that it's for your internal network and is not hosting your PUBLIC DNS records.
The DNS Server should be in the LAN and you will need to setup domains for your public addresses - meaning that if you use MyCompany.Com, then you will create a zone called MyCompany.Com and enter the PRIVATE addresses in it for the Web server and the Exchange server. Then, since it's in your LAN, your client workstations should use it for their DNS (don't forget to setup FORWARDING) and it will resolve the private names for your web/exchange servers.
I really need to know more in order to not have to guess.
Reply to
Leythos
SHIIIIIIIIIIIIT!!
Reply to
Mike
Leythos,
The DNS server is hosting my public records. The network config is :
Public IP1 ------> Firewall1 ------------> Corporate INET
My corporate network is set fine and running
Public IP2 ------> Firewall2 | 192.168.0.1 I | 192.168.0.2 DNS SERVER/Exchange Server/Web Server
Now I am intoducing Hardware firewall2 for my Exchange , public DNS server and Web server. Earlier I had a software firewall running on this server. This server is a stand alone server and is not connected to my internal network directly. I hope this gives you a good idea of what I am trying to do.
Reply to
Ravi
Leythos,
I have bought Symantec 360 Security Gateway Firewall and it does not allow me to put same ip on the two interfaces, infact it is not even allowing me to put two different IPs on the same mask.
Reply to
Ravi
Why not just implement DROP-IN mode where the firewall has the SAME IP on both sides of the network - public assigned to both sides, then you don't have to worry about anything - you just map rules between ip:ip?
Reply to
Leythos
Un fortunately, I'm not a Symantec type chap, so I can't help. I would suggest that you contact them, send them your network plan, and ask them what they would suggest. If you are under contract with them, then they should be able to help.
I can't help without knowing your network, and each time you post I only learn a little more, and it's not enough.
Reply to
Leythos
If you want to have the same subnet on both the LAN and a WAN side, you have to disable NAT first (it doesn't make sense with the same subnet on both sides):
Firewall -> Advanced -> Disable NAT Mode.
On the other hand, if you do this, you won't have any NAT routing for the other WAN port either, and if I understood your broken diagram correctly, you'd want that.
My guess is that you should hire a networking person who can design a solution for you, and that the Symantec 360 should go back to the store -- it's really not meant for this, but for load balancing/failover operations with VPN functionality.
Regards,
Reply to
Arthur Hagen

Cabling-Design.com Forums website is not affiliated with any of the manufacturers or service providers discussed here. All logos and trade names are the property of their respective owners.