Re: help - PIX translation and ports question
- From: roberson@xxxxxxxxxxxx (Walter Roberson)
- Date: Mon, 03 Apr 2006 22:41:27 GMT
In article <1144090245.053669.307220@xxxxxxxxxxxxxxxxxxxxxxxxxxxx>,
Mike_B <boeckelr@xxxxxxxxx> wrote:
> My company just got a PIX 506E
> The PIX sits in front of our LAN....nothing else is behind it. Our web
> and mailserver are at our ISP.
> We are switching to Exchange, also being hosted at our ISP.
> What exactly do I have to do to create an ACL that will allow this
> traffic {TCP 135 and 139 and UDP 137 and 138 (and whatever other ports
> I need to open)} from 64.74.74.31 into my network?
> Pix 6.3(5) PDM 3.0(4)
I notice that you list the NETBIOS ports but do not list the LDAP
ports. That suggests that you will be using the older Exchange 2000
rather than the newer Exchange 2003. I never really had a chance to
test out the flows for a properly configured remote Exchange 2003
server, but I have had... "interesting times"... with PIX and Exchange 2000.
> Is PAT screwing me up?
If you are a Microsoft devotee, then YES, whatever does not work with
a Microsoft product is Broken. But for the rest of the world,
accustomed to standards and objective security, the answer would be NO,
that it is Exchange 2000 which is screwed up.
In my experience (and I pushed at the matter), unless you have
really good Exchange server administrators that know just how to tweak
the product, what you need to do to access a remote Exchange 2000
server is as follows:
- Use static public IPs for all of your hosts that will need access
- Use a WINS server that both sides will have access to (e.g., the
Exchange server itself)
- configure your PIX to allow ALL traffic from the Exchange server,
and ALL traffic to the Exchange server. (You might be able to get away
with blocking -some- of ports below 1024 though.)
Unless the Exchange server is carefully nailed down, attempting to
restrict the connection to only a "sane" subset of the ports is doomed
to failure. If you restrict the ports sanely, most of the time you won't
even be able to figure out -what- failed, but you will be able to
see from the detailed PIX logs that -something- was blocked.
Exchange 2000 Server *will* attempt to connect back to arbitrary ports
on your client. And it will keep trying to attempt to connect to that
arbitrary port about every 15 minutes for about 10 days solid. If you
trace back through the logs, you will find that that arbitrary port was
one that the client once used to talk to the server... anywhere from 10
minutes to 2 months earlier. And you will find that some of those
previous conversations were -outgoing- TCP connections that originally
lasted perhaps 2 seconds and were properly closed down at the time...
but weeks later the server will expect the client to be reachable
-incoming- at that same IP + port. Ignoring the PAT and stateful
firewall issues that raises, what sane programmer would expect a
Windows PC client to stay up for more than a day at a time? Even if
Windows hasn't crashed by itself and even if the anti-virus program
doesn't require a reboot in order to try to catch the Malware Of The
Hour, one should expect that the user might have turned off the
computer overnight...
Then there are the strange interactions with RPC translations and
adaptive security...
Do not rely upon Microsoft's list of ports you need to open.
In practice, there are -many- more ports you will need. ("Oh, that
undocumented port you found isn't used specially by Exchange itself, it
is used by the infrastructure layers that Exchange is built on!")
Now, there are some people who disagree with me and believe that
Exchange is perfectly securable. In particular, Leythos over in
the firewalls newsgroup claims that his company has implemented such
configurations often. As best I can tell, though, in each case his
company had the freedom to configure the Exchange server.
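One way to spot the callback pattern described above in PIX syslog, as an added example that is not part of this thread: it correlates 302013 "Built outbound" records with later 106023 denies from the Exchange server's address, flagging denies aimed at an IP/port the client itself used earlier. The log lines are constructed; 192.168.1.20 / 203.0.113.20 are an assumed static-mapped inside/global client pair, and the message layouts are assumed to follow PIX 6.3 syslog.

```python
import re
from datetime import datetime

# Constructed PIX 6.3-style syslog sample (not from the thread). 64.74.74.31 is the
# hosted Exchange server from the question; 192.168.1.20 -> 203.0.113.20 is an
# assumed static translation for one inside client.
SAMPLE_LOG = """\
Apr 03 10:00:01 pix %PIX-6-302013: Built outbound TCP connection 4101 for outside:64.74.74.31/135 (64.74.74.31/135) to inside:192.168.1.20/3217 (203.0.113.20/3217)
Apr 03 10:00:03 pix %PIX-6-302014: Teardown TCP connection 4101 for outside:64.74.74.31/135 to inside:192.168.1.20/3217 duration 0:00:02 bytes 1840 TCP FINs
Apr 03 10:15:07 pix %PIX-4-106023: Deny tcp src outside:64.74.74.31/1028 dst inside:203.0.113.20/3217 by access-group "outside_access_in"
Apr 03 10:30:07 pix %PIX-4-106023: Deny tcp src outside:64.74.74.31/1028 dst inside:203.0.113.20/3217 by access-group "outside_access_in"
Apr 03 10:31:00 pix %PIX-4-106023: Deny tcp src outside:198.51.100.9/4444 dst inside:203.0.113.20/445 by access-group "outside_access_in"
"""

# Group 1: server ip/port; group 2: the client's *global* (translated) ip/port,
# which is what a later inbound deny will show as its destination.
BUILT_RE = re.compile(r"Built outbound TCP connection \d+ for outside:(\S+) \(\S+\) to inside:\S+ \((\S+)\)")
# Group 1: source IP of the denied inbound attempt; group 2: its target ip/port.
DENY_RE = re.compile(r"Deny tcp src outside:(\d+\.\d+\.\d+\.\d+)/\d+ dst inside:(\S+) by access-group")


def find_callbacks(log_text, server_ip):
    """Return (deny_timestamp, client_ip_port, minutes_since_outbound) for each
    denied inbound connection from server_ip whose target was earlier the client
    side of an outbound connection to that same server."""
    first_seen = {}  # global "ip/port" -> time the client first used it outbound
    hits = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts = datetime.strptime(line[:15], "%b %d %H:%M:%S")
        m = BUILT_RE.search(line)
        if m and m.group(1).split("/")[0] == server_ip:
            first_seen.setdefault(m.group(2), ts)
            continue
        m = DENY_RE.search(line)
        if m and m.group(1) == server_ip and m.group(2) in first_seen:
            minutes = int((ts - first_seen[m.group(2)]).total_seconds() // 60)
            hits.append((line[:15], m.group(2), minutes))
    return hits


if __name__ == "__main__":
    for when, target, minutes in find_callbacks(SAMPLE_LOG, "64.74.74.31"):
        print(f"{when}: Exchange tried to reach {target}, a port the client used {minutes} min earlier")
```

Denies from other sources (the 198.51.100.9 line) are ignored, so the output isolates the server-initiated reconnects rather than general noise.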