
Re: [FW-1] How to allow Exchange access



I know very well the article you are referring to, but that is not my
expectation.  I found a support article from Nokia that discusses this topic.
It sounds like in the old days that is the option you have, but in newer
versions this can be done at the "inspection level".  Here is part of the
support article:
---------------------------------
Nokia - Resolution 1149

FireWall-1 v4.1 SP4 and later
Check Point's release notes document that several DCE-RPC applications are
fully supported, including MS Exchange Server v4.0, 5.0 and 5.5. If using an
MS Exchange Server v5.5, the v5.5 service objects must be used in addition to
the previous MS Exchange service objects.

FireWall-1 v4.0 to FireWall-1 v4.1 SP3
Support for Microsoft Exchange was considered "experimental". Most networks
were able to use the new objects to support MS Exchange traffic, but some
sites still had problems. Such sites can either implement the "Pre-version
v4.0" workaround or upgrade to v4.1 SP4.

In FireWall-1 v4.0 and later, a set of services were added to support
Microsoft Exchange traffic. To support clients connecting to Exchange server
over the firewall, add the service "MSExchange" to the appropriate rules.
Make sure you add this service explicitly instead of relying on the "any"
service to catch it because it will not.

Pre-version v4.0
Microsoft Exchange uses TCP ports above 1024. The port used is defined in
the configuration of Microsoft Exchange.

To configure FireWall-1 for use with Microsoft Exchange:

  1. Define tcp service rpc-mapper on port 135.

  2. Configure Microsoft Exchange server to use a specific port(s) you
     choose (above 1024). This may be done by modifying the registry on the
     server machine (the machine running Microsoft Exchange) as follows:
.... skip....
-----------------


So, I am looking for the one people would use on a v4.1 SP4 implementation.


-raymond


At 07:56 AM 10/11/01 +0200, you wrote:
>Hi Raymond,
>
>You have to configure Exchange to use predefined ports. You have to set this
>up in the registry. Check Microsoft support article Q148732 for the details.
>
>
>Good luck,
>
>Elmar van Mourik
>System and Networkmanagement ZHEW
>Tel: +31 78 6397 289
>Fax: +31 78 6139 212
>
>
>> -----Original message-----
>> From: Raymond N [mailto:[email protected]]
>> Sent: Thursday 11 October 2001 2:47
>> To: [email protected]
>> Subject: [FW-1] How to allow Exchange access
>>
>>
>> Hi there,
>>
>> I am using Firewall-1 4.1 SP4.  I want an NT client workstation in
>> network-A to be able to access the MS Exchange server in network-B, where
>> the CP firewall is in between.  The Exchange server is v5.5.  No network
>> address translation.
>>
>> I know that there are pre-defined services "MSExchange",
>> "MSExchange-v5.5", "MSExchange-RemoteAdmin",
>> "MSExchange-RemoteAdmin-v5.5" and "MSExchange-SiteConnector".  What is
>> needed in my situation?  And what should the rule(s) look like?
>>
>> I tried this:
>> source = network-a
>> destination = network-b
>> service = all MSExchange services defined above
>> action = accept
>>
>> It doesn't work.  From the log, I see that my client is trying to talk to
>> the server on tcp port 2400, and is being dropped.  I suppose using those
>> pre-defined resources can eliminate the need to open all the >1023 TCP
>> ports, isn't it?
>>
>> Please help.
>>
>> -raymond ([email protected])
>>
>>
>> ================================================================================
>>      To unsubscribe from this mailing list, please see the instructions at
>>                http://www.checkpoint.com/services/mailing.html
>> ================================================================================
>>
>
>------------------------------
>Because this message was sent electronically, no rights can be derived from
>the information in it. If you have received this e-mail in error, please
>notify the sender via [email protected] and delete the data from your
>computer.
>
>Zuiveringsschap Hollandse Eilanden en Waarden, Dordrecht
>tel: +31 (0)78 6397100
>fax: +31 (0)78 6311871
>web: http://www.zhew.nl
>
>
>
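
The drop on TCP port 2400 described in the original question fits the DCE-RPC pattern the article covers: the client contacts the rpc-mapper on port 135 and is then directed to a port above 1024. The following is an added example, not part of the thread or of any Check Point or Nokia material, that correlates accepted rpc-mapper connections with later high-port drops between the same hosts. The log layout, the addresses and the 30-second window are constructed assumptions.

```python
from datetime import datetime, timedelta

# Constructed sample log in a simplified layout (NOT FireWall-1's own format):
# time action src dst proto dport
SAMPLE_LOG = """\
2001-10-11T02:40:01 accept 10.1.1.20 10.2.2.5 tcp 135
2001-10-11T02:40:02 drop 10.1.1.20 10.2.2.5 tcp 2400
2001-10-11T02:40:05 drop 10.1.1.20 10.2.2.5 tcp 2400
2001-10-11T02:41:00 drop 10.1.1.30 10.2.2.5 tcp 3389
2001-10-11T02:50:00 drop 10.1.1.20 10.2.2.5 tcp 2401
"""

MAPPER_PORT = 135                # rpc-mapper, as named in the article
WINDOW = timedelta(seconds=30)   # assumed correlation window


def parse(line):
    """Split one constructed log line into typed fields."""
    ts, action, src, dst, proto, dport = line.split()
    return datetime.fromisoformat(ts), action, src, dst, proto, int(dport)


def rpc_followup_drops(log_text, window=WINDOW):
    """Return {(src, dst): sorted dropped high ports} for drops that follow
    an accepted port-135 connection between the same two hosts."""
    last_mapper = {}   # (src, dst) -> time of last accepted mapper connection
    findings = {}
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, action, src, dst, proto, dport = parse(line)
        if proto != "tcp":
            continue
        pair = (src, dst)
        if action == "accept" and dport == MAPPER_PORT:
            last_mapper[pair] = ts
        elif action == "drop" and dport > 1023:
            seen = last_mapper.get(pair)
            # Only count drops shortly after the mapper exchange
            if seen is not None and ts - seen <= window:
                findings.setdefault(pair, set()).add(dport)
    return {pair: sorted(ports) for pair, ports in findings.items()}


if __name__ == "__main__":
    for (src, dst), ports in rpc_followup_drops(SAMPLE_LOG).items():
        print(f"{src} -> {dst}: mapper accepted, then dropped on {ports}")
```

A hit means the rule base passes the endpoint-mapper exchange but not the port it hands out, which is the gap that either the explicit MSExchange service objects or the fixed-port workaround is meant to close.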

   All contents © 2004 Network Presence, LLC. All rights reserved.