Re: [FW-1] How to allow Exchange access
I know very well the article you are referring to, but that is not my expectation. I found a support article from Nokia that discusses this topic. It sounds like in the old days that is the option you have, but in newer versions this can be done at the "inspection level". Here is part of the support article:

---------------------------------
Nokia - Resolution 1149

FireWall-1 v4.1 SP4 and later

Check Point's release notes document that several DCE-RPC applications are fully supported, including MS Exchange Server v4.0, 5.0 and 5.5. If using an MS Exchange Server v5.5, the v5.5 service objects must be used in addition to the previous MS Exchange service objects.

FireWall-1 v4.0 to FireWall-1 v4.1 SP3

Support for Microsoft Exchange was considered "experimental". Most networks were able to use the new objects to support MS Exchange traffic, but some sites still had problems. Such sites can either implement the "Pre-version v4.0" workaround or upgrade to v4.1 SP4.

In FireWall-1 v4.0 and later, a set of services were added to support Microsoft Exchange traffic. To support clients connecting to Exchange server over the firewall, add the service "MSExchange" to the appropriate rules. Make sure you add this service explicitly instead of relying on the "any" service to catch it because it will not.

Pre-version v4.0

Microsoft Exchange uses TCP ports above 1024. The port used is defined in the configuration of Microsoft Exchange. To configure FireWall-1 for use with Microsoft Exchange:

1. Define tcp service rpc-mapper on port 135.
2. Configure Microsoft Exchange server to use a specific port(s) you choose (above 1024). This may be done by modifying the registry on the server machine (the machine running Microsoft Exchange) as follows:

.... skip....
-----------------

So, I am looking for the one people would use on v4.1 SP4 implementation.

-raymond

At 07:56 AM 10/11/01 +0200, you wrote:
>Hi Raymond,
>
>You have to configure Exchange to use predefined ports.
>You have to set this up in the registry. Check Microsoft support article Q148732 for the details.
>
>
>Good luck,
>
>Elmar van Mourik
>System and Networkmanagement ZHEW
>Tel: +31 78 6397 289
>Fax: +31 78 6139 212
>
>
>> -----Original message-----
>> From: Raymond N [mailto:[email protected]]
>> Sent: Thursday, 11 October 2001 2:47
>> To: [email protected]
>> Subject: [FW-1] How to allow Exchange access
>>
>>
>> Hi there,
>>
>> I am using Firewall-1 4.1 SP4. I want NT client workstations in network-A to be able to access the MS Exchange server in network-B, where the CP firewall is in between. The Exchange server is v5.5. No network address translation.
>>
>> I know that there are pre-defined services "MSExchange", "MSExchange-v5.5", "MSExchange-RemoteAdmin", "MSExchange-RemoteAdmin-v5.5" and "MSExchange-SiteConnector". What is needed in my situation? And what should the rule(s) look like?
>>
>> I try this:
>> source = network-a
>> destination = network-b
>> service = all MSExchange service defined above
>> action = accept
>>
>> It doesn't work. From the log, I see that my client is trying to talk to the server on tcp port 2400, and is being dropped. I suppose using those pre-defined resources can eliminate the need to open all the >1023 TCP ports, isn't it?
>>
>> Please help.
>>
>> -raymond ([email protected])
>>
>>
>> ================================================================================
>> To unsubscribe from this mailing list, please see the instructions at
>> http://www.checkpoint.com/services/mailing.html
>> ================================================================================
>>
>
>------------------------------
>Because this message was sent electronically, no rights can be derived from the information. If you have received this e-mail in error, please notify the sender via [email protected] and delete the data from the computer.
>
>Zuiveringsschap Hollandse Eilanden en Waarden, Dordrecht
>tel: +31 (0)78 6397100
>fax: +31 (0)78 6311871
>web: http://www.zhew.nl
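Added example, not part of the original thread: the symptom described above (an accepted connection to the RPC endpoint mapper on port 135, followed by a drop on a high port such as 2400) can be picked out of firewall logs with a short correlation script. The log line format, addresses and function name are constructed for illustration and are not FireWall-1's own log format.

```python
import re
from datetime import datetime, timedelta

# Constructed sample log lines in a simplified, hypothetical format
# (an assumption for this example, not a real FireWall-1 log export).
SAMPLE_LOG = """\
2001-10-11 09:00:01 accept tcp 10.1.1.20:1045 -> 10.2.2.5:135
2001-10-11 09:00:02 drop tcp 10.1.1.20:1046 -> 10.2.2.5:2400
2001-10-11 09:00:03 drop tcp 10.1.1.20:1046 -> 10.2.2.5:2400
2001-10-11 09:05:00 drop tcp 10.1.1.30:1100 -> 10.2.2.5:3389
2001-10-11 09:06:00 accept tcp 10.1.1.40:1200 -> 10.2.2.5:135
2001-10-11 09:20:00 drop tcp 10.1.1.40:1201 -> 10.2.2.5:2401
"""

LINE_RE = re.compile(
    r"(?P<ts>\S+ \S+) (?P<action>accept|drop) tcp "
    r"(?P<src>[\d.]+):\d+ -> (?P<dst>[\d.]+):(?P<dport>\d+)$"
)

def find_orphaned_rpc_drops(log_text, window_seconds=30):
    """Return sorted (client, server, port) tuples where a drop on a port
    above 1023 follows an accepted port-135 connection between the same
    client and server within the time window."""
    window = timedelta(seconds=window_seconds)
    last_mapper = {}  # (client, server) -> time of last accepted port-135 connection
    findings = set()
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip lines that do not fit the assumed format
        ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S")
        pair = (m["src"], m["dst"])
        dport = int(m["dport"])
        if m["action"] == "accept" and dport == 135:
            last_mapper[pair] = ts
        elif m["action"] == "drop" and dport > 1023:
            seen = last_mapper.get(pair)
            # Only count drops that closely follow the mapper lookup.
            if seen is not None and timedelta(0) <= ts - seen <= window:
                findings.add((m["src"], m["dst"], dport))
    return sorted(findings)

if __name__ == "__main__":
    for client, server, port in find_orphaned_rpc_drops(SAMPLE_LOG):
        print(f"{client} -> {server}: dropped tcp/{port} after RPC mapper lookup")
```

A hit means the port-135 lookup was allowed but the follow-up connection to the port the mapper handed out was not, which is the pattern to expect when the rule does not match the DCE-RPC service in use.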