Firewall question (front-end/back-end)

Hello ppl,
let me suppose that there are two firewalls between a front-end server ans some back-ends.

Internet
FW1
F.E.
FW2
B.E

I ask, when an user wants to connect by means of OWA or RPC over HTTPS, that user needs to be authenticated against a DC for being able to access his mailbox. You know?

I suppose that this authentication is made on behalf of the client by the F.E contacting a DC with the protocol Kerberos v.5, so the Kerberos port (8icon_cool.gif must be open only on FW2. I suppose also that the username and password are sent in the HTTP/S format to the F.E. server. Is this right?

Another reason for opening port 88 on FW2 could be that the F.E must authenticate itself when he joins the domain.
Anyway, I am interesting over all in answering the first question.

Can someone strengthen my statements providing some links or by his knowledge?

Thank You.
Pork 3
Maindrian's music

WIP: 70-236, 70-293 and MCSE.

Comments

  • royalroyal Member Posts: 3,352 ■■■■□□□□□□
    When you're outside, you use Outlook Anywhere (RCP over HTTP) which talks to the CAS. Both Directory lookups and regular mail lookups will hit the CAS. The CAS has certain authentication settings on its virtual directories in IIS which allow the client to authenticate over the HTTPS tunnel.

    You'd only need to open up 88 and those types of ports if you wanted to use direct RPC through the internet which would allow more ports to be open such as port 135 and upper ports since 135 is just an RPC endpoint mapper. But if you were to do this, it'd be only a matter of time before your network was hacked. So you'd definitely use Outlook Anywhere which requires only 443 to be open.
    “For success, attitude is equally as important as ability.” - Harry F. Banks
  • blargoeblargoe Self-Described Huguenot NC, USAMember Posts: 4,174 ■■■■■■■■■□
    I think you are only partially right... a front end has to fully participate in the active directory, not just be able to use kerberos to authenticate... so every port that an AD client would use would have to be opened... global catalog, ldap, dns, kerberos, netbios, etc.

    I know there was a thread here discussing it a few months ago... you could probably find it in a search
    IT guy since 12/00

    Recent: 11/2019 - RHCSA (RHEL 7); 2/2019 - Updated VCP to 6.5 (just a few days before VMware discontinued the re-cert policy...)
    Working on: RHCE/Ansible
    Future: Probably continued Red Hat Immersion, Possibly VCAP Design, or maybe a completely different path. Depends on job demands...
  • rjbarlowrjbarlow Member Posts: 411
    blargoe wrote:
    I think you are only partially right... a front end has to fully participate in the active directory, not just be able to use kerberos to authenticate... so every port that an AD client would use would have to be opened... global catalog, ldap, dns, kerberos, netbios, etc.

    I know there was a thread here discussing it a few months ago... you could probably find it in a search
    Yea man, I missed intentionally the other protocols and ports to be open, because I was focusing myself on Kerberos and authentications due to some exercises.

    Thank You much.
    Pork 3
    Maindrian's music

    WIP: 70-236, 70-293 and MCSE.
  • rjbarlowrjbarlow Member Posts: 411
    royal wrote:
    When you're outside, you use Outlook Anywhere (RCP over HTTP) which talks to the CAS. Both Directory lookups and regular mail lookups will hit the CAS. The CAS has certain authentication settings on its virtual directories in IIS which allow the client to authenticate over the HTTPS tunnel.

    You'd only need to open up 88 and those types of ports if you wanted to use direct RPC through the internet which would allow more ports to be open such as port 135 and upper ports since 135 is just an RPC endpoint mapper. But if you were to do this, it'd be only a matter of time before your network was hacked. So you'd definitely use Outlook Anywhere which requires only 443 to be open.
    Royal, please tell me that You are telling on somewhat that is not Exchange 2003... I missed to say that I was speaking on it, sorry...
    Pork 3
    Maindrian's music

    WIP: 70-236, 70-293 and MCSE.
  • HeroPsychoHeroPsycho Inactive Imported Users Posts: 1,940
    You need numerous ports open between front end and backend servers. For this reason, the equivalent in Exchange 2007 called a Client Access Server isn't even supported in a DMZ network anymore. If you want client machines to hit a server in the DMZ first, you're better off setting up an ISA array in the DMZ and publish Exchange, and put both your front end and backend servers in your internal network.

    To shed a bit more light, remember that RPC over HTTP requires RPC Proxy service to be installed. The front end then sends RPC traffic just like a regular Outlook client to Exchange.
    Good luck to all!
  • royalroyal Member Posts: 3,352 ■■■■□□□□□□
    rjbarlow wrote: »
    Royal, please tell me that You are telling on somewhat that is not Exchange 2003... I missed to say that I was speaking on it, sorry...

    Yep, sorry. I was talking about Exchange 2007 in which none of the Exchange roles are supported in DMZ, except for the Edge.
    “For success, attitude is equally as important as ability.” - Harry F. Banks
  • HeroPsychoHeroPsycho Inactive Imported Users Posts: 1,940
    With the exception of Edge Transport... icon_wink.gif
    Good luck to all!
  • royalroyal Member Posts: 3,352 ■■■■□□□□□□
    HeroPsycho wrote: »
    With the exception of Edge Transport... icon_wink.gif

    I stated Edge!!
    “For success, attitude is equally as important as ability.” - Harry F. Banks
  • HeroPsychoHeroPsycho Inactive Imported Users Posts: 1,940
    LOL, you actually had me there for a second.
    Good luck to all!
Sign In or Register to comment.