Firewall question (front-end/back-end)
rjbarlow
Member Posts: 411
Hello ppl,
let me suppose that there are two firewalls between a front-end server and some back-ends.
Internet
FW1
F.E.
FW2
B.E
I ask: when a user wants to connect by means of OWA or RPC over HTTPS, that user needs to be authenticated against a DC to be able to access his mailbox. You know?
I suppose that this authentication is made on behalf of the client by the F.E. contacting a DC with the Kerberos v5 protocol, so the Kerberos port (88) must be open only on FW2. I suppose also that the username and password are sent over HTTP/S to the F.E. server. Is this right?
Another reason for opening port 88 on FW2 could be that the F.E. must authenticate itself when it joins the domain.
Anyway, I am interested above all in an answer to the first question.
Can someone back up my statements, by providing some links or from their own knowledge?
Thank You.
Comments
royal Member Posts: 3,352
When you're outside, you use Outlook Anywhere (RPC over HTTP), which talks to the CAS. Both directory lookups and regular mail lookups will hit the CAS. The CAS has certain authentication settings on its virtual directories in IIS which allow the client to authenticate over the HTTPS tunnel.
You'd only need to open up 88 and those types of ports if you wanted to use direct RPC through the internet, which would allow more ports to be open, such as port 135 and upper ports, since 135 is just an RPC endpoint mapper. But if you were to do this, it'd be only a matter of time before your network was hacked. So you'd definitely use Outlook Anywhere, which requires only 443 to be open.
“For success, attitude is equally as important as ability.” - Harry F. Banks
blargoe Member Posts: 4,174
I think you are only partially right... a front end has to fully participate in the Active Directory, not just be able to use Kerberos to authenticate... so every port that an AD client would use would have to be opened... global catalog, LDAP, DNS, Kerberos, NetBIOS, etc.
I know there was a thread here discussing it a few months ago... you could probably find it in a search.
IT guy since 12/00
Recent: 11/2019 - RHCSA (RHEL 7); 2/2019 - Updated VCP to 6.5 (just a few days before VMware discontinued the re-cert policy...)
Working on: RHCE/Ansible
Future: Probably continued Red Hat Immersion, Possibly VCAP Design, or maybe a completely different path. Depends on job demands...
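To make the two answers above concrete (royal's point that only 443 needs to be open on the outer firewall, and blargoe's point that the front-end needs the whole set of AD-client ports through the inner one), here is an added example; it is not code from any poster in this thread. It models the Internet -> FW1 -> F.E. -> FW2 -> B.E./DC layout from the question and checks a rule set against a list of flows the front-end needs. The addresses are constructed (RFC 5737 documentation ranges), and the port list is my assumption of what a domain-joined front-end running the RPC-over-HTTP proxy typically needs; verify it against the Exchange and Active Directory documentation for the version you actually run.

```python
"""Coverage check for a two-firewall front-end / back-end layout.

Topology from the thread:  Internet -> FW1 -> front-end -> FW2 -> back-end / DC
Added example, not code from the original posts.  Hosts are constructed (RFC 5737
addresses); the port list is an ASSUMPTION to be checked against your version's docs.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

INTERNET = "0.0.0.0/0"
CLIENT = "203.0.113.7"      # an Outlook / OWA user somewhere on the Internet
FE = "192.0.2.10"           # front-end in the DMZ (OWA, RPC-over-HTTP proxy)
BE = "198.51.100.20"        # back-end mailbox server, internal network
DC = "198.51.100.5"         # domain controller / global catalog, internal
RPC_DYNAMIC = (1025, 5000)  # assumed dynamic RPC range; 1025 stands in for it below


@dataclass(frozen=True)
class Rule:
    fw: str        # "FW1" or "FW2"
    src: str       # CIDR
    dst: str       # CIDR
    proto: str     # "tcp" / "udp"
    ports: tuple   # inclusive (low, high) destination port range


@dataclass(frozen=True)
class Flow:
    fw: str
    src: str       # single address
    dst: str
    proto: str
    port: int
    purpose: str


def rule_matches(rule: Rule, flow: Flow) -> bool:
    lo, hi = rule.ports
    return (rule.fw == flow.fw and rule.proto == flow.proto
            and ip_address(flow.src) in ip_network(rule.src)
            and ip_address(flow.dst) in ip_network(rule.dst)
            and lo <= flow.port <= hi)


def allowed(rules, flow: Flow) -> bool:
    """Default deny: a flow passes only if some rule on that firewall matches it."""
    return any(rule_matches(r, flow) for r in rules)


def uncovered(rules, flows):
    """Required flows that the rule set would block."""
    return [f for f in flows if not allowed(rules, f)]


# Assumed AD-member traffic from the front-end to the DC: (proto, port, purpose).
AD_CLIENT_PORTS = [
    ("udp", 53, "DNS"), ("tcp", 53, "DNS"), ("udp", 88, "Kerberos"), ("tcp", 88, "Kerberos"),
    ("tcp", 135, "RPC endpoint mapper"), ("tcp", 445, "SMB (SYSVOL, group policy)"),
    ("udp", 137, "NetBIOS name"), ("udp", 138, "NetBIOS datagram"), ("tcp", 139, "NetBIOS session"),
    ("udp", 389, "LDAP"), ("tcp", 389, "LDAP"), ("tcp", 636, "LDAPS"),
    ("tcp", 464, "Kerberos password change"),
    ("tcp", 3268, "global catalog"), ("tcp", 3269, "global catalog over SSL"),
    ("tcp", RPC_DYNAMIC[0], "dynamic RPC (representative port)"),
]

# Everything the design has to let through.  Outside: HTTPS and nothing else.
REQUIRED = [Flow("FW1", CLIENT, FE, "tcp", 443, "OWA / RPC over HTTPS")]
REQUIRED += [Flow("FW2", FE, DC, p, port, why) for p, port, why in AD_CLIENT_PORTS]
REQUIRED += [  # front-end to back-end: proxied OWA, plus RPC from the RPC proxy
    Flow("FW2", FE, BE, "tcp", 80, "OWA proxied to back-end"),
    Flow("FW2", FE, BE, "tcp", 135, "RPC endpoint mapper"),
    Flow("FW2", FE, BE, "tcp", RPC_DYNAMIC[0], "dynamic RPC (representative port)"),
]

# The rule set the question proposes: 443 in through FW1, only Kerberos through FW2.
PROPOSED = [
    Rule("FW1", INTERNET, FE + "/32", "tcp", (443, 443)),
    Rule("FW2", FE + "/32", DC + "/32", "tcp", (88, 88)),
]

# A rule set that covers the list: the same single 443 rule outside, full AD set inside.
ADEQUATE = [Rule("FW1", INTERNET, FE + "/32", "tcp", (443, 443))]
ADEQUATE += [Rule("FW2", FE + "/32", DC + "/32", p, (port, port))
             for p, port, _ in AD_CLIENT_PORTS if port != RPC_DYNAMIC[0]]
ADEQUATE += [Rule("FW2", FE + "/32", DC + "/32", "tcp", RPC_DYNAMIC),
             Rule("FW2", FE + "/32", BE + "/32", "tcp", (80, 80)),
             Rule("FW2", FE + "/32", BE + "/32", "tcp", (135, 135)),
             Rule("FW2", FE + "/32", BE + "/32", "tcp", RPC_DYNAMIC)]


def report(name, rules):
    missing = uncovered(rules, REQUIRED)
    print(f"{name}: {len(missing)} of {len(REQUIRED)} required flows blocked")
    for f in missing:
        print(f"  {f.fw} {f.src} -> {f.dst} {f.proto}/{f.port}  {f.purpose}")
    return missing


if __name__ == "__main__":
    report("proposed", PROPOSED)   # 18 of 20 blocked: port 88 alone is not enough
    report("adequate", ADEQUATE)   # 0 of 20 blocked
    # The outer firewall still admits nothing but HTTPS to the front-end.
    for port in (88, 135, 389):
        assert not allowed(ADEQUATE, Flow("FW1", CLIENT, FE, "tcp", port, "must stay closed"))
```

The check is deliberately direction-aware: every rule is keyed to a firewall, a source and a destination, so a rule that lets the front-end reach the DC says nothing about the reverse path, and no AD or RPC port is ever opened on FW1. Swap `AD_CLIENT_PORTS` for the list in the documentation of your Exchange and Windows versions, and narrow `RPC_DYNAMIC` to whatever range you have pinned on the servers, before trusting the result.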
rjbarlow Member Posts: 411
blargoe wrote: I think you are only partially right... a front end has to fully participate in the Active Directory, not just be able to use Kerberos to authenticate... so every port that an AD client would use would have to be opened... global catalog, LDAP, DNS, Kerberos, NetBIOS, etc.
I know there was a thread here discussing it a few months ago... you could probably find it in a search.
Thank you very much.
rjbarlow Member Posts: 411
royal wrote: When you're outside, you use Outlook Anywhere (RPC over HTTP), which talks to the CAS. Both directory lookups and regular mail lookups will hit the CAS. The CAS has certain authentication settings on its virtual directories in IIS which allow the client to authenticate over the HTTPS tunnel.
You'd only need to open up 88 and those types of ports if you wanted to use direct RPC through the internet, which would allow more ports to be open, such as port 135 and upper ports, since 135 is just an RPC endpoint mapper. But if you were to do this, it'd be only a matter of time before your network was hacked. So you'd definitely use Outlook Anywhere, which requires only 443 to be open.
HeroPsycho Inactive Imported Users Posts: 1,940
You need numerous ports open between front end and back end servers. For this reason, the equivalent in Exchange 2007, called a Client Access Server, isn't even supported in a DMZ network anymore. If you want client machines to hit a server in the DMZ first, you're better off setting up an ISA array in the DMZ and publishing Exchange, and putting both your front end and back end servers in your internal network.
To shed a bit more light, remember that RPC over HTTP requires the RPC Proxy service to be installed. The front end then sends RPC traffic just like a regular Outlook client to Exchange.
Good luck to all!
royal Member Posts: 3,352
rjbarlow wrote: Royal, please tell me that you are talking about something that is not Exchange 2003... I forgot to say that I was speaking about it, sorry...
Yep, sorry. I was talking about Exchange 2007, in which none of the Exchange roles are supported in the DMZ, except for the Edge.
“For success, attitude is equally as important as ability.” - Harry F. Banks
royal Member Posts: 3,352
HeroPsycho wrote: With the exception of Edge Transport...
I stated Edge!!
“For success, attitude is equally as important as ability.” - Harry F. Banks