Firewall question (front-end/back-end)

Hello ppl,
let me suppose that there are two firewalls between a front-end server ans some back-ends.

Internet

FW1

F.E.

FW2

B.E

I ask, when an user wants to connect by means of OWA or RPC over HTTPS, that user needs to be authenticated against a DC for being able to access his mailbox. You know?

I suppose that this authentication is made on behalf of the client by the F.E contacting a DC with the protocol Kerberos v.5, so the Kerberos port (8

must be open only on FW2. I suppose also that the username and password are sent in the HTTP/S format to the F.E. server. Is this right?

Another reason for opening port 88 on FW2 could be that the F.E must authenticate itself when he joins the domain.
Anyway, I am interesting over all in answering the first question.

Can someone strengthen my statements providing some links or by his knowledge?

Thank You.

Find more posts tagged with

Comments

royal

When you're outside, you use Outlook Anywhere (RCP over HTTP) which talks to the CAS. Both Directory lookups and regular mail lookups will hit the CAS. The CAS has certain authentication settings on its virtual directories in IIS which allow the client to authenticate over the HTTPS tunnel.

You'd only need to open up 88 and those types of ports if you wanted to use direct RPC through the internet which would allow more ports to be open such as port 135 and upper ports since 135 is just an RPC endpoint mapper. But if you were to do this, it'd be only a matter of time before your network was hacked. So you'd definitely use Outlook Anywhere which requires only 443 to be open.

blargoe

I think you are only partially right... a front end has to fully participate in the active directory, not just be able to use kerberos to authenticate... so every port that an AD client would use would have to be opened... global catalog, ldap, dns, kerberos, netbios, etc.

I know there was a thread here discussing it a few months ago... you could probably find it in a search

rjbarlow

blargoe wrote:

I think you are only partially right... a front end has to fully participate in the active directory, not just be able to use kerberos to authenticate... so every port that an AD client would use would have to be opened... global catalog, ldap, dns, kerberos, netbios, etc.

I know there was a thread here discussing it a few months ago... you could probably find it in a search

Yea man, I missed intentionally the other protocols and ports to be open, because I was focusing myself on Kerberos and authentications due to some exercises.

Thank You much.

rjbarlow

royal wrote:

When you're outside, you use Outlook Anywhere (RCP over HTTP) which talks to the CAS. Both Directory lookups and regular mail lookups will hit the CAS. The CAS has certain authentication settings on its virtual directories in IIS which allow the client to authenticate over the HTTPS tunnel.

You'd only need to open up 88 and those types of ports if you wanted to use direct RPC through the internet which would allow more ports to be open such as port 135 and upper ports since 135 is just an RPC endpoint mapper. But if you were to do this, it'd be only a matter of time before your network was hacked. So you'd definitely use Outlook Anywhere which requires only 443 to be open.

Royal, please tell me that You are telling on somewhat that is not Exchange 2003... I missed to say that I was speaking on it, sorry...

HeroPsycho

You need numerous ports open between front end and backend servers. For this reason, the equivalent in Exchange 2007 called a Client Access Server isn't even supported in a DMZ network anymore. If you want client machines to hit a server in the DMZ first, you're better off setting up an ISA array in the DMZ and publish Exchange, and put both your front end and backend servers in your internal network.

To shed a bit more light, remember that RPC over HTTP requires RPC Proxy service to be installed. The front end then sends RPC traffic just like a regular Outlook client to Exchange.

royal

rjbarlow wrote: »

Royal, please tell me that You are telling on somewhat that is not Exchange 2003... I missed to say that I was speaking on it, sorry...

Yep, sorry. I was talking about Exchange 2007 in which none of the Exchange roles are supported in DMZ, except for the Edge.

HeroPsycho

With the exception of Edge Transport...

royal

HeroPsycho wrote: »

With the exception of Edge Transport...

I stated Edge!!

HeroPsycho

LOL, you actually had me there for a second.