Opening ports on firewalls

Essendon Member Posts: 4,546
These are from Testout:

Q1. You recently deployed Exchange Server 2003 in a Front-end/Back-end configuration. The front-end server is in a DMZ. A two-node cluster in the corporate intranet is the back-end server.
The only traffic permitted into the DMZ from the internet is DNS, SMTP, HTTP, SSL and Kerberos. RPC traffic is not permitted into the firewall to the private network. There is no VPN solution in place for the company.
You need to choose a remote mailbox access client solution to take advantage of the existing infrastructure. Your client solution should offer the best performance and should be implemented over the existing infrastructure. The solution must be as cost-effective as possible.

What should you do?

1. Use Outlook 2003 through a VPN connection.
2. Use Outlook with MAPI over RPC.
3. Use OWA over SSL.
4. Use Outlook 2003 with RPC over HTTP.

You can count 1 off right away, as there is no VPN solution in the company. 2 and 4 should be discounted as the firewall doesn't allow RPC. That leaves us with 3. But the given answer is 4, they reckon that OWA over SSL does not offer best performance. But I thought the question said that RPC was blocked by the firewall. Something I misunderstood?

Q2. A front-end server is configured inside a DMZ. Clients use Outlook 2003 to connect to the front-end server. The front-end server will use RPC over HTTP to support the client connections. Back-end, DNS and AD servers are located in the internal network. Pass-through authentication will not be used.
You need to open the necessary ports in the inner and outer firewalls.

I will only type in the given answer since this was a drag-drop question.

Outer - HTTPS
Inner - HTTP, RPC, DNS, LDAP, Kerberos, Exchange Link State.

Now, why does the outer firewall need HTTPS? There is no mention of SSL being used. On the inner, I know HTTP is needed for FE-BE communication. Why does it need RPC, I thought if Outlook 2003 was in use as client then only port 80 was needed on the firewall. Also, since the front-end server was doing the authentication, why would they need Kerberos, especially since pass-through authentication is not used. I am feeling muddled, someone please help with this. Security and encryption always seem to trip me.
NSX, NSX, more NSX..

Blog >>


  • royal Member Posts: 3,352
    For Q1, it must be cost effective. You can just use RPC over HTTP without a certificate and connect. It's more cost effective since you don't have to purchase a certificate and they don't mention a CA and tells you to work within the existing infrastructure.

    For Q2, even though the FE talks to the BE over HTTP, servers love to use RPC to communicate with each other. Since FE will be joined to the domain, you'll need to have DNS open to talk to the DNS Servers, Kerberos since it's joined to the domain, etc... Basically, putting a FE in the DMZ is not a recommended practice.

    Also, you probably shouldn't be posting copyrighted material into the forums or anywhere else for that matter.
    “For success, attitude is equally as important as ability.” - Harry F. Banks
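    The port lists quoted in Q2's answer can be checked mechanically. The following is an added example (not code from the thread or from TestOut) that maps each named service to its well-known TCP port and audits a candidate inner/outer firewall policy for gaps and for unneeded exposure; the port numbers are standard, the policies are constructed.

```python
# Added example: audit a DMZ front-end firewall policy for the
# RPC-over-HTTP topology described in Q2. TCP only; DNS and Kerberos
# also use UDP, and RPC additionally needs its dynamic port range.
from typing import Dict, List, Set

# Well-known ports for the services named in the thread's answer.
SERVICE_PORTS: Dict[str, int] = {
    "HTTPS": 443,
    "HTTP": 80,
    "RPC": 135,          # endpoint mapper
    "DNS": 53,
    "LDAP": 389,
    "Kerberos": 88,
    "Exchange Link State": 691,
}

# What the quoted answer says each firewall must allow inbound.
REQUIRED: Dict[str, List[str]] = {
    "outer": ["HTTPS"],
    "inner": ["HTTP", "RPC", "DNS", "LDAP", "Kerberos", "Exchange Link State"],
}


def audit(policy: Dict[str, Set[int]]) -> Dict[str, List[str]]:
    """Per firewall, list required services whose port is not permitted.
    `policy` maps firewall name -> set of inbound TCP ports it allows."""
    gaps: Dict[str, List[str]] = {}
    for fw, services in REQUIRED.items():
        allowed = policy.get(fw, set())
        gaps[fw] = [s for s in services if SERVICE_PORTS[s] not in allowed]
    return gaps


def extra_exposure(policy: Dict[str, Set[int]], fw: str) -> List[int]:
    """Ports the firewall allows that no required service needs."""
    needed = {SERVICE_PORTS[s] for s in REQUIRED[fw]}
    return sorted(policy.get(fw, set()) - needed)


# Constructed policies: the weak one mirrors the poster's assumption that
# plain HTTP suffices on the outer firewall, and omits DNS and Kerberos on
# the inner one while leaving SMTP (25) open to the back end needlessly.
WEAK_POLICY = {"outer": {80}, "inner": {80, 135, 389, 691, 25}}
FIXED_POLICY = {"outer": {443}, "inner": {80, 135, 53, 389, 88, 691}}

if __name__ == "__main__":
    for name, pol in (("weak", WEAK_POLICY), ("fixed", FIXED_POLICY)):
        print(name, "gaps:", audit(pol),
              "extra:", {fw: extra_exposure(pol, fw) for fw in pol})
```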
  • Essendon Member Posts: 4,546
    Thank you for the answer, royal. Makes sense now.
    Just with that copyright thing, this is not the first time I have posted a question from some software and I have seen other members do it as well. If the mods can confirm this, I'll refrain from posting any questions. Or maybe word them differently and not say where they were from (well if I didn't say they were from, they could be perceived as being from ****). I'll leave this to the mods. Thanks again.
    NSX, NSX, more NSX..

    Blog >>