I appreciate the copies of sk14754. You guys are quick.
Isn't there an HFA I can apply to get this? I'm hesitant to overwrite
the dcerpc.def file, because other DCE fixes ask you to modify the file
directly, and pretty soon, I'd imagine, I'll end up with a bastardized
file that a new HFA might overwrite later.
Am I sweating this too much?
- Dave
-----Original Message-----
From: Mailing list for discussion of Firewall-1
[mailto:FW-1-MAILINGLIST AT AMADEUS.US.CHECKPOINT DOT COM] On Behalf Of
Reinhard Stich
Sent: Wednesday, August 31, 2005 3:34 PM
To: FW-1-MAILINGLIST AT AMADEUS.US.CHECKPOINT DOT COM
Subject: Re: [FW-1] Outlook/Exchange through FW-1 NG
the following information is (c) checkpoint:
How to allow RPC communication between Exchange Server and Outlook
Clients through FireWall-1
Creation Date: 10/08/2002
Revised Date: 06/25/2003
Preferred Product: FireWall-1
Latest Version: NG
Category: Other
The information in this article applies to:
# FireWall-1 NG
# VPN-1 NG
# Exchange Server
# Outlook Clients
# RPC
# DCE
# MSExchange
Symptoms
# MSExchange Communication is dropped by the FireWall-1 on Clean Up Rule
# FireWall-1 fails to match MSExchange traffic to rules containing
"MSExchange" specific services
Cause
# Support for inspecting the traffic between MS Outlook and MS
Exchange Server has been troublesome for quite a while, for a variety
of reasons. The main reason is that the communication between Outlook
and Exchange is not publicly documented, and Check Point has not been
able to receive proper cooperation from MS to work towards a viable
solution. This leads to the situation in which our solution is always
based on network snoops, rather than structured and complete.
Solution
In FP2 the inspect code has changed significantly for the better
based on our experience with this protocol.
To implement the solution do the following:
1. For NG FP1 download the "dcerpc.def.fp1" here, make sure to
rename the file to "dcerpc.def"
2. For NG FP2 download the "dcerpc.def.fp2" here, make sure to rename
the file to "dcerpc.def"
3. Download the "exchange.def" file here
4. Back up the existing "dcerpc.def" and "exchange.def" files in
$FWDIR/lib on the management station
5. Overwrite the files with the new ones
6. Add the following new DCE RPC service to the list of services and
also add it to the MSExchange group
Name: MS-Exchange-DirRef
UUID: 1544f5e0-613c-11d1-93df-00c04fd7bd09
7. If not existent, add a rule to the policy allowing the MSExchange
group from the client to the server
8. When done, install the policy.
This solution should work well for many or most of the
configurations. If the problem persists, configure the Exchange Server
to use static ports for the communication and enable these ports in
the firewall.
See the following KB entry from Microsoft:
Setting TCP/IP Ports for Exchange and Outlook Client Connections
Through a Firewall
http://support.microsoft.com/default.aspx?scid=kb;en-us;Q155831
cheers
reinhard
At 21:19 31.08.2005, you wrote:
>I am looking for the specific DCE rules to allow Outlook clients to
>access Exchange. Check Point has sk14754, which is premium content
>reserved for their VAR Gods, not mere mortals such as their end users
>(way to withhold important info, Israel!).
>
>Anyway, does anyone have the proper ruleset for this? Much obliged.
>
>
>- Dave
>
>=================================================
>To set vacation, Out-Of-Office, or away messages,
>send an email to LISTSERV AT amadeus.us.checkpoint DOT com
>in the BODY of the email add:
>set fw-1-mailinglist nomail
>=================================================
>To unsubscribe from this mailing list,
>please see the instructions at
>http://www.checkpoint.com/services/mailing.html
>=================================================
>If you have any questions on how to change your
>subscription options, email
>fw-1-owner AT ts.checkpoint DOT com
>=================================================
--
Reinhard Stich ASSIST R.Stich AT internet-security DOT at
Internet Security AG, 1150 Wien, Johnstrasse 29
Tel: +43 1 3709440 RS784-RIPE Fax: +43 1 3709440-333
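Dave's worry above, that a hand-edited dcerpc.def is silently replaced by a later HFA, can at least be made detectable. The following shell script is an added example, not part of this thread and not Check Point's own tooling: it performs the backup from step 4 of the procedure for both .def files, records a cksum baseline once the new files are in place, and lets you re-check that baseline after every HFA install. Assumptions: FWDIR is set as it is on a Check Point management station (the default path in the script is a placeholder), and the POSIX cksum utility is available.

```shell
#!/bin/sh
# Added example, not from the thread or from Check Point.
# Back up the INSPECT definition files before overwriting them and keep a
# checksum baseline so that a later HFA replacing the file is noticed.
# Assumption: FWDIR points at the Check Point install; the fallback below is a placeholder.

LIBDIR="${FWDIR:-/opt/CPfw1-PLACEHOLDER}/lib"

# backup_defs DIR STAMP: copy dcerpc.def and exchange.def in DIR to NAME.STAMP.bak
backup_defs() {
    dir="$1"; stamp="$2"
    for f in dcerpc.def exchange.def; do
        [ -f "$dir/$f" ] || continue            # nothing to back up
        cp -p "$dir/$f" "$dir/$f.$stamp.bak" || return 1
    done
    return 0
}

# record_baseline DIR OUTFILE: write "crc size name" lines for both .def files
record_baseline() {
    dir="$1"; out="$2"
    ( cd "$dir" && cksum dcerpc.def exchange.def ) > "$out"
}

# check_baseline DIR OUTFILE: succeed only if both files still match the
# recorded baseline; fail if either changed (e.g. an HFA overwrote dcerpc.def)
check_baseline() {
    dir="$1"; base="$2"
    current=$( cd "$dir" && cksum dcerpc.def exchange.def )
    [ "$current" = "$(cat "$base")" ]
}

# Typical use on the management station (steps 4 and 5 of the procedure):
#   backup_defs "$LIBDIR" "$(date +%Y%m%d)"      # before copying the new files in
#   cp dcerpc.def exchange.def "$LIBDIR"/         # the downloaded files
#   record_baseline "$LIBDIR" "$LIBDIR/def-baseline.txt"
# After each HFA:
#   check_baseline "$LIBDIR" "$LIBDIR/def-baseline.txt" || echo "dcerpc.def/exchange.def changed"
```

If check_baseline fails after an HFA, diff the current file against the .bak copy to see whether the HFA brought its own dcerpc.def and whether your MSExchange changes need to be re-applied before installing the policy again.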