The following information is (c) Check Point:
How to allow RPC communication between Exchange Server and Outlook
Clients through FireWall-1
Creation Date: 10/08/2002
Revised Date: 06/25/2003
Preferred Product: FireWall-1
Latest Version: NG
Category: Other
The information in this article applies to:
# FireWall-1 NG
# VPN-1 NG
# Exchange Server
# Outlook Clients
# RPC
# DCE
# MSExchange
Symptoms
# MSExchange Communication is dropped by the FireWall-1 on Clean Up Rule
# FireWall-1 fails to match MSExchange traffic to rules containing
"MSExchange" specific services
Cause
# Support for inspecting the traffic between MS Outlook and MS
Exchange Server has been troublesome for quite a while, for a variety
of reasons. The main reason is that the communication between Outlook
and Exchange is not publicly documented, and Check Point has not been
able to receive proper cooperation from MS to work towards a viable
solution. This leads to the situation in which our solution is always
based on network snoops, rather than structured and complete.
Solution
In FP2 the inspect code has changed significantly for the better
based on our experience with this protocol.
To implement the solution do the following:
1. For NG FP1 download the "dcerpc.def.fp1" here, make sure to
rename the file to "dcerpc.def"
2. For NG FP2 download the "dcerpc.def.fp2" here, make sure to rename
the file to "dcerpc.def"
3. Download the "exchange.def" file here
4. Back up the existing "dcerpc.def" and "exchange.def" files in
$FWDIR/lib on the management station
5. Overwrite the files with the new ones
6. Add the following new DCE RPC service to the list of services and
also add it to the MSExchange group
Name: MS-Exchange-DirRef
UUID: 1544f5e0-613c-11d1-93df-00c04fd7bd09
7. If not existent, add a rule to the policy allowing the MSExchange
group from the client to the server
8. When done, install the policy.
This solution should work well for many or most of the
configurations. If the problem persists, configure the Exchange Server
to use static ports for the communication and enable these ports in
the firewall.
See the following KB entry from Microsoft:
Setting TCP/IP Ports for Exchange and Outlook Client Connections
Through a Firewall
http://support.microsoft.com/default.aspx?scid=kb;en-us;Q155831
cheers
reinhard
At 21:19 31.08.2005, you wrote:
I am looking for the specific DCE rules to allow Outlook clients to
access Exchange. Check Point has sk14754, which is premium content
reserved for their VAR Gods, not mere mortals such as their end users
(way to withhold important info, Israel!).
Anyway, does anyone have the proper ruleset for this? Much obliged.
- Dave
=================================================
To set vacation, Out-Of-Office, or away messages,
send an email to LISTSERV AT amadeus.us.checkpoint DOT com
in the BODY of the email add:
set fw-1-mailinglist nomail
=================================================
To unsubscribe from this mailing list,
please see the instructions at
http://www.checkpoint.com/services/mailing.html
=================================================
If you have any questions on how to change your
subscription options, email
fw-1-owner AT ts.checkpoint DOT com
=================================================
--
Reinhard Stich ASSIST R.Stich AT internet-security DOT at
Internet Security AG, 1150 Wien, Johnstrasse 29
Tel: +43 1 3709440 RS784-RIPE Fax: +43 1 3709440-333
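The UUID matching behind step 6 of the KB article quoted above, as an added illustration that is not part of the article, of Check Point's inspect code, or of either poster's mail: a connection-oriented DCE RPC bind PDU carries the interface UUID of the requested service in little-endian wire order, and a UUID-defined service object such as MS-Exchange-DirRef is matched against exactly that field. The bind PDU builder, the sample packet and the service table are constructed here for the example; the parser handles only little-endian bind PDUs.

```python
import struct
import uuid

# Service objects as FireWall-1 defines them: name -> DCE RPC interface UUID.
# The only entry is the MS-Exchange-DirRef service the KB article says to add.
DCERPC_SERVICES = {"MS-Exchange-DirRef": uuid.UUID("1544f5e0-613c-11d1-93df-00c04fd7bd09")}
# Standard NDR transfer syntax, carried in every bind request.
NDR_TRANSFER_SYNTAX = uuid.UUID("8a885d04-1ceb-11c9-9fe8-08002b104860")

def build_bind_pdu(iface: str, major=0, minor=0, call_id=1) -> bytes:
    """Construct a minimal connection-oriented DCE RPC bind PDU (PTYPE 11, LE drep)."""
    ctx = struct.pack("<HBB", 0, 1, 0)  # p_cont_id, n_transfer_syn, reserved
    ctx += uuid.UUID(iface).bytes_le + struct.pack("<HH", major, minor)
    ctx += NDR_TRANSFER_SYNTAX.bytes_le + struct.pack("<I", 2)
    # max_xmit_frag, max_recv_frag, assoc_group_id, n_context_elem, reserved x2
    body = struct.pack("<HHIBBH", 5840, 5840, 0, 1, 0, 0) + ctx
    # rpc_vers, minor, ptype, pfc_flags, packed_drep, frag_length, auth_length, call_id
    hdr = struct.pack("<BBBB4sHHI", 5, 0, 11, 0x03, b"\x10\x00\x00\x00",
                      16 + len(body), 0, call_id)
    return hdr + body

def parse_bind_interfaces(pdu: bytes) -> list:
    """Return the interface (abstract syntax) UUIDs a bind PDU requests; a
    UUID-based firewall service object is matched against this field."""
    if len(pdu) < 28:
        raise ValueError("truncated bind PDU")
    vers, _, ptype, _, drep, frag_len, _, _ = struct.unpack("<BBBB4sHHI", pdu[:16])
    if vers != 5 or ptype != 11:
        raise ValueError("not a DCE RPC v5 bind PDU")
    if (drep[0] & 0xF0) != 0x10:
        raise ValueError("only little-endian data representation handled")
    if frag_len != len(pdu):
        raise ValueError("frag_length does not match PDU size")
    n_ctx = pdu[24]
    off, ifaces = 28, []
    for _ in range(n_ctx):
        if off + 24 > len(pdu):
            raise ValueError("truncated presentation context list")
        _, n_ts, _ = struct.unpack_from("<HBB", pdu, off)
        ifaces.append(uuid.UUID(bytes_le=pdu[off + 4:off + 20]))  # wire order is LE
        off += 24 + 20 * n_ts  # context header + abstract syntax + transfer syntaxes
    return ifaces

def match_services(pdu: bytes) -> list:
    """Names of the defined service objects whose UUID this bind requests."""
    ifaces = parse_bind_interfaces(pdu)
    return [name for name, u in DCERPC_SERVICES.items() if u in ifaces]
```

A mismatch between the UUID in a service object and the one on the wire (for example, a UUID typed in the wrong byte order) is exactly why traffic falls through to the clean-up rule instead of matching the MSExchange group.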