Hi,
I had similar problems with a new Exchange Server (v2003) on a DMZ.
http://support.microsoft.com/?kbid=270836 is the right KB from Microsoft to
put static ports on Exchange 2003 (v2000 also); just check the English one,
because translations (still in French) are much shorter than the original
English one.
I do not know which version of Checkpoint you have, but with NG with AI, the
firewall can track some of the RPC traffic (with objects in the DCE-RPC
branch).
Access from Outlook to Exchange only needs (for me, it was from LAN to
server in DMZ) :
microsoft-ds (445 TCP),
and Group MSExchange that contains :
MSExchangeDirRef (DCE-RPC)
MSExchangeDS (DCE-RPC)
MSExchangeIS (DCE-RPC)
The only problem I have not solved was the notification from the Exchange
server to the Outlook clients, which appears on dynamically generated ports. I
tried to modify the file EXCHANGE.DEF on the Management server, but it didn't
work.
Hope it will help you.
Fabrice
Date: Tue, 15 Nov 2005 19:19:51 -0500
From: Ray <sixsigma44 AT HOTMAIL DOT COM>
Subject: Re: Checkpoint SecuRemote and Microsoft Exchange Clients
Check SmartView Tracker for drops on rules higher than 900. Prior to R55
HFA09 there were a lot of issues with RPC. I haven't had any problems with
SecureClient & Exchange since we went to HFA09.
Ray
>From: Neil Kemp <secureadvice AT GMAIL DOT COM>
>Reply-To: Mailing list for discussion of Firewall-1
><FW-1-MAILINGLIST AT AMADEUS.US.CHECKPOINT DOT COM>
>To: FW-1-MAILINGLIST AT AMADEUS.US.CHECKPOINT DOT COM
>Subject: Re: [FW-1] Checkpoint SecuRemote and Microsoft Exchange Clients
>Date: Tue, 15 Nov 2005 21:56:27 +0000
>
>Which is fine, but don't know if that is the actual issue as between the
>firewall and the SecuRemote client - the traffic is unrestricted.
>
>Any ideas ?
>
>On 15/11/05, Aaron Brasslett <Aaron.Brasslett AT kleinschmidtusa DOT com>
>wrote:
> >
> > The problem is that Exchange uses numerous dynamic ports. You'll need to
> > lock Exchange down to specific ports.
> >
> > http://support.microsoft.com/?kbid=270836
> >
> > -----Original Message-----
> > From: Neil Kemp [mailto:secureadvice AT GMAIL DOT COM]
> > Sent: Tuesday, November 15, 2005 10:30 AM
> > To: FW-1-MAILINGLIST AT AMADEUS.US.CHECKPOINT DOT COM
> > Subject: [FW-1] Checkpoint SecuRemote and Microsoft Exchange Clients
> >
> >
> > Afternoon guys.
> >
> > I have been trying to troubleshoot some remote users who are experiencing
> > intermittent connectivity when they work remotely across a SecuRemote VPN
> > to an internal Microsoft Exchange Server.
> >
> > From what I have seen there are numerous articles about the ports that are
> > in use etc, but nothing defined as to how to get it working - does anyone
> > have this sort of information ?
> >
> > Thanks in advance.