Firewalling a Local Area Network with routers, MS Exchange, MS Proxy and LINUX.........

Post by Steve Co » Thu, 07 Oct 1999 04:00:00



Dear all,

I wonder if someone could offer some advice?

Let me take a second to explain the network topology we have here - briefly:

Single subnet LAN - comprising NT network with the odd bit of Novell kit.

Our comms machine runs MS Exchange 5.5 and Proxy 2.0 (it also has RRAS for
VPNs but this doesn't work because of the router listed below).

This comms machine is multihomed (I believe this is the term for 2 network
cards). The internal network is as above and the external network connects to a
CISCO 760 series ISDN router. This machine is the BDC - the separate PDC is
also the internal DNS server.

Currently, all internet access works fine via the router. This is using port
address translation to hide all internal IP addresses and present as one.
Exchange happily fires off through the link too - and when connected - our
SMTP feed pushes into the Exchange server. We have 'firewalling' set up on
the router and with MS Proxy.

There are two issues I want to raise.....

1. One problem we have is that MS Exchange brings up the ISDN link every
time an externally destined email is sent - and I don't believe it is
possible to get Exchange to hold the outbound mail and fire it off at
predetermined intervals. This is costing us a fortune.....  We send large
amounts of externally bound email - all quite small - but with the ISDN line
being brought up very often, you can guess what the bill is like (5-10 sends
per hour). When we used modems, this could be achieved because Exchange used
RAS connections which could be limited to 'batch' dial-outs. This no longer
is true for the router setup.

2. We have an ISDN modem which I daresay we could use instead of the router
to give us limited dial-out but then we become reliant upon MS Proxy
firewalling as we lose the router. Is MS Proxy secure enough? (Seriously
please Linux boys and girls :-) )  And will Linux provide the internal IP
address 'hiding' - presenting one address to the outside world? Should we
drop a linux box in between the MS-Proxy/Exchange and the ISDN? Is this hard
to administer/setup as a dedicated firewall?

We want to set up a system with http, ftp etc. initiated dialout (MS Proxy)
but not by email (MS Exchange) which we can fire off every couple of hours
or so (We have a batch file which can do this in reverse in order to receive
our mail).

We need it to be secure (!) or should I say as secure as possible... and it
would be cool if we could get VPN too (MS RRAS flavor) via the ISDN modem as
the router will not handle the encapsulation properly.

Oh and finally, the funds available are very limited, so a big
UNIX/commercial solution is probably prohibitively costly.

All ideas welcome.

Ta everyone

S

Post by Kirill S. Palagi » Fri, 08 Oct 1999 04:00:00



> <snip>

> 1. One problem we have is that MS Exchange brings up the ISDN link every
> time an externally destined email is sent - and I don't believe it is
> possible to get Exchange to hold the outbound mail and fire it off at
> predetermined intervals.

Execute this batch file

:loop
REM Hold outbound mail: while the Internet Mail Service is stopped, nothing is sent
net stop MSExchangeIMC
REM sleep.exe is from the NT Resource Kit; the argument is seconds (15 minutes)
sleep 900
REM Restart the service so the queued mail goes out in one burst
net start MSExchangeIMC
REM Give it two minutes to drain the queue, then stop it again
sleep 120
goto loop

> This is costing us a fortune.....  We send large
> amounts of externally bound email - all quite small - but with the ISDN line
> being brought up very often, you can guess what the bill is like (5-10 sends
> per hour). When we used modems, this could be achieved because Exchange used
> RAS connections which could be limited to 'batch' dial-outs. This no longer
> is true for the router setup.

> 2. We have an ISDN modem which I daresay we could use instead of the router
> to give us limited dial-out but then we become reliant upon MS Proxy
> firewalling as we loose the router. Is MS Proxy secure enough? (Seriously
> please Linux boys and girls :-) )  And will Linux provide the internal IP
> address 'hiding' - presenting one address to the outside world? Should we
> drop a linux box in between the MS-Proxy/Exchange and the ISDN? Is this hard
> to administer/setup as a dedicated firewall.

Visit the microsoft.public.proxy NG.

> We want to set up a system with http, ftp etc. initiated dialout (MS Proxy)
> but not by email (MS Exchange) which we can fire off every couple of hours
> or so (We have a batch file which can do this in reverse in order to receive
> our mail).

> We need it to be secure (!) or should I say as secure as possible... and it
> would be cool if we could get VPN too (MS RRAS flavor) via the ISDN modem as
> the router will not handle the encapsulation properly.

> Oh and finally, the funds available are very limited, so a big
> UNIX/commercial solution is probably prohibitively costly.

> All ideas welcome.

> Ta everyone

> S

--
Questions will not be answered via e-mail.

Post by Håvard Sørl » Sat, 09 Oct 1999 04:00:00



> > <snip>

> > 1. One problem we have is that MS Exchange brings up the ISDN link every
> > time an externally destined email is sent - and I don't believe it is
> > possible to get Exchange to hold the outbound mail and fire it off at
> > predetermined intervals.

I may remember wrong, but I think there is something named "Internet Mail
Service" with a possibility to set cost on the routes for the mail. High
cost, less frequent exchange of mail.

Håvard Sørli

phone +47 94 34 34 60

Post by Steve Co » Sat, 09 Oct 1999 04:00:00


I had a look into this but it appears that 'costs' only apply to locations
with multiple routes - but as we only have the one feed to the internet,
this would have no effect. Thanks anyway.



> > > <snip>

> > > 1. One problem we have is that MS Exchange brings up the ISDN link every
> > > time an externally destined email is sent - and I don't believe it is
> > > possible to get Exchange to hold the outbound mail and fire it off at
> > > predetermined intervals.

> I may remember wrong, but I think there is something named "Internet Mail
> Service" with a possibility to set cost on the routes for the mail. High
> cost, less frequent exchange of mail.

> Håvard Sørli

> phone +47 94 34 34 60

Post by Ask M » Sat, 06 Nov 1999 04:00:00


hi

instead of sleep in an endless cmd, u could also use winat to send mail at
fixed times.

u have directly connected a DC to the internet... ok

Don't think about security, u have nearly a worst-case scenario...

the best thing is, at normal costs..

a 1605 with WIC ISDN card

one ethernet port to the productive LAN, one in a DMZ

separate it with filter lists, use IOS FW feature set.

the gateway machine should be a standalone server, not a member of the
domain; installed on the machine: a proxy and an SMTP relay

so i hope it helps u

Related post: Linux Firewalls, MS Proxy Server and MS Exchange Server

Hi all,

I will be modifying a LAN config in the near future and was looking for any
thoughts, mods, etc. for what I have in mind. Feel free to shoot it down in
flames - but do it nicely :-)

Currently, the set up is a single subnet, with a multi-homed box hosting
both MS Proxy Server and MS Exchange Server. This is linked to a
dial-on-demand ISDN router via the external network card. All very
simple....

In a few months we'll be going over to an ADSL line, fixed IP address (or
range) and I want to secure the network appropriately. We may also want to
host our own web and ftp servers at a later date.

I've been looking through the newsgroups and FAQ sites and a suitable set up
seems to be:

ADSL router
|
|
|
Linux Firewall -----------Future DMZ segment for Web and FTP servers
|
|
|
Secured LAN with MS Exchange Server and MS Proxy Server

The firewall will be providing MASQuerading for the LAN - together with
packet filtering.
Any future web and ftp servers would be implemented with a separate DMZ
network segment off of a third NIC on the firewall.

The following config is what I'm not too sure about....

In order to log web access and provide caching, we will keep the proxy
server on the internal LAN - but it will not be the firewall, just a regular
node with the linux firewall set as its gateway. Generally, all outbound
web, ftp etc access will be blocked except for the appropriate proxy server
ports and IP address. Then any MS client needing internet access will use
the proxy server via winsock etc. Any future non-MS boxes could access
through the firewall directly - having set up specific outbound rules for
their IP addresses on the firewall.

The MS Exchange server will be placed on the internal LAN - not the DMZ. The
SMTP feed will be routed through the firewall. ##### Does anyone have any
insights on setting up such a rule for IPCHAINS - can it be done when the
firewall is MASQuerading the rest of the LAN?

There would also be an internal DNS server handling cache forwarding to the
DNS servers of the ISP. This would be placed on the internal LAN.

Any suggestions, ideas, flames etc more than welcome.
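Two questions in this thread have the same answer on a 2.2-era Linux kernel: the original post asks whether a Linux box can provide the internal IP address 'hiding' (it can, with the ipchains MASQ target), and this post asks whether the inbound SMTP feed can be let through to an internal Exchange server while the firewall is masquerading the rest of the LAN (it can, with an ipmasqadm portfw entry that hands port 25 on the public address to the Exchange box). The script below is an added example, not code from anyone in the thread. The addresses, interface names and host roles (proxy, Exchange, internal DNS forwarder) are assumptions, and it assumes ipchains and the separate ipmasqadm port-forwarding tool are installed. By default it only prints the commands it would run (DRY_RUN=1), so the policy can be reviewed before it touches the kernel; run it as root with DRY_RUN=0 to apply it.

```shell
#!/bin/sh
# Added example (not from the thread): ipchains policy for a 2.2-kernel Linux
# firewall that masquerades the LAN, allows web/ftp out only from the proxy,
# lets the Exchange IMC send SMTP, and forwards the inbound SMTP feed to Exchange.
# All addresses, interface names and host roles below are assumptions.

EXT_IF=eth0               # NIC towards the ADSL/ISDN router
EXT_IP=203.0.113.10       # fixed public address (constructed, documentation range)
INT_IF=eth1               # NIC on the secured LAN
LAN=192.168.1.0/24        # internal subnet (constructed)
PROXY=192.168.1.5         # MS Proxy: the only host allowed straight out on web/ftp
EXCHANGE=192.168.1.10     # MS Exchange with the Internet Mail Service
DNS=192.168.1.2           # internal caching DNS forwarder
MASQ_PORTS=61000:65096    # 2.2 kernel's masquerade port range for returning traffic

DRY_RUN=${DRY_RUN:-1}     # 1 = print the commands, 0 = execute them (as root)

# run: echo the command in dry-run mode, otherwise execute it.
run() {
    if [ "$DRY_RUN" = 1 ]; then
        echo "$*"
    else
        "$@"
    fi
}

# build_rules: emit the whole policy, in order; default policies first so that
# nothing leaks while the chains are being filled.
build_rules() {
    run sysctl -w net.ipv4.ip_forward=1
    run ipchains -F
    run ipchains -P input DENY
    run ipchains -P output ACCEPT
    run ipchains -P forward DENY

    # Anti-spoofing: a packet claiming a LAN source must not arrive from outside.
    run ipchains -A input -i "$EXT_IF" -s "$LAN" -j DENY -l

    # The firewall itself is reachable from loopback and from the inner LAN only.
    run ipchains -A input -i lo -j ACCEPT
    run ipchains -A input -i "$INT_IF" -s "$LAN" -j ACCEPT

    # Outbound (forward chain, leaving on EXT_IF): masquerade selected hosts and
    # services only; MS clients go through the proxy, so they never match here.
    for port in 80 443 21; do
        run ipchains -A forward -i "$EXT_IF" -s "$PROXY" -p tcp --dport "$port" -j MASQ
    done
    run ipchains -A forward -i "$EXT_IF" -s "$DNS" -p udp --dport 53 -j MASQ
    run ipchains -A forward -i "$EXT_IF" -s "$EXCHANGE" -p tcp --dport 25 -j MASQ
    # Replies from Exchange to the forwarded SMTP feed (source port 25) go out too.
    run ipchains -A forward -i "$EXT_IF" -s "$EXCHANGE" 25 -p tcp ! -y -j MASQ
    # Anything else from the LAN is dropped and logged: that is where a box
    # trying to bypass the proxy shows up in the logs.
    run ipchains -A forward -s "$LAN" -j DENY -l

    # Inbound SMTP feed: accept port 25 on the public address, then port-forward
    # it to the Exchange box (ipmasqadm is the 2.2 port-forwarding tool).
    run ipchains -A input -i "$EXT_IF" -p tcp -d "$EXT_IP" 25 -j ACCEPT
    run ipmasqadm portfw -f
    run ipmasqadm portfw -a -P tcp -L "$EXT_IP" 25 -R "$EXCHANGE" 25

    # Returning masqueraded traffic lands on the masquerade port range; accept
    # it, but refuse fresh TCP connections (SYN without ACK) into that range.
    run ipchains -A input -i "$EXT_IF" -p tcp -d "$EXT_IP" "$MASQ_PORTS" ! -y -j ACCEPT
    run ipchains -A input -i "$EXT_IF" -p udp -d "$EXT_IP" "$MASQ_PORTS" -j ACCEPT
    # Everything else arriving from outside is dropped and logged.
    run ipchains -A input -i "$EXT_IF" -j DENY -l
}

build_rules
```

The design choice worth noting is that the LAN as a whole is never masqueraded: only the proxy, the Exchange box and the DNS forwarder get MASQ rules, each for the ports its role needs, and every other LAN source hitting the forward chain is denied and logged. That keeps the "everything goes through the proxy" policy enforceable on the firewall rather than relying on client configuration, and the log lines from the final DENY rules are the first place to look when a machine is talking to the outside on a path it should not have.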
