H/W firewall after MS Proxy & Exchange

Post by b.. » Sat, 03 Feb 2001 22:54:37



We use MS Proxy server 2 to connect to the Internet.  We have incoming
SMTP and HTTPS.

Can I add a hardware firewall (such as 3com OfficeConnect Internet
Firewall) in between the Proxy Server and the Internet?

If so, how do I configure it? i.e. LAN is 10.x.x.x; Proxy server is
123.123.123.2 (true internet address).  (router is 123.123.123.1)

Do I give the Firewall a private address of 123.123.123.3 and public
address of 123.123.123.4 ?

How do I configure my email server?  Currently myemail.myco.com points
to my proxy server, and Exchange internally is bound to SMTP on the
proxy.  Does this stay the same?

Any advice & thoughts welcome!

Thanks

BP

PS - had external security audit try and hack MSP2 configured in this
way, and they could not get in - it's a start!  (packet filtering on,
and configured tighter than - erm - my wallet).

Post by KM » Sat, 03 Feb 2001 23:32:03


You should be able to pull this off.  Your addressing will look something
like the example below.  The 123.123.123.2 address that answers for your
mail will now be moved forward to the firewall's public interface.  Your
public firewall interface is instructed to pass ports 80, 25, etc. to
192.168.1.2/30 via 192.168.1.1/30.  Your exchange still binds to Proxy via
your .ini file, so nothing on the Proxy has to change except for the public
NIC address (and security configs that you may have in mind, obviously).

ROUTER
Serial: x.x.x.x
Ethernet: 123.123.123.1

FIREWALL
Public: 123.123.123.2
Private: 192.168.1.1/30

PROXY
Public: 192.168.1.2/30
Private: 10.x.x.x

Keith


Post by KM » Sat, 03 Feb 2001 23:34:22


Sorry, I incorrectly stated the subnet bits on the /30 between the firewall
and proxy.  The class used is 192.168.1.0/30, and .1 and .2 are the valid
addresses in this block.  Apologies...

Keith
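
The addressing and forwarding plan from the two posts above, checked with Python's `ipaddress` module. This is an added example, not part of the thread; the /8 mask on the 10.x.x.x LAN, the function names, and the rule that every forward must end at the proxy's outer NIC are assumptions drawn from the layout.

```python
import ipaddress

def check_link(side_a, side_b):
    """Problems with a two-host link, given each end as 'address/prefix'."""
    a, b = ipaddress.ip_interface(side_a), ipaddress.ip_interface(side_b)
    problems = []
    if a.network != b.network:
        problems.append(f"{a} and {b} are in different subnets")
    for iface in (a, b):
        net = iface.network
        # In a /30 only the two middle addresses are usable by hosts.
        if iface.ip in (net.network_address, net.broadcast_address):
            problems.append(f"{iface.ip} is not a host address in {net}")
    if a.ip == b.ip:
        problems.append(f"both ends use {a.ip}")
    return problems

def check_forwards(forwards, fw_inside, lan):
    """Every forwarded port must end at the far side of the transit link."""
    transit = ipaddress.ip_interface(fw_inside)
    lan_net = ipaddress.ip_network(lan)
    # Usable addresses on the transit link, minus the firewall's own.
    far_ends = set(transit.network.hosts()) - {transit.ip}
    problems = []
    for port, target in forwards:
        ip = ipaddress.ip_address(target)
        if ip in lan_net:
            problems.append(f"port {port} -> {ip} bypasses the proxy into the LAN")
        elif ip not in far_ends:
            problems.append(f"port {port} -> {ip} is not the proxy end of {transit.network}")
    return problems

# Values from the thread; the /8 on the LAN is an assumption ("10.x.x.x").
FW_INSIDE, PROXY_OUTSIDE, LAN = "192.168.1.1/30", "192.168.1.2/30", "10.0.0.0/8"
FORWARDS = [(25, "192.168.1.2"), (80, "192.168.1.2")]
# Constructed mistakes, for contrast with the plan above.
BAD_PROXY_OUTSIDE = "192.168.1.4/30"
BAD_FORWARDS = [(25, "10.1.1.5"), (80, "192.168.1.1")]

if __name__ == "__main__":
    for label, result in [
        ("transit link", check_link(FW_INSIDE, PROXY_OUTSIDE)),
        ("bad transit link", check_link(FW_INSIDE, BAD_PROXY_OUTSIDE)),
        ("forwards", check_forwards(FORWARDS, FW_INSIDE, LAN)),
        ("bad forwards", check_forwards(BAD_FORWARDS, FW_INSIDE, LAN)),
    ]:
        print(label, "->", result or "ok")
```
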


Post by Michael Scheidel » Sat, 03 Feb 2001 23:20:58



> We use MS Proxy server 2 to connect to the Internet.  We have incoming
> SMTP and HTTPS.

you could totally eliminate the proxy server, unless there is a compelling
reason for keeping it.
there are so many different firewalls out there, some do what your proxy
server did (depending on what that was)

did you do it to log accesses?  content filtering? or was that your way to
allow outside access to the net, while hiding the internal network

It all really depends on what you were trying to do, but I would suggest
that if you eliminate the proxy server (use that machine for something else)
you could increase your performance and security

--
Michael Scheidell
Florida Datamation, Inc.

Internet Security and Consulting
See updated IT Security News at http://www.fdma.com

 
 
 

Post by b.. » Sun, 04 Feb 2001 01:36:10


Want a double firewall approach...  Also, if we keep proxy, the h/w
firewall is cheaper!!

Proxy logs to SQL Server via ODBC and also filters websites & runs
OWA.  Also, it's on a PII 233 w 256Mb RAM.  Pretty quick and pretty idle
for 50-60 users on the entire company n/w.




Post by Michael Scheidel » Sun, 04 Feb 2001 02:03:17



> Want a double firewall approach...  Also, if we keep proxy, the h/w
> firewall is cheaper!!

yes, the 'filters websites' and OWA would be one reason to continue to use
the proxy server.

hmmm how about a firewall with automatic forwarding TO your proxy server
(leave the proxy server in the DMZ, isolated from the world, with a small
'hole' to send sql data back, prevents too much damage if hackers get to the
proxy server (take it OUT of the office NT DOMAIN, so sql can't use
'trusted' connection))

or if you have less than 255 web sites to block, you could still eliminate
the proxy and buy a fw that didn't have the DMZ.  the one I am thinking
about does NAT, one has DMZ, one doesn't, room for 255 line items in filter,
has options *NOT subscription (it's ok, but *not is targeted towards
schools and libraries, not businesses) can do thousands of concurrent
connections, etc.

--
Michael Scheidell
Florida Datamation, Inc.

Internet Security and Consulting
See updated IT Security News at http://www.veryComputer.com/

 
 
 

Post by Nick Le » Tue, 06 Feb 2001 17:19:27


After I install my MS Proxy, all incoming HTTPS needs a password, why?
 
 
 
