https://community.cisco.com/t5/network-access-control/windows-2000-authentication-through-pix/m-p/7481#M7255 <HTML><HEAD></HEAD><BODY><P>Configure to open all netbios ports as outlined here: <A class="jive-link-custom" href="http://www.cisco.com/warp/customer/110/pixfaq.shtml#Q21" target="_blank">http://www.cisco.com/warp/customer/110/pixfaq.shtml#Q21</A> For testing you can conduit permit ip any any to verify connectivity and then remove that narrow that down to the specific ports &amp; protocols in the FAQ. The syslog in debugging mode is the window into the PIX&#146;s mind that tells you all. </P></BODY></HTML> Tue, 05 Jun 2001 19:17:14 GMT a-vazquez 2001-06-05T19:17:14Z https://community.cisco.com/t5/network-access-control/windows-2000-authentication-through-pix/m-p/7480#M7254 <P>We are trying to put an OWA Server for Exchange 2000 in the DMZ. We cannot logon to the domain when we have the server in the DMZ. What ports need to be opened or other configuration needs to be done to get authentication to work through the Pix.</P><P></P><P>Thanks!</P><P>Mike</P> Sat, 22 Feb 2020 06:29:39 GMT https://community.cisco.com/t5/network-access-control/windows-2000-authentication-through-pix/m-p/7480#M7254 rainier 2020-02-22T06:29:39Z https://community.cisco.com/t5/network-access-control/windows-2000-authentication-through-pix/m-p/7481#M7255 <HTML><HEAD></HEAD><BODY><P>Configure to open all netbios ports as outlined here: <A class="jive-link-custom" href="http://www.cisco.com/warp/customer/110/pixfaq.shtml#Q21" target="_blank">http://www.cisco.com/warp/customer/110/pixfaq.shtml#Q21</A> For testing you can conduit permit ip any any to verify connectivity and then remove that narrow that down to the specific ports &amp; protocols in the FAQ. The syslog in debugging mode is the window into the PIX&#146;s mind that tells you all. </P></BODY></HTML> Tue, 05 Jun 2001 19:17:14 GMT https://community.cisco.com/t5/network-access-control/windows-2000-authentication-through-pix/m-p/7481#M7255 a-vazquez 2001-06-05T19:17:14Z https://community.cisco.com/t5/network-access-control/windows-2000-authentication-through-pix/m-p/7482#M7258 <HTML><HEAD></HEAD><BODY><P>You can get a range of tips from Microsofts whitpaper "Exchange 2000 Front-end and Back-end topology". They have examples of exchange in a DMZ and what ports needed to be open (quite a few..).</P><P></P><P>Whitepaper:</P><P><A class="jive-link-custom" href="http://www.microsoft.com/exchange/techinfo/deployment/2000/E2KFrontBack.asp" target="_blank">http://www.microsoft.com/exchange/techinfo/deployment/2000/E2KFrontBack.asp</A></P><P></P><P>Regards Henrik</P></BODY></HTML> Wed, 13 Jun 2001 13:38:41 GMT https://community.cisco.com/t5/network-access-control/windows-2000-authentication-through-pix/m-p/7482#M7258 henrik.aslund 2001-06-13T13:38:41Z https://community.cisco.com/t5/network-access-control/windows-2000-authentication-through-pix/m-p/7483#M7261 <HTML><HEAD></HEAD><BODY><P>I wouldn't suggest allowing domain login's from a lower security interface to the inside. There are known vulnerabilities with ports 137 and 139, which are used by the feared SUB-7 trojan which would compromise the internal LAN.</P><P></P><P>Use AAA with Cisco ACS and then you only have to allow port tcp-49 to connect via tacacs to the ACS server on the inside and have ACS use the PDC for authenticating the exchange server's login.</P><P></P><P>Just thought that would be safer...</P><P></P><P>Gary Freeman</P><P>Network Analyst II</P><P>Rogers Communication Inc.</P><P></P></BODY></HTML> Sun, 17 Jun 2001 02:39:24 GMT https://community.cisco.com/t5/network-access-control/windows-2000-authentication-through-pix/m-p/7483#M7261 gtfree 2001-06-17T02:39:24Z https://community.cisco.com/t5/network-access-control/windows-2000-authentication-through-pix/m-p/7484#M7263 <HTML><HEAD></HEAD><BODY><P>I agree use AAA and configure IIS TacAcs service to control logins. Much more secure</P></BODY></HTML> Tue, 31 Jul 2001 13:58:31 GMT https://community.cisco.com/t5/network-access-control/windows-2000-authentication-through-pix/m-p/7484#M7263 zharling 2001-07-31T13:58:31Z https://community.cisco.com/t5/network-access-control/windows-2000-authentication-through-pix/m-p/7485#M7264 <HTML><HEAD></HEAD><BODY><P>it works</P></BODY></HTML> Wed, 14 Nov 2001 19:36:09 GMT https://community.cisco.com/t5/network-access-control/windows-2000-authentication-through-pix/m-p/7485#M7264 ssyed 2001-11-14T19:36:09Z https://community.cisco.com/t5/network-access-control/windows-2000-authentication-through-pix/m-p/7486#M7265 <HTML><HEAD></HEAD><BODY><P>I am working on same issue. But how can you configure a NT server in DMZ to use TACCA and do a PDC login. Can you explain the whole thing in detail.</P></BODY></HTML> Wed, 14 Nov 2001 20:11:01 GMT https://community.cisco.com/t5/network-access-control/windows-2000-authentication-through-pix/m-p/7486#M7265 ssyed 2001-11-14T20:11:01Z