
Windows 2000 Authentication through Pix

rainier
Level 1

We are trying to put an OWA Server for Exchange 2000 in the DMZ. We cannot log on to the domain when we have the server in the DMZ. What ports need to be opened, or what other configuration needs to be done, to get authentication to work through the PIX?

Thanks!

Mike

6 Replies

a-vazquez
Level 6

Configure to open all NetBIOS ports as outlined here: http://www.cisco.com/warp/customer/110/pixfaq.shtml#Q21 For testing you can conduit permit ip any any to verify connectivity and then narrow that down to the specific ports & protocols in the FAQ. The syslog in debugging mode is the window into the PIX's mind that tells you all.

henrik.aslund
Level 1

You can get a range of tips from Microsoft's whitepaper "Exchange 2000 Front-end and Back-end topology". They have examples of Exchange in a DMZ and what ports need to be open (quite a few..).

Whitepaper:

http://www.microsoft.com/exchange/techinfo/deployment/2000/E2KFrontBack.asp

Regards Henrik

gtfree
Level 1

I wouldn't suggest allowing domain logins from a lower security interface to the inside. There are known vulnerabilities with ports 137 and 139, which are used by the feared SUB-7 trojan which would compromise the internal LAN.

Use AAA with Cisco ACS and then you only have to allow port tcp-49 to connect via TACACS to the ACS server on the inside and have ACS use the PDC for authenticating the Exchange server's login.

Just thought that would be safer...

Gary Freeman

Network Analyst II

Rogers Communication Inc.

I agree; use AAA and configure IIS TACACS service to control logins. Much more secure.

it works

I am working on the same issue. But how can you configure an NT server in the DMZ to use TACACS and do a PDC login? Can you explain the whole thing in detail?