Configuration for MS Domain Controller Inside, Exchange On DMZ, Pix 515E

Has anyone ever successfully configured an MS Exchange Server 2003 on the DMZ to replicate to a Domain Controller on the inside network through a Cisco PIX 515E firewall? I can get the Domain Controller to communicate with the Exchange server and see it across the firewall, but the Exchange server cannot see the Domain Controller because of the current settings. I have also successfully configured the Exchange server and Domain Controller to operate on the inside, but they will not replicate once the Exchange server is moved to the DMZ. Does anyone have any knowledge of the correct configuration required, or can anyone point me in the right direction? Any help gladly accepted; thanks in advance.

dbellaze
Level 4

I believe you just need to open up the right ports from the DMZ to the DC on the internal network.

I think MS uses TCP port 445 for replication in 2003.

Here's an example of what is needed to get a DMZ host to talk to an internal host, assuming the inside is using the class A 10.0.0.0 network and the DMZ is using the class C 192.168.1.0 network.

1) Static for the internal host to the DMZ (high-security to low-security translation). This translation preserves the internal host's IP.

static (inside,dmz) 10.1.1.1 10.1.1.1 netmask 255.255.255.255

2) Create an ACL to permit the DMZ host to reach the internal DC.

access-list dmz_acl permit tcp host 192.168.1.2 host 10.1.1.1 eq 445

3) Apply the ACL to the DMZ interface.

access-g dmz_acl in int dmz

If this doesn't solve the replication problem you could do some more searching for the correct ports, or you can change the DMZ ACL to...

access-l dmz_acl permit ip host 192.168.1.2 host 10.1.1.1

While replication is occurring you can issue the following command.

show conn | grep (exchange_IP)

This will show you the ports and protocols the servers are using to replicate. This will help nail down the information so you can just permit these ports/protocols in your ACL.

Daniel
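The tightening step the reply describes (temporarily permit ip, watch "show conn" while replication runs, then permit only what was actually used) as an added example; this is not code from the original post or from Cisco. It assumes PIX 6.x-style "show conn" lines and uses a constructed sample; the DC and Exchange addresses are the ones from the reply.

```python
import re

# Constructed sample of "show conn" output in the style of PIX 6.x. The field
# layout differs between PIX/ASA releases, so adjust CONN_RE for your version.
SAMPLE_SHOW_CONN = """\
TCP out 10.1.1.1:445 in 192.168.1.2:1041 idle 0:00:02 Bytes 58231 flags UIO
TCP out 10.1.1.1:389 in 192.168.1.2:1042 idle 0:00:01 Bytes 9120 flags UIO
TCP out 10.1.1.1:88 in 192.168.1.2:1043 idle 0:00:07 Bytes 4410 flags UIO
UDP out 10.1.1.1:53 in 192.168.1.2:1044 idle 0:00:03 Bytes 312 flags -
TCP out 10.1.1.1:445 in 192.168.1.2:1045 idle 0:00:00 Bytes 1020 flags UIO
TCP out 10.1.1.1:3268 in 192.168.1.2:1046 idle 0:00:04 Bytes 7781 flags UIO
"""

# protocol, then two "<interface-word> ip:port" pairs; the rest is ignored
CONN_RE = re.compile(
    r"^(?P<proto>TCP|UDP)\s+\S+\s+(?P<ip_a>[\d.]+):(?P<port_a>\d+)"
    r"\s+\S+\s+(?P<ip_b>[\d.]+):(?P<port_b>\d+)"
)


def observed_services(show_conn_text, dc_ip):
    """Return the set of (proto, port) pairs seen on the DC side of each connection.

    The port on the DC end is the service port; the port on the other end is
    the Exchange server's ephemeral source port and is not worth permitting.
    """
    services = set()
    for line in show_conn_text.splitlines():
        m = CONN_RE.match(line.strip())
        if not m:
            continue
        if m["ip_a"] == dc_ip:
            services.add((m["proto"].lower(), int(m["port_a"])))
        elif m["ip_b"] == dc_ip:
            services.add((m["proto"].lower(), int(m["port_b"])))
    return services


def build_acl(acl_name, dmz_host, dc_ip, services):
    """Emit one PIX permit line per observed service, to replace 'permit ip'.

    Anything not listed falls through to the interface ACL's implicit deny.
    """
    return [
        f"access-list {acl_name} permit {proto} host {dmz_host} host {dc_ip} eq {port}"
        for proto, port in sorted(services)
    ]


if __name__ == "__main__":
    seen = observed_services(SAMPLE_SHOW_CONN, "10.1.1.1")
    print("\n".join(build_acl("dmz_acl", "192.168.1.2", "10.1.1.1", seen)))
```

Run it against a real capture taken while replication is in progress (several passes, since not every service is touched on every cycle), then swap the resulting lines in for the broad "permit ip" entry.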
