Exchange 2000 on PIX firewall DMZ - what

By ISCMRO1
I'm having a lot of fun configuring Exchange 2000 and a PIX firewall. There seems to be no end to the ports it wants open. I'm trying to put the Exchange server on the DMZ port of the PIX, and have already opened the following ports:
53 both tcp and udp
88 both
135 tcp
139 tcp
137 udp
138 udp
123 tcp
389 both
445 tcp
1025 both
3268 tcp

The Ex2k server was set up on the inside network. Now that I've relocated Ex2k to the DMZ, it can't connect to the directory without me opening all ports from DMZ to inside. I've run a syslog from the PIX, and for every additional port I open an additional block occurs - usually a udp in the above-1024 range. I followed KB article Q280132 (the suggested ports are included above, as was the registry entry for NTDS to set it to 1025). Inbound directory queries fail. Looks like there would be a registry key to set on the inbound Ex2k server.

Any suggestions are appreciated.
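The port-by-port chase described above (open one port, re-read the PIX syslog, find the next deny) is easier to reason about if the deny lines are tallied rather than read one at a time. The following is an added example, not code from the thread or from Cisco: it parses PIX "106023 Deny ... by access-group" lines, counts which DMZ-to-inside destination ports are being denied, and sorts them into three buckets: ports that are already in the opened list yet still denied (which points at access-list ordering rather than a missing port), high ports above 1023 (the dynamic RPC endpoints that the Q280132 static-port registry setting is meant to pin to one number), and remaining well-known ports. The sample syslog lines, addresses, interface names and access-group names are constructed; the message layout is assumed to match the PIX 106023 format.

```python
import re
from collections import Counter

# Constructed sample PIX syslog lines (not from the original thread). The
# layout follows the PIX "106023 Deny ... by access-group" message; the
# addresses, interface names and access-group names are made up.
SAMPLE_SYSLOG = """\
%PIX-4-106023: Deny udp src dmz:192.168.10.5/1043 dst inside:10.0.0.10/1027 by access-group "dmz_in"
%PIX-4-106023: Deny udp src dmz:192.168.10.5/1044 dst inside:10.0.0.10/1027 by access-group "dmz_in"
%PIX-4-106023: Deny tcp src dmz:192.168.10.5/1045 dst inside:10.0.0.10/1026 by access-group "dmz_in"
%PIX-4-106023: Deny tcp src dmz:192.168.10.5/1046 dst inside:10.0.0.10/389 by access-group "dmz_in"
%PIX-4-106023: Deny tcp src outside:203.0.113.9/40211 dst dmz:192.168.10.5/25 by access-group "outside_in"
%PIX-4-106023: Deny tcp src dmz:192.168.10.5/1047 dst inside:10.0.0.10/1026 by access-group "dmz_in"
"""

# Ports the original poster says are already opened from DMZ to inside.
ALREADY_OPEN = {
    ("tcp", 53), ("udp", 53), ("tcp", 88), ("udp", 88), ("tcp", 135),
    ("tcp", 139), ("udp", 137), ("udp", 138), ("tcp", 123), ("tcp", 389),
    ("udp", 389), ("tcp", 445), ("tcp", 1025), ("udp", 1025), ("tcp", 3268),
}

# Assumed field layout of a PIX deny line: proto, src iface:ip/port, dst iface:ip/port.
DENY_RE = re.compile(
    r"Deny (?P<proto>tcp|udp) "
    r"src (?P<src_if>\w+):(?P<src_ip>[\d.]+)/(?P<src_port>\d+) "
    r"dst (?P<dst_if>\w+):(?P<dst_ip>[\d.]+)/(?P<dst_port>\d+)"
)


def parse_denies(syslog_text):
    """Yield one dict per PIX deny line; lines that do not match are skipped."""
    for line in syslog_text.splitlines():
        m = DENY_RE.search(line)
        if m:
            d = m.groupdict()
            d["src_port"] = int(d["src_port"])
            d["dst_port"] = int(d["dst_port"])
            yield d


def is_ephemeral(port):
    """True for the dynamic range (>1023) that NT RPC endpoints land in by default."""
    return port > 1023


def blocked_summary(syslog_text, src_if="dmz", dst_if="inside"):
    """Count denied (proto, dst_port) pairs for flows from src_if to dst_if only."""
    counts = Counter()
    for d in parse_denies(syslog_text):
        if d["src_if"] == src_if and d["dst_if"] == dst_if:
            counts[(d["proto"], d["dst_port"])] += 1
    return counts


def classify(summary, already_open=ALREADY_OPEN):
    """Sort denied ports into buckets that call for different fixes.

    rule_order  - port is already opened but still denied: check access-list order
    dynamic_rpc - high port chosen at runtime: pin it with the Q280132 static port
    fixed       - well-known port not yet opened
    """
    report = {"rule_order": [], "dynamic_rpc": [], "fixed": []}
    for (proto, port), n in sorted(summary.items()):
        if (proto, port) in already_open:
            report["rule_order"].append((proto, port, n))
        elif is_ephemeral(port):
            report["dynamic_rpc"].append((proto, port, n))
        else:
            report["fixed"].append((proto, port, n))
    return report


if __name__ == "__main__":
    summary = blocked_summary(SAMPLE_SYSLOG)
    for bucket, entries in classify(summary).items():
        print(bucket)
        for proto, port, n in entries:
            print(f"  {proto}/{port}: denied {n} time(s)")
```

Run against a real export, the "dynamic_rpc" bucket is the list to stop chasing: each of those ports moves on the next reboot, which is why the thread's answers steer toward fixing the RPC port in the registry and opening only that one number, rather than opening a range. A non-empty "rule_order" bucket means the denies are not about missing ports at all.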

This conversation is currently closed to new comments.


by 4U21DER In reply to Exchange 2000 on PIX fire ...

Try adding 1026 as another port for the NTDS. I think it will use either one of those ports, and I am not sure how that selection is made.

Hope my little tidbit helps.

Good Luck!


by Shanghai Sam In reply to Exchange 2000 on PIX fire ...

Do I add the same value with a different port? In other words, I already have a value named "TCP/IP Port" within the key stated in Q280132 - so I would have same key name with two different values. Is that correct?


by Some Guy in Seattle In reply to Exchange 2000 on PIX fire ...

You have the basic documentation with Microsoft KB Q280132. I have not set this up with PIX, only with Checkpoint, but basically the exchange server needs two static ports set up in the registry, and these two ports need to be enabled through the PIX. It is recommended to *not* have these two ports be ports immediately above 1023 since Microsoft machines tend to pick those as source ports for whatever other activity they are doing. Try some unused ports in the 15000 range or so (or some other high port that won't conflict with the software already on the machine). That should fix any conflicts that may occur by using the lower numbers.

Hope that helps,


by Shanghai Sam In reply to Exchange 2000 on PIX fire ...

I've tried the high ports on the Domain Controller in the NTDS key. Are the value names the same (with different values)? Are there additional keys in the Ex2k server's registry I need to modify? Please post - I think I am close!


by dave In reply to Exchange 2000 on PIX fire ...

Try this "(config)#" command:

established tcp 135 permitto tcp 1024-65535
or
established tcp 135 permitto udp 1024-65535

This should allow high ports that port 135 wants to establish to be set up as needed.


by Shanghai Sam In reply to Exchange 2000 on PIX fire ...

Sorry - I had been told this by Cisco but it didn't resolve the issue.


by ISCMRO1 In reply to Exchange 2000 on PIX fire ...

This question was closed by the author
