W
Walter Roberson
:On 23 Dec 2003 16:02:22 GMT, Walter Roberson spoketh
:>Now, not having control over the corporate Exchange servers, how
:>can I configure the client to stop the server from remembering the
:>ip + port (both of which could have been dynamically allocated) --
:>or how can I *reasonably* configure a stateful firewall to
:>recognize this situation and make the appropriate back-connection
:>even if the public IP has been long ago reallocated?
:Simple: A client should never connect to Exchange through a firewall. If
:external users needs to connect to Exchange, use VPN.
My firewalls are also VPN devices, and do exactly the same kind of
adaptive security on connections over IPSec tunnels as is done
for non-tunneled connections. Also, using a VPN would not solve
the issue that the public IP address might have changed.
If I understand correctly, you are suggesting that the way to
"secure" this MS product is to construct a LAN to LAN VPN that
presents internal IP addresses to both sides, and which deliberately
has adaptive security disabled for the tunnel, allowing -all-
connections through the tunnel ? Doesn't sound very secure to me.
(No, I don't particularily trust the corporate Exchange servers.)
Or are you suggesting that rather than a LAN to LAN VPN, that I should
be installing VPN client software on each of the user machines and have
that connect through to the server? This possibility would not
offer any relief to the issue that the Exchange (pre-AD) server wants
to be able to connect back to the client at arbitrary times
several days later -- not, that is, unless the clients are to be
expected to maintain permanent host->server VPN connections just
in case the Exchange server wants to chat.
:>Now, not having control over the corporate Exchange servers, how
:>can I configure the client to stop the server from remembering the
:>ip + port (both of which could have been dynamically allocated) --
:>or how can I *reasonably* configure a stateful firewall to
:>recognize this situation and make the appropriate back-connection
:>even if the public IP has been long ago reallocated?
:Simple: A client should never connect to Exchange through a firewall. If
:external users needs to connect to Exchange, use VPN.
My firewalls are also VPN devices, and do exactly the same kind of
adaptive security on connections over IPSec tunnels as is done
for non-tunneled connections. Also, using a VPN would not solve
the issue that the public IP address might have changed.
If I understand correctly, you are suggesting that the way to
"secure" this MS product is to construct a LAN to LAN VPN that
presents internal IP addresses to both sides, and which deliberately
has adaptive security disabled for the tunnel, allowing -all-
connections through the tunnel ? Doesn't sound very secure to me.
(No, I don't particularily trust the corporate Exchange servers.)
Or are you suggesting that rather than a LAN to LAN VPN, that I should
be installing VPN client software on each of the user machines and have
that connect through to the server? This possibility would not
offer any relief to the issue that the Exchange (pre-AD) server wants
to be able to connect back to the client at arbitrary times
several days later -- not, that is, unless the clients are to be
expected to maintain permanent host->server VPN connections just
in case the Exchange server wants to chat.