Cisco Support Community
Windows 2000 Authentication through Pix

We are trying to put an OWA server for Exchange 2000 in the DMZ. We cannot log on to the domain when we have the server in the DMZ. What ports need to be opened, or what other configuration needs to be done, to get authentication to work through the PIX?

Thanks!

Mike

6 REPLIES
Re: Windows 2000 Authentication through Pix

Configure the PIX to open all NetBIOS ports as outlined here: http://www.cisco.com/warp/customer/110/pixfaq.shtml#Q21 For testing you can "conduit permit ip any any" to verify connectivity, then remove that and narrow it down to the specific ports and protocols in the FAQ. Syslog in debugging mode is the window into the PIX's mind that tells you all.
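
As an added example (not from the original thread or the linked FAQ), here is what the test-then-narrow procedure described above looks like as PIX 6.x configuration. It assumes an Exchange 2000 front-end at 10.1.2.10 on the "dmz" interface, a Windows 2000 domain controller that is also the DNS server at 10.1.1.5 on the inside, a syslog host at 10.1.1.20, and the access-list name "dmz_in"; all of those are made up for illustration. The lines beginning with "!" are annotation, not PIX commands. The port list is the standard Windows 2000 domain-member set (DNS, Kerberos, NTP, RPC, NetBIOS, LDAP, SMB, kpasswd, global catalog) rather than only the NetBIOS ports the FAQ covers:

```text
! --- Phase 1: prove connectivity with the wide-open rule, and turn on logging ---
logging on
logging trap debugging
logging host inside 10.1.1.20
! the DC must be reachable from the lower-security dmz interface
static (inside,dmz) 10.1.1.5 10.1.1.5 netmask 255.255.255.255
conduit permit ip any any
! Join the domain / log on from the DMZ host, note the connections that get
! built in "show logging" or on the syslog host, then remove the conduit:
no conduit permit ip any any

! --- Phase 2: permit only the domain-member traffic, front-end -> DC ---
! Numeric ports on purpose: the PIX keyword "kerberos" means port 750, not 88.
! DNS (DC locator SRV lookups)
access-list dmz_in permit udp host 10.1.2.10 host 10.1.1.5 eq 53
access-list dmz_in permit tcp host 10.1.2.10 host 10.1.1.5 eq 53
! Kerberos (UDP first, TCP when tickets are large)
access-list dmz_in permit udp host 10.1.2.10 host 10.1.1.5 eq 88
access-list dmz_in permit tcp host 10.1.2.10 host 10.1.1.5 eq 88
! NTP (Kerberos fails if clocks drift)
access-list dmz_in permit udp host 10.1.2.10 host 10.1.1.5 eq 123
! RPC endpoint mapper
access-list dmz_in permit tcp host 10.1.2.10 host 10.1.1.5 eq 135
! NetBIOS name, datagram and session
access-list dmz_in permit udp host 10.1.2.10 host 10.1.1.5 eq 137
access-list dmz_in permit udp host 10.1.2.10 host 10.1.1.5 eq 138
access-list dmz_in permit tcp host 10.1.2.10 host 10.1.1.5 eq 139
! LDAP
access-list dmz_in permit tcp host 10.1.2.10 host 10.1.1.5 eq 389
access-list dmz_in permit udp host 10.1.2.10 host 10.1.1.5 eq 389
! SMB over TCP
access-list dmz_in permit tcp host 10.1.2.10 host 10.1.1.5 eq 445
! Kerberos password change
access-list dmz_in permit tcp host 10.1.2.10 host 10.1.1.5 eq 464
access-list dmz_in permit udp host 10.1.2.10 host 10.1.1.5 eq 464
! Global catalog (Exchange needs it for address lookups)
access-list dmz_in permit tcp host 10.1.2.10 host 10.1.1.5 eq 3268
! The Netlogon secure-channel RPC call normally lands on a random high port.
! Pin it on the DC with Microsoft's documented DCTcpipPort DWORD under
! HKLM\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters; 5000 is an
! assumed value here, so you never have to open the whole 1024-65535 range.
access-list dmz_in permit tcp host 10.1.2.10 host 10.1.1.5 eq 5000
! Everything else from the DMZ to the inside hits the implicit deny and,
! at the debugging level set above, shows up in syslog.
access-group dmz_in in interface dmz
```

Two practical checks: after applying the access-group, log on from the front-end again and confirm no further deny messages from 10.1.2.10 appear in the syslog; if something is still missing, the denied destination port in that message is the one to add. Note that every line above is host-to-host, so a compromise of the DMZ server still only reaches the DC, on these ports, which is the residual exposure the later reply in this thread objects to.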

Re: Windows 2000 Authentication through Pix

You can get a range of tips from Microsoft's whitepaper "Exchange 2000 Front-end and Back-end Topology". They have examples of Exchange in a DMZ and which ports need to be open (quite a few...).

Whitepaper:

http://www.microsoft.com/exchange/techinfo/deployment/2000/E2KFrontBack.asp

Regards, Henrik

Re: Windows 2000 Authentication through Pix

I wouldn't suggest allowing domain logins from a lower-security interface to the inside. There are known vulnerabilities with ports 137 and 139, which are used by the feared SUB-7 trojan, which would compromise the internal LAN.

Use AAA with Cisco ACS; then you only have to allow TCP port 49 to connect via TACACS to the ACS server on the inside, and have ACS use the PDC for authenticating the Exchange server's login.

Just thought that would be safer...

Gary Freeman

Network Analyst II

Rogers Communication Inc.

Re: Windows 2000 Authentication through Pix

I agree: use AAA and configure the IIS TACACS service to control logins. Much more secure.

Re: Windows 2000 Authentication through Pix

It works.

Re: Windows 2000 Authentication through Pix

I am working on the same issue. But how can you configure an NT server in the DMZ to use TACACS and do a PDC login? Can you explain the whole thing in detail?
