Comments on: Why does Microsoft not respect my firewall?

By: George Ou

George Ou — Mon, 02 Mar 2009 17:25:43 +0000

Sorry, you’re right Justin. Basically, MS is pushing us towards a reverse proxy architecture, preferably MS ISA server as far as MS is concerned.

By: jmjames

jmjames — Mon, 02 Mar 2009 15:52:37 +0000

As we discussed on IM, I wish this was the case. In their recent crop of products, it does not matter how many boxes you have, certain components *must* be located in the LAN and exposed over port 443. In fact, with Exchange 2007, you *cannot* put the "Edge Server" role on a box with any other Exchange roles installed! With OCS 2007 R2, the Web-based Communicator (Communicator Web Access) *must* be located in the LAN… and it must *not* be on the same box with the rest of the components, either! I am telling you, if there is a way to do it, it is not documented or supported.

J.Ja

By: George Ou

George Ou — Mon, 02 Mar 2009 15:19:51 +0000

You can build a dedicated Exchange gateway in the DMZ and I am pretty sure you can do the same thing for OCS. You don’t need to open directly in to your internal network.

This is not a Microsoft problem and every Internet-enabled software in the world requires some kind of port to be open which is almost always port 443 and 80. Because you built an all-in-one box, you have no DMZ box and you’re forced to bypass the DMZ.

By: dietrich

dietrich — Thu, 26 Feb 2009 15:52:45 +0000

I see. Well, that explains your purpose.
Sorry. I misunderstood the application.

Color me ‘clueless’.

By: jmjames

jmjames — Thu, 26 Feb 2009 15:06:13 +0000

Dietrich -

VPN is *not* the answer at all. These are services that customers and clients use, I really can’t put them through the effort of configuring a VPN for a 30 minute screenshare, and most of them have IT departments that won’t let it happen. In terms of the on the wire security, the Microsoft situation is good about that, because it all uses SSL anyways. The security concern is that I have untrusted users directly accessing machines within my LAN, regardless of encryption. It’s like sticking a Web server or FTP server in your LAN, you’d never do it.

J.Ja

By: Marc Klink

Marc Klink — Thu, 26 Feb 2009 15:03:46 +0000

I know some will dismiss this as offhandedly smart-assed, but really, isn’t it simply because Microsoft doesn’t respect you? (or any of its customers)

I’ve always found that Microsoft always works from a standpoint that, they alone, know what’s best for your computer.

By: dietrich

dietrich — Thu, 26 Feb 2009 12:13:49 +0000

VPN *is* the solution–it just requires some extra work. Every app gets its port(s) unfettered and just *one* ssl udp port is exposed to the world.

By: jmjames

jmjames — Thu, 26 Feb 2009 02:43:55 +0000

VPN is not the solution. The whole *point* of this software is to allow people access to the service with zero install/configuration.

J.Ja

By: dietrich

dietrich — Thu, 26 Feb 2009 00:26:55 +0000

J.Ja,

Have you messed around with setting up OpenVPN?–a pc running Linux in the DMZ and OpenVPN server would work; or you could move it behind the Firewall because OpenVPN has no trouble with NAT Firewall issues and OpenSSL cert keys on UDP port 1194 is bullet-proof. Set up is *easy* compared to IPSec. Asterisk with IAX trunking over OpenVPN works fine.

Your thoughts? YackityYak TalkBack!

By: jmjames

jmjames — Tue, 24 Feb 2009 14:53:48 +0000

That’s what it requires… but the "Communicator Web Access" requires port 443 (or 80, but 443 is suggested) *directly into my LAN*. Same thing for Exchange’s "Outlook Anywhere" functionality. This is really stupid. Sure, I pretty much trust IIS to not blow up, but that doesn’t mean that the code doesn’t have open bugs in it that allows it to be exploited. If someone manages to blow up the CWA system, the last thing I want/need is an exploited app in my LAN.

J.Ja