This discussion has been locked.

You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Outlook and SSH access

Hello guys,

I have installed ASL and it works just fine for HTTP or HTTPS
I have defined the internal net as 192.168.100.x where the internal interface of ASL is 192.168.100.1.
The External interface is connected to my company network and is getting an IP address from the main DHCP server over there within 177.1.x.x range.

Now, from the 192 network I'm able to access any computer in my company network only HTTP or HTTPS (in the 177.1.x.x range) as well as the Internet through my company proxy server.
But I'm not able to ping, ssh, get the Outlook to work, no terminal services, no traceroute, no nothing.

I have added a rule in Packet filter -> Rules like:

Any Any Any Allow
There is no other rule active in the packet filter.
Also in ICMP settings --
ICMP Forwarding: ENABLED
ICMP on firewall: ENABLED

Traceroute settings --
Firewall is traceroute visible: DISABLED
Firewall forwards traceroute: ENABLED
Traceroute from firewall:ENABLED

Ping settings --
Firewall is ping visible: DISABLED
Firewall forwards pings: ENABLED
Ping from firewall:ENABLED

What could be wrong?
After I make a change in those settings do I have to reboot the ASL machine? I don't think so, but maybe I'm wrong.....

Thank you in advance,
LordHex

This thread was automatically locked due to age.

0 oliver.desch over 21 years ago

at a first glance I would say you need to set static routes at least on the default router of the 172-network pointing to your network behind Astaro. As an alternative you could enable masquerading - but afaik Outlook/Exchange doesn't like NAT.

read u
o|iver
Cancel
Vote Up 0 Vote Down

Cancel
0 LordHex over 21 years ago in reply to oliver.desch

Static routes?
I have in the company network DNS servers, proxy servers, mail (Exchange) servers, plus a lot of UNIX servers I want to access.
There is no other way to do it?

I thought that from 192 network (protected net) I should be able to access anything on "internet" (company network in this case) and from "internet" if I want to allow someone access to 192 network then I will create DNAT rules to specific services/computers.

I did this in NAT/MASQUERADING:

MySQL - Internal_Network__ -> External_Network__ / MySQL MASQ__External - None
Terminal Services - Internal_Network__ -> Internal_Network__ / TERM SERV - MASQ__External - None

And also this in Packet Filter:
1 { Global_Broadcast } Any External_Interface__ Drop edit del move
2 { Global_Broadcast } Any Internal_Interface__ Drop edit del move
3 Internal_Network__ TERM SERV External_Network__ Allow edit del move
4 Internal_Network__ MySQL External_Network__ Allow edit del move
5 Internal_Network__ SSH External_Network__ Allow edit del move

Now works TermServ to any server in my company network as well as SSH. No Outlook though.
How can I make it work? What ports/services I need to add to make Outlook 'talk' to exchange server ?

Thank you.
Cancel
Vote Up 0 Vote Down

Cancel
0 SecApp over 21 years ago in reply to LordHex

Make it easy on yourself: do one masquerade rule for everything; restrict using your packetfilter rules.

The problem with Outlook is it talks using RPC, which technically requires an RPC proxy, which Astaro does not do (yet? they have a lot on their plate...)

So I will post Microsoft's workaround (I could just give you the URL, but they might take that away like Internet Explorer 5.5 Service Pack 2...); and where else but on a Linux firewall site could you expect to get such great help with Microsoft?

Doing this requires opening an infamous NetBIOS port; and do you really want to do that? By the way: you might just want to consider using OWA. Outlook 2003 let's you use https to connect to your mail (simple and you still have the advantages of a disconnected mail client, should you need that).

And I've even heard that somebody now makes an IMAP server that runs on a hardened Linux that mimics Exchange and interoperates with the Outlook client too; Contacts, Appointments, and Tasks in Shared Public Folders...

Setting TCP/IP Ports for Exchange and Outlook Client Connections Through a Firewall

This article was previously published under Q155831

SUMMARY
This article tells you how to allow the Microsoft Exchange Client to connect to Microsoft Exchange Server over an existing connection to the Internet and through a firewall. In order to do this, make the ports assigned to these connections static. This requires you to add entries to the registry.

For additional information about configuring Exchange Server services for Internet firewalls, please see the article number below to view the article in the Microsoft Knowledge Base:

148732 XADM: Setting TCP/IP Port Numbers for Internet Firewalls

MORE INFORMATION
You must restart the computer for these changes to take effect.

To make the ports static:

1. Start Registry Editor (Regedt32.exe).
2. Under the HKEY_LOCAL_MACHINE subtree, locate the following subkey:

     System\CurrentControlSet\Services\MSExchangeDS\Parameters

3. Add a REG_DWORD TCP/IP Port value to this key, with a decimal data value of 5000.

NOTE: Microsoft recommends that you assign ports from the 5000 - 65535 (decimal) range. For additional information about the guidelines for static port assignment of Exchange Server services, see the Microsoft Knowledge Base article in the "More Information" section.

EXAMPLE: "TCP/IP Port"=dword:00001388(5000)

The decimal number 5000 was used for the MSExchangeDS TCP/IP Port (0X1388 in hexadecimal format).
4. Locate the following subkey:

     System\CurrentControlSet\Services\MSExchangeIS\ParametersSystem

5. Add a REG_DWORD TCP/IP Port value to this key, with a decimal data value of 5001.

NOTE: Microsoft recommends that you assign ports from the 5000 - 65535 (decimal) range. For additional information about the guidelines for static port assignment of Exchange Server services, see the Microsoft Knowledge Base article in the More Information section.

EXAMPLE: "TCP/IP Port"=dword:00001389(5001)

The decimal number 5001 was used for the MSExchangeIS TCP/IP Port (0X1389 in hexadecimal format).
6. Quit Registry Editor.
7. Ask your boss for a raise.

After this, you must configure the packet filter (or firewall) to allow Transmission Control Protocol (TCP) connections to be made to these ports in addition to port 135.

Additional Explanation

A packet filter (or firewall) denies connection attempts that are made to any port for which you have not explicitly allowed connections. Microsoft Exchange Server does use a well-known static port (port 135) to listen for client connects to the Remote Procedure Call (RPC) Endpoint Mapper Service. However, after the client connects to this socket, Microsoft Exchange Server then re-assigns the client two random ports to use when communicating with the directory and the information store. This makes it impossible to allow these through the firewall without forcing them to be statically assigned.

You can statically map the Exchange Services that are listed in this article to any free TCP/IP port number in the full range (1-65535). However, mapping the Exchange Services to a port number lower than 1024 (below the ephemeral port range) can cause behavior that is not wanted. Therefore, the valid ports for setting these mappings are 1024-65535. Microsoft recommends that you use the range 5000-65535 because most services that automatically choose an ephemeral port higher than 1023 usually start with the ports on the lower range (1024-4999). If you issue a netstat -an command at a command prompt, you receive a listing of all the ports that are currently registered on the server. You can use this to help determine a new valid (unused) port that you can use to statically map the Exchange Services.
Cancel
Vote Up 0 Vote Down

Cancel