Firewall warnings after going live with Exchange 2003
Exchange Server Forum Index Exchange Server
Discussion forums for Microsoft Exchange Server users.
Microsoft Outlook
 
 FAQFAQ   MemberlistMemberlist     RegisterRegister 
 ProfileProfile   Log in to check your private messagesLog in to check your private messages   Log inLog in 
 
Google
 
Web ExchangeServerHelp.com
Firewall warnings after going live with Exchange 2003

 
Post new topic   Reply to topic    Exchange Server Forum Index -> Setup
Author Message
Dan B
Guest
Posted: Thu Dec 29, 2005 12:18 am    Post subject: Firewall warnings after going live with Exchange 2003 Reply with quote
Hi,
I need some help thinking through this one....

My basic setup is Windows Server 2003 with Exchange 2003 with latest service
packs. The server has 2 nics, one with a private address plugged into my
LAN and the other with a Public address plugged into my DMZ on the firewall.
Ever since going live about a week ago, I'm getting IP Spoofing warnings
from my firewall such as:
[00001] 2005-12-28 10:56:51 [Root]system-alert-00408: IP spoofing! From
192.168.xxx.xxx:6411 to 69.xxx.xxx.xxx:25, proto TCP (zone DMZ, int
ethernet2). Occurred 1 times.

(obviously, IPs changed to xxx's)

The port numbers vary and the IPs it is spoofing to vary. The source of the
spoofing is the private IP of my server, which tells me that these are not
hack attempts. I have received nearly 600 of these warning messages from my
firewall in the last week.

Can anyone shed some light on this and help me to resolve it.

Thank You,

Dan

Back to top
Jonathan Norris
Guest
Posted: Thu Dec 29, 2005 12:37 am    Post subject: RE: Firewall warnings after going live with Exchange 2003 Reply with quote
It is problalby the RPC listener and other protocols (SMTP).

You may want to check your binding order under the advanced settings in My
Network Places. I am not sure you will be able to prevent this since this is
by design.

Typically with Firewalls I just do NAT and don't worry about Dual Homing it
with two NICs.




--
Jonathan
No Warrenties Implied, Did you do a FULL backup today??????




"Dan B" wrote:

Quote:
Hi,
I need some help thinking through this one....

My basic setup is Windows Server 2003 with Exchange 2003 with latest service
packs. The server has 2 nics, one with a private address plugged into my
LAN and the other with a Public address plugged into my DMZ on the firewall.
Ever since going live about a week ago, I'm getting IP Spoofing warnings
from my firewall such as:
[00001] 2005-12-28 10:56:51 [Root]system-alert-00408: IP spoofing! From
192.168.xxx.xxx:6411 to 69.xxx.xxx.xxx:25, proto TCP (zone DMZ, int
ethernet2). Occurred 1 times.

(obviously, IPs changed to xxx's)

The port numbers vary and the IPs it is spoofing to vary. The source of the
spoofing is the private IP of my server, which tells me that these are not
hack attempts. I have received nearly 600 of these warning messages from my
firewall in the last week.

Can anyone shed some light on this and help me to resolve it.

Thank You,

Dan


Back to top
Dan B
Guest
Posted: Thu Dec 29, 2005 1:14 am    Post subject: Re: Firewall warnings after going live with Exchange 2003 Reply with quote
Thanks for the info. I thought about doing NAT originally. Maybe that will
be better.

Thanks.


"Jonathan Norris" <JonathanNorris@discussions.microsoft.com> wrote in
message news:22BD5E36-F224-417F-BC19-4BAE96968FAC@microsoft.com...
Quote:
It is problalby the RPC listener and other protocols (SMTP).

You may want to check your binding order under the advanced settings in My
Network Places. I am not sure you will be able to prevent this since this
is
by design.

Typically with Firewalls I just do NAT and don't worry about Dual Homing
it
with two NICs.




--
Jonathan
No Warrenties Implied, Did you do a FULL backup today??????




"Dan B" wrote:

Hi,
I need some help thinking through this one....

My basic setup is Windows Server 2003 with Exchange 2003 with latest
service
packs. The server has 2 nics, one with a private address plugged into my
LAN and the other with a Public address plugged into my DMZ on the
firewall.
Ever since going live about a week ago, I'm getting IP Spoofing warnings
from my firewall such as:
[00001] 2005-12-28 10:56:51 [Root]system-alert-00408: IP spoofing! From
192.168.xxx.xxx:6411 to 69.xxx.xxx.xxx:25, proto TCP (zone DMZ, int
ethernet2). Occurred 1 times.

(obviously, IPs changed to xxx's)

The port numbers vary and the IPs it is spoofing to vary. The source of
the
spoofing is the private IP of my server, which tells me that these are
not
hack attempts. I have received nearly 600 of these warning messages from
my
firewall in the last week.

Can anyone shed some light on this and help me to resolve it.

Thank You,

Dan




Back to top
Jonathan Norris
Guest
Posted: Thu Dec 29, 2005 1:26 am    Post subject: Re: Firewall warnings after going live with Exchange 2003 Reply with quote
I would. Much less configuration / wierdness. You can then just open SMTP
25 and HTTP/SSL for OWA. You may also consider doing a Front End with Forms
based Authentication for additional security.
--
Jonathan
No Warrenties Implied, Did you do a FULL backup today??????




"Dan B" wrote:

Quote:
Thanks for the info. I thought about doing NAT originally. Maybe that will
be better.

Thanks.


"Jonathan Norris" <JonathanNorris@discussions.microsoft.com> wrote in
message news:22BD5E36-F224-417F-BC19-4BAE96968FAC@microsoft.com...
It is problalby the RPC listener and other protocols (SMTP).

You may want to check your binding order under the advanced settings in My
Network Places. I am not sure you will be able to prevent this since this
is
by design.

Typically with Firewalls I just do NAT and don't worry about Dual Homing
it
with two NICs.




--
Jonathan
No Warrenties Implied, Did you do a FULL backup today??????




"Dan B" wrote:

Hi,
I need some help thinking through this one....

My basic setup is Windows Server 2003 with Exchange 2003 with latest
service
packs. The server has 2 nics, one with a private address plugged into my
LAN and the other with a Public address plugged into my DMZ on the
firewall.
Ever since going live about a week ago, I'm getting IP Spoofing warnings
from my firewall such as:
[00001] 2005-12-28 10:56:51 [Root]system-alert-00408: IP spoofing! From
192.168.xxx.xxx:6411 to 69.xxx.xxx.xxx:25, proto TCP (zone DMZ, int
ethernet2). Occurred 1 times.

(obviously, IPs changed to xxx's)

The port numbers vary and the IPs it is spoofing to vary. The source of
the
spoofing is the private IP of my server, which tells me that these are
not
hack attempts. I have received nearly 600 of these warning messages from
my
firewall in the last week.

Can anyone shed some light on this and help me to resolve it.

Thank You,

Dan





Back to top
 
Post new topic   Reply to topic    Exchange Server Forum Index -> Setup All times are GMT
Page 1 of 1

 
 You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum




Windows Server Dedicated Servers
New Topics Powered by phpBB