1029usr078198
Posted - June 13 2008 : 12:19:13
From the SBS Help topic entitled, "Firewall settings configured by the Configure E-mail and Internet Connection Wizard"
When you run the Configure E-mail and Internet Connection Wizard, you can enable the firewall on your server to protect your local network from unauthorized Internet access. If you have a firewall device on your network that supports configuration by Universal Plug and Play (UPnP), you can also use the wizard to automatically configure the device. For more information about how the wizard configures a firewall using UPnP, see Using routers that support UPnP.
When you enable the firewall using the Configure E-mail and Internet Connection Wizard, standard services necessary to ensure your Internet connectivity are allowed through the firewall. Additionally, you can select to allow predefined Web services or any of the predefined services through the firewall. Or, you can also create custom services that you want to allow through the firewall.
Standard services allowed by the Configure E-mail and Internet Connection Wizard
When you select to enable the firewall using the Configure E-mail and Internet Connection Wizard, the following standard services are allowed through the firewall to ensure Internet connectivity:
Note
The protocol type for each of the standard services allowed through the firewall is Transmission Control Protocol (TCP).

| Service | Port number | Purpose |
| --- | --- | --- |
| ICMP | No port number | Enables you to test connectivity to or from the Internet. For example, you can use the ping command. |
| DHCP client | 67 and 68 | Enables Windows® Small Business Server 2003 to automatically obtain an IP address from the DHCP server at your Internet service provider (ISP). |
Note
To prevent IP spoofing through the firewall, a filter is created to drop all network packets that try to appear as if they are coming from the internal IP address range.
Predefined options for Web services
When you enable the firewall using the Configure E-mail and Internet Connection Wizard, on the Web Services Configuration page, you can select to allow access to specific Web services or to your entire Web site.
The following predefined options for Web services are available:
Note
The protocol type for each of the standard services allowed through the firewall is Transmission Control Protocol (TCP).

| Service | Port number | Purpose |
| --- | --- | --- |
| Outlook® Web Access | 80 (for http://) and 443 (for https://) | Allows users to access their e-mail from the Internet using a Web browser. This service requires that users type https:// to connect securely from a Web browser to the Web server. |
| Remote Web Workplace | 4125 | Allows users to access services on the Windows Small Business Server network from the Internet using a Web browser. This service requires that users type https:// to connect securely from a Web browser to the Web server. |
| Server performance and usage reports | 443 | Allows users to access server performance and usage reports, which contain detailed information about the overall health and use of your server. Users can connect to this service using either an http:// or https:// connection. |
| Outlook® Mobile Access | 80 and 443 | Allows users to access their e-mail from a mobile device. Users can connect to this service using either an http:// or https:// connection. |
| Windows SharePoint Services intranet site | 444 | Allows users to access the intranet Web site created by Microsoft® Windows® SharePoint™ Services. Port 444 is required to secure communications between your server and a Web browser. To connect to the intranet Web site from the Internet, users must type https:// to securely connect between the Web browser and the Web server. If users are on the local network, users can type http://. |
| Business Web site (wwwroot) | 80 | Allows users to access the company's Internet Web site from the Internet. |
| Outlook via the Internet | 80 | Allows users to remotely access their e-mail from a client computer on the Internet using Microsoft® Office Outlook® 2003, without needing to create a virtual private network (VPN) connection. Outlook connects to an Exchange server through the Internet using remote procedure call (RPC) over HTTP. This Web service requires that the client computers meet the necessary requirements. |
| Entire Web site | 80, 443, and 444 | Allows users on the Internet to access the default Web site and the company's internal Web site or specific Web site services. Port 80 is required for HTTP requests for your default Web site, port 443 is required for Secure Sockets Layer (SSL) for your default Web site, and 444 is required for SSL for the company's internal Web site. SSL secures communications between your server and a Web browser. |

Note (Remote Web Workplace)
If you are using Routing and Remote Access as your firewall, port 443 is used for secure communications. If you are using Microsoft® Internet Security and Acceleration (ISA) Server 2000 as your firewall, secure communications are configured through a Web listening rule.
Important (Windows SharePoint Services intranet site)
If you create sub-level nodes in Windows SharePoint Services, they will also be accessible to the Internet when you allow access to the intranet Web site.
Note (Windows SharePoint Services intranet site)
In addition to opening the ports for Web server access, you must select to allow access to Web sites on the Web Services Configuration page of the Configure E-mail and Internet Connection Wizard.
Client computer requirements (Outlook via the Internet)
The client computer is running Microsoft® Windows® XP Service Pack 1 or later. You have installed a QFE released after Windows XP, or you have installed Windows XP Service Pack 2. The client computer is running Outlook 2003 or later. You have an Outlook profile configured for the server. For more information about configuring the client computers, click Information and Answers at the Remote Web Workplace. For more information about accessing the Remote Web Workplace, see "Connect remotely to the server" in Help and Support Center.
Note (Entire Web site)
In addition to opening the ports for Web server access, you must allow access to Web sites on the Web Services Configuration page of the Configure E-mail and Internet Connection Wizard.
Important
If your network adapter used to connect to the Internet has a dynamically assigned IP address (using DHCP), your Internet service provider (ISP) must support dynamic updates of Domain Name System (DNS) records. Otherwise, when the adapter receives a new IP address from DHCP, DNS will not be able to resolve your server's Internet domain name to the IP address in the DNS records.
Allowing access to Web services on your server is not supported if your server uses ISA Server 2000 as your firewall and you have a dynamically assigned IP address for your ISP network adapter. You must either use a static IP address for your ISP network adapter or remove ISA Server 2000 and use Basic Firewall in Routing and Remote Access Service. For more information on modifying your installation, see "Modify your Windows Small Business Server installation" in Help and Support Center.
When the default Web site or selected Web services are accessible to the Internet, the IP permissions are set to allow access to all IP addresses. For more information about restricting specific IP addresses, see Internet Information Services Help. Click Start, click Server Management, double-click Advanced Management, right-click Internet Information Services, and then click Help. Search for "Securing Sites with IP Address Restrictions."
Additional services to allow
When you enable the firewall using the Configure E-mail and Internet Connection Wizard, on the Additional Services Configuration page, you can select to allow access to any of the predefined services listed or create a new service if the one you want to allow is not listed.
The following predefined services are available from the Additional Services Configuration page:
Note
The protocol type for each of the standard services allowed through the firewall is Transmission Control Protocol (TCP).

| Service | Port number | Purpose |
| --- | --- | --- |
| E-mail | 25 | Allows incoming and outgoing SMTP traffic so Exchange can send and receive Internet e-mail. |
| Virtual Private Networking (VPN) | 1723 | Allows remote clients to connect securely over the Internet to the network and use resources as if the client were connected locally. |
| Terminal Services | 3389 | Allows users to connect to the server using Windows Terminal Services remotely over the Internet. |
| FTP | 21 | Allows File Transfer Protocol (FTP) connections to the server. |

Note (FTP)
To use your server as an FTP server, you must first install and configure the FTP service. For more information, click Start, and then click Help and Support.
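The Help text above lists the ports each wizard option opens and mentions the anti-spoofing filter, but it never shows what the resulting inbound policy looks like as a whole. The following Python script is an added example (not Microsoft's code and not the SBS firewall implementation): it models the allow-list from the three tables, applies the anti-spoofing rule to sample packets, and reports which open ports are not the SSL ports 443 and 444 so an administrator can review where the Help topic says users must still type https://. The internal range 192.168.16.0/24, the packet dictionary format, the sample packets and the non_ssl_ports check are assumptions constructed for this example.

```python
"""Model of the inbound allow-list built by the Configure E-mail and Internet
Connection Wizard, plus the anti-spoofing filter described in the Help topic.

Port numbers come from the tables quoted above. The internal address range,
the packet format and the sample packets are constructed for this example.
"""
from ipaddress import ip_address, ip_network

# Standard services the wizard always allows (from the Help topic).
# ICMP has no port number and is handled separately in filter_packet().
STANDARD_PORTS = {67, 68}  # DHCP client

# Predefined Web services and Additional services, name -> TCP ports
# (values from the Help topic tables).
PREDEFINED_SERVICES = {
    "Outlook Web Access": {80, 443},
    "Remote Web Workplace": {4125},
    "Server performance and usage reports": {443},
    "Outlook Mobile Access": {80, 443},
    "Windows SharePoint Services intranet site": {444},
    "Business Web site (wwwroot)": {80},
    "Outlook via the Internet": {80},
    "Entire Web site": {80, 443, 444},
    "E-mail": {25},
    "Virtual Private Networking (VPN)": {1723},
    "Terminal Services": {3389},
    "FTP": {21},
}

# Ports the Help topic describes as SSL-secured.
SSL_PORTS = {443, 444}

# Constructed internal range for this example (assumption, not from the page).
INTERNAL_NET = ip_network("192.168.16.0/24")


def allowed_ports(enabled):
    """Return the set of TCP ports open once the given services are enabled.

    An unknown service name raises KeyError so a typo never silently
    produces a policy that differs from what the administrator intended.
    """
    ports = set(STANDARD_PORTS)
    for name in enabled:
        ports |= PREDEFINED_SERVICES[name]
    return ports


def filter_packet(pkt, enabled):
    """Apply the wizard's rules to one inbound packet.

    pkt is a dict with keys iface ('external' or 'internal'), src (IP string),
    proto ('tcp', 'udp' or 'icmp') and dport (int, ignored for icmp).
    Returns a (verdict, reason) tuple.
    """
    src = ip_address(pkt["src"])
    # Anti-spoofing filter: a packet arriving on the external interface must
    # not claim a source address inside the internal range.
    if pkt["iface"] == "external" and src in INTERNAL_NET:
        return "drop", "spoofed internal source address on external interface"
    if pkt["proto"] == "icmp":
        return "allow", "ICMP is a standard service (no port number)"
    if pkt["proto"] == "tcp" and pkt["dport"] in allowed_ports(enabled):
        return "allow", "TCP port %d is enabled" % pkt["dport"]
    return "drop", "no enabled service matches %s/%s" % (pkt["proto"], pkt["dport"])


def non_ssl_ports(enabled):
    """Open service ports other than the SSL ports 443 and 444 (own check).

    The Help topic opens port 80 for OWA yet tells users to type https://,
    so these are the ports worth a second look after running the wizard.
    """
    return allowed_ports(enabled) - STANDARD_PORTS - SSL_PORTS


if __name__ == "__main__":
    enabled = {"Outlook Web Access", "Remote Web Workplace", "E-mail"}
    print("open TCP ports:", sorted(allowed_ports(enabled)))
    print("non-SSL ports to review:", sorted(non_ssl_ports(enabled)))
    # Constructed sample packets (not captured traffic).
    samples = [
        {"iface": "external", "src": "203.0.113.7", "proto": "tcp", "dport": 25},
        {"iface": "external", "src": "203.0.113.7", "proto": "tcp", "dport": 3389},
        {"iface": "external", "src": "192.168.16.5", "proto": "tcp", "dport": 25},
        {"iface": "external", "src": "203.0.113.7", "proto": "icmp", "dport": 0},
    ]
    for pkt in samples:
        print(pkt["src"], pkt["proto"], pkt["dport"], "->", filter_packet(pkt, enabled))
```

Running the script with the three services enabled shows SMTP allowed from an external address, Terminal Services dropped because it was not enabled, the packet claiming 192.168.16.5 dropped by the anti-spoofing rule regardless of port, and ICMP allowed as a standard service.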
Requirements for using the Configure E-mail and Internet Connection Wizard to configure firewall settings
Whether or not you can use the Configure E-mail and Internet Connection Wizard to configure firewall settings depends on your network configuration.
If you are using the firewall provided by Windows Small Business Server, your server must be the gateway to the Internet, as shown in Figure 1.
[Figure 1 - Gateway to the Internet]
If your server is not the gateway to the Internet, you cannot use the firewall provided by Windows Small Business Server. However, if you have a firewall device on your network that supports configuration using UPnP, the wizard can automatically configure the firewall settings. For more information about how the wizard configures firewalls that support UPnP, see Using routers that support UPnP.
If the device does not support UPnP, you must configure the appropriate firewall settings on your firewall device. For more information about configuring these settings, see Configuration Settings for an Existing Firewall Device in Appendix C, "Network Configuration Settings," of Getting Started.