FWD all Wan traffic - Draytek router

[darrensen]

Hi all,

Got a question regarding WAN traffic which requires forwarding to a server.

We have a Windows 2003 Small Business Server and i'm wondering what the best practice is for forwarding all WAN traffic to this server?

We have a block of 5 IP's which obviously point to our location, but i'm wondering if i should use the DMZ setting in the router or use Static Route to forward all traffic.

Our server is running several things such as E-Mail serving, Remote Access, Firewall etc.... so we have many ports that need forwarding.

Many thanks for your time.

Darren

[gss03]

Since you sound like you are using ISA some of this info might not be appropriate.

For all my SBS sites - (I manage a few) we use the "Open Ports" part of the draytek and forward them to the SBS box in the office.

The ports we usually open are :

25 - for mail feed into the server
4125 - Remote Web Workplace
443 - https traffic for OWA and OMA
I've also recently had to open up the IMAP port on an SBS server as the client's MD bought an iPhone - This is only needed if you need IMAP(and IMAP is the only way with iPhone :-( )

[Moby-Dick]

Since you sound like you are using ISA some of this info might not be appropriate.

For all my SBS sites - (I manage a few) we use the "Open Ports" part of the draytek and forward them to the SBS box in the office.

The ports we usually open are :

25 - for mail feed into the server
4125 - Remote Web Workplace
443 - https traffic for OWA and OMA
I've also recently had to open up the IMAP port on an SBS server as the client's MD bought an iPhone - This is only needed if you need IMAP(and IMAP is the only way with iPhone :-( )

Exactly what I used to do
Think you have to 80 as well if you are using mobile sync ?

[darrensen]

Like guys for posting up.

Strangely enough, when i open the DMZ and point to our server not all the ports are open. At least this is what the chap is telling me who is managing the server. He since installed his router and it works fine. (different brand)

But i'm pretty sure i can get the draytek going.

Should i just open the below ports and re direct rather than using the DMZ?

25
110
443
444
80
1723
3389
4125

[burble]

Think you have to 80 as well if you are using mobile sync ?

Nope, everything is done over 443.

I'd only open up the ports you need. You could just shove it in the DMZ and then run a firewall on the server but it makes sense to only have open the holes that you need

[gss03]

25
110
443
444
80
1723
3389
4125

Port 25 - yes - Exchange uses this for getting mail via SMTP, that is unless you are using the POP3 connector to get mail - if so, close it.

110 - No - unless you are wanting people staff to have pop3 mail access to the server. Mail retrieval can be better achieved by Exchange over HTTPS.

443 - yes -

444 - no idea so no

80 - Maybe - you could open this one, but it is probably better for all traffic to use https (443)

1723 - Never opened that one - so NO

3389 - No, unless you have someone managing the server remotely - This is the remote desktop port. Again. you can better manage this using Remote Web Workplace

4125 - yes. This is for Remote Web Workplace.

If you want to PM me with questions feel free :-)

[Moby-Dick]

1723 is for the VPN if memory serves me correctly - so depends if you need to use VPN connectivity.

[burble]

Yep, 1723 is PPTP.

[darrensen]

Hi,

Thanks again for your replies.

The situation is we dont actually own the server we just own the building. The client has opted for an external I.T company to maintain their system and the chap has asked for all the posted ports to be opened to the server.

I will manually forward all required ports to the server and post back with the results.

Thanks again guys!