[146376] in North American Network Operators' Group
RE: Encrypted RPC and firewalling
daemon@ATHENA.MIT.EDU (Matthew Huff)
Thu Nov 10 08:39:49 2011
From: Matthew Huff <mhuff@ox.com>
To: "'Valdis.Kletnieks@vt.edu'" <Valdis.Kletnieks@vt.edu>, 'Lasse Birnbaum Jensen' <lasse@sdu.dk>
Date: Thu, 10 Nov 2011 08:38:35 -0500
In-Reply-To: <42850.1320929439@turing-police.cc.vt.edu>
Cc: "'nanog@nanog.org'" <nanog@nanog.org>
Also,
Most enterprises that support Exchange remote access use RPC over HTTPS, which is encrypted and easy to allow on the firewall.
----
Matthew Huff | 1 Manhattanville Rd
Director of Operations | Purchase, NY 10577
OTA Management LLC | Phone: 914-460-4039
aim: matthewbhuff | Fax: 914-460-4139
> -----Original Message-----
> From: Valdis.Kletnieks@vt.edu [mailto:Valdis.Kletnieks@vt.edu]
> Sent: Thursday, November 10, 2011 7:51 AM
> To: Lasse Birnbaum Jensen
> Cc: nanog@nanog.org
> Subject: Re: Encrypted RPC and firewalling
>
> On Thu, 10 Nov 2011 09:56:51 +0100, Lasse Birnbaum Jensen said:
> > I would like to know how you guys handle encrypted rpc across firewalls.
>
> You can always just set the firewall to ban RPC in general, whether or
> not it's encrypted (while you're there, close off ports 137-139 and
> other chucklehead stuff like that), and just make the user who's
> outside the firewall VPN in. That's a nice, simple, well-understood
> configuration that almost all software and even most users can handle.
>
> (We don't actually do a big monolithic firewall box - but pretty much
> everything has an iptables ruleset loaded that says "if your source IP
> isn't inside our 2 /16s, your packets go bye bye". And there's a nice
> PPTP-based VPN solution in place that even a humanities professor
> emeritus can use ;)
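The posture both replies describe, written out as an iptables ruleset. This is an added example, not either poster's actual configuration; the two /16 prefixes, the Exchange front-end address and the interface name are assumed placeholders.

```shell
#!/bin/sh
# Added example: a ruleset in the spirit of this thread, not either poster's
# own configuration. Prefixes, the Exchange host and the interface are made up.
INSIDE_A="10.10.0.0/16"      # assumed: first internal /16
INSIDE_B="10.20.0.0/16"      # assumed: second internal /16
EXCH_FRONTEND="10.10.5.25"   # assumed: Exchange front end offering RPC over HTTPS
WAN_IF="eth0"                # assumed: interface facing the outside

# Wrapper so the ruleset can be previewed with IPT=echo before applying as root.
ipt() { "${IPT:-iptables}" "$@"; }

apply_rules() {
    # Valdis' default: anything not sourced from our two /16s is dropped,
    # so raw RPC, encrypted or not, never reaches internal hosts.
    ipt -P INPUT DROP
    ipt -P FORWARD DROP
    ipt -A INPUT -i lo -j ACCEPT
    ipt -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    ipt -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

    # Explicit, logged drops for the RPC endpoint mapper (135), NetBIOS
    # (137-139) and SMB (445) arriving on the outside interface.
    for p in 135 137:139 445; do
        ipt -A FORWARD -i "$WAN_IF" -p tcp --dport "$p" -j LOG --log-prefix "rpc-drop: "
        ipt -A FORWARD -i "$WAN_IF" -p tcp --dport "$p" -j DROP
    done
    ipt -A FORWARD -i "$WAN_IF" -p udp --dport 137:139 -j DROP

    # Matthew's point: RPC over HTTPS needs only TCP 443 to the Exchange
    # front end, a single rule that is easy to allow and easy to audit.
    ipt -A FORWARD -i "$WAN_IF" -p tcp -d "$EXCH_FRONTEND" --dport 443 \
        -m conntrack --ctstate NEW -j ACCEPT

    # Everyone else VPNs in: PPTP is TCP 1723 plus GRE (IP protocol 47).
    ipt -A INPUT -i "$WAN_IF" -p tcp --dport 1723 -m conntrack --ctstate NEW -j ACCEPT
    ipt -A INPUT -i "$WAN_IF" -p gre -j ACCEPT

    # Traffic originating inside our two /16s is forwarded normally.
    ipt -A FORWARD -s "$INSIDE_A" -j ACCEPT
    ipt -A FORWARD -s "$INSIDE_B" -j ACCEPT
}

# Preview: IPT=echo sh rules.sh apply   Real run (as root): sh rules.sh apply
case "${1:-}" in apply) apply_rules ;; esac
```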