7 Replies Latest reply on Sep 20, 2009 10:55 PM by scraasklin

    Firewall rules for MEE deployment

    zn
      Assuming we use the default ports are these rules correct?

      I appreciate some of the services are on one box normally but want to create separate rules from the start

      IP Groups

      EEOD (Endpoint Encryption Object directory)
      EES (Endpoint Encryption Server)
      EEM (Endpoint Encryption Manager Clients)
      EEPC (Endpoint Encryption PC Clients)
      WHD (WebHelpDesk)
      SD (Our Service Desk IP Range)

      Firewall Rulesets

      EEOD > EES Communication what port is this? TCP
      EES > EEOD what port is this? TCP
      EES > EEPC 5556 TCP
      EEPC > EES 5555 TCP
      EEM > EES/EEOD (does the management console talk to the EEOD or the EES?) what port is this? TCP
      WHD > EES/EEOD (does the WebHelpDesk talk to the EEOD or the EES?) what port is this? TCP
      SD > WHD 443 TCP
        • 1. RE: Firewall rules for MEE deployment
          EEOD > EES Communication what port is this? TCP

It's a Windows file share - you should not really split these two up - doing so drops the performance by around 50%.

          EES > EEOD what port is this? TCP

          same as above, don't split them.

          EES > EEPC 5556 TCP

          this does not exist - you're thinking of EEM>EEPC here. The server never initiates a connection.

          EEPC > EES 5555 TCP
          EEM > EES/EEOD (does the management console talk to the EEOD or the EES?) what port is this? TCP

          It can talk to either, to the EES it acts like a client so 5555, or file share (not advised)

          WHD > EES/EEOD (does the WebHelpDesk talk to the EEOD or the EES?) what port is this? TCP

          whd can only talk file shares to the EEOD. Again, don't split them if possible.

          SD > WHD 443 TCP

          Or SSL, as you probably realized.
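As an added example (not part of the thread), a small Python checker that encodes the flow model from reply 1 and grades the ruleset from the original post: clients and consoles initiate to the EES on 5555/TCP, the server never initiates to clients, EES and EEOD share a host, WHD only reaches the EEOD over a file share, and the Service Desk reaches WHD on 443/TCP. TCP 445 for the Windows file share is my assumption; the thread only says "file share".

```python
from dataclasses import dataclass
from typing import Optional

# Expected TCP flows, (source group, destination group) -> allowed ports,
# derived from reply 1. Port 445 (SMB) is an assumption, not from the thread.
FILE_SHARE_PORTS = {445}
EXPECTED_FLOWS = {
    ("EEPC", "EES"): {5555},           # PC clients connect to the server
    ("EEM", "EES"): {5555},            # console acts like a client
    ("EEM", "EEOD"): FILE_SHARE_PORTS, # console direct to data (not advised)
    ("WHD", "EEOD"): FILE_SHARE_PORTS, # WebHelpDesk only talks to the EEOD
    ("SD", "WHD"): {443},              # Service Desk to WebHelpDesk over SSL
}
SERVER_GROUPS = {"EES", "EEOD"}
CLIENT_GROUPS = {"EEPC", "EEM"}

@dataclass(frozen=True)
class Rule:
    src: str
    dst: str
    port: Optional[int] = None  # None stands for "what port is this?"

def check_rule(rule: Rule) -> str:
    """Classify one proposed rule against the flow model."""
    if rule.src in SERVER_GROUPS and rule.dst in CLIENT_GROUPS:
        return "reject: the server never initiates connections to clients"
    if {rule.src, rule.dst} == {"EES", "EEOD"}:
        return "drop: EES and EEOD belong on one host, no firewall rule needed"
    allowed = EXPECTED_FLOWS.get((rule.src, rule.dst))
    if allowed is None:
        return "reject: no such flow between these groups"
    note = " (file share: co-locate rather than cross a firewall if possible)" \
        if allowed is FILE_SHARE_PORTS else ""
    if rule.port is None:
        return f"fix: set port to {min(allowed)}/TCP" + note
    if rule.port not in allowed:
        return f"reject: port {rule.port} is wrong, expected {min(allowed)}/TCP"
    return "ok" + note

def check_rules(rules):
    return [(r, check_rule(r)) for r in rules]

# Constructed input: the original post's ruleset, with "EES/EEOD" destinations
# split into one rule per destination group.
PROPOSED = [
    Rule("EEOD", "EES"), Rule("EES", "EEOD"),
    Rule("EES", "EEPC", 5556), Rule("EEPC", "EES", 5555),
    Rule("EEM", "EES"), Rule("EEM", "EEOD"),
    Rule("WHD", "EES"), Rule("WHD", "EEOD"),
    Rule("SD", "WHD", 443),
]

if __name__ == "__main__":
    for rule, verdict in check_rules(PROPOSED):
        print(f"{rule.src:>4} > {rule.dst:<4} {rule.port or '?'}/TCP : {verdict}")
```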
          • 2. RE: Firewall rules for MEE deployment
            zn
In the installation scenario thread I posted, I mentioned NAT'd sites where I thought we'd need to install an EES to let those NAT'd clients talk back to our EEOD. Are you saying the EES can only talk to the EEOD through the file system, on a \\ipaddressofourEEODserver\SBADATA$\ share for example?

            If we had 30 remote EES nothing would ever get done with the files being locked :eek:
            • 3. RE: Firewall rules for MEE deployment
              yup. ees talks directly to the data - it's the presentation layer.

              if you had 30 ees, nothing would get done as your file share would die - it would be a foolish architecture indeed.

              the EES/ODB traffic is 20x the EEPC/EES traffic, so it's ALWAYS better to have the ees/odb on the same box and have as few EES as possible, at the most two (one primary, one backup).

In your previous thread you didn't really say that you were going to put an EES in each school - I thought you were going to host it centrally and have everyone coming over the WAN/internet?

              anyway no, you don't want an ees in every school - you want one running on the same box which is hosting the data.
              • 4. RE: Firewall rules for MEE deployment
                zn
Yes, will do that for most schools, but there are a few who have their own internal range (172/192 etc.) where I thought we'd have to install an EES on the school ISA server to facilitate communication between the clients and our EEOD.
                  • 6. RE: Firewall rules for MEE deployment
I hope you can find a way around that, as it will pull the performance down and open you up to a lot of security risks. Sending NetBIOS over the internet is never good.

Most people would use a public-facing IP address for their EES and route that through the hosting firewall. It's only one port and encrypted, so there's minimal risk.
                    • 7. RE: Firewall rules for MEE deployment
                      I thought you were going to host it centrally and have everyone coming over the wan/internet?