I can verify this as well. We block all Windows ports, in and out, and have a few clients that we've had to put exclusions in the filters for. Get this, they're in the US, their Exchange server is in the UK, and instead of doing a VPN between their office (of 20 employees) and the remote office, they all use the UK's WINS Server and attach to the Exchange server through a NAT router. The only reason so far that I've been able to glean why they don't do a VPN was that the IT consultant for the parent company suggested it and this local supervisor doesn't like him so won't do anything he suggests, even if it's good advice.

We have another client who hosts an Exchange server for a few remote users and I finally got them to at least use PPTP when Road Runner blocked 135-139 ports (and their remote users are all @ home on RR).

william

----- Original Message -----
From: "Christopher L. Morrow" <chris@UU.NET>
To: "Stewart, William C (Bill), RTSLS" <billstewart@att.com>
Cc: <nanog@merit.edu>
Sent: Monday, October 27, 2003 9:08 AM
Subject: Re: ISPs' willingness to take action

On Mon, 27 Oct 2003, Stewart, William C (Bill), RTSLS wrote:
Brian Bruns asserts that there are lots of home users connecting to their office Exchange servers without VPNs, and that therefore blocking the Microsoft ports was bad. While I agree with his point that you shouldn't do it without documenting what you are or are not blocking, I'm really surprised to hear the assertion that people are leaving unfirewalled Exchange servers out on the net. Is this actually common? /shudders...
apparently so... reference long discussions on nanog regarding blocking welchia/nachi... People even, SHOCKER, use smb shares over the internet without vpns or firewalls :(