Filter exceptions for GroupWise
Novell Cool Solutions: Question & Answer
Q:
We want to allow remote (not "remote mode") GroupWise 6.5 clients to connect to post offices inside the firewall via SSL. I'm a little confused as to which is the best setup for this, reverse proxy or NAT. My understanding is that, because the GW client selects a random port as the source port in the packet, one would have to open too many generic ports on the reverse proxy server to make this viable. Is this true with reverse proxy for SSL as well? If so, is NAT the way to go?
A:
SSL and reverse proxy are associated with WebAccess, and not the GroupWise client. In any case, SSL normally uses port 443. The random ports you are talking about are the source ports, not the destination ports. That is how TCP connections normally work.
You would probably have a little better luck here using generic proxy than reverse proxy, for SSL. Either would be slightly more secure than NAT. With SSL, the only filter exceptions needed are usually for port 443. Some apps (like iFolder, NW web access, etc.) might be configured to use SSL on other ports, like 51443, 52443, or 2200.
If you're using the native GroupWise 56-bit encryption instead of SSL, then the filter exception for the return packet needs to include ports 1024-65535 (the random source port in the request becomes the destination port on the reply).
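The return-packet exception described in the answer, modelled as an added example (not part of the original Q&A) with a stateless, default-deny filter. The class and function names are hypothetical, and port 1677 is an assumption, since the page does not name the post office port.

```python
from dataclasses import dataclass

EPHEMERAL = range(1024, 65536)  # random client source ports, 1024-65535 as in the answer
SERVICE_PORT = 1677             # assumed post office port; not stated on the page


@dataclass(frozen=True)
class Packet:
    direction: str  # "in" = client -> post office, "out" = post office -> client
    src_port: int
    dst_port: int


@dataclass(frozen=True)
class FilterException:
    direction: str
    src_ports: range
    dst_ports: range

    def matches(self, p: Packet) -> bool:
        return (p.direction == self.direction
                and p.src_port in self.src_ports
                and p.dst_port in self.dst_ports)


def allowed(rules, p: Packet) -> bool:
    """Stateless default-deny: a packet passes only if some exception matches it."""
    return any(r.matches(p) for r in rules)


def connection_works(rules, client_port: int, service_port: int) -> bool:
    request = Packet("in", client_port, service_port)
    reply = Packet("out", service_port, client_port)  # ports swap on the reply
    return allowed(rules, request) and allowed(rules, reply)


svc = range(SERVICE_PORT, SERVICE_PORT + 1)
rules = [
    FilterException("in", EPHEMERAL, svc),   # client request to the service port
    FilterException("out", svc, EPHEMERAL),  # reply: source pinned to the service port
]
# Constructed mistake: the reply exception only covers the service port as destination.
broken = [rules[0], FilterException("out", EPHEMERAL, svc)]

if __name__ == "__main__":
    print(connection_works(rules, 50123, SERVICE_PORT))   # reply reaches the client
    print(connection_works(broken, 50123, SERVICE_PORT))  # reply is dropped
    print(allowed(rules, Packet("out", 8080, 50123)))     # other source ports stay blocked
```

Pinning the reply exception's source port to the service port is what keeps the 1024-65535 destination range from becoming a general outbound opening.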