Re: Firewall between DC and Member Server
From: S. Pidgorny [MVP] (slavickp@yahoo.com)
Date: 03/25/03
- Previous message: Robin T Cox: "Re: 4 hours later, can't figure it out!!"
- In reply to: Fred Baumhardt [MSFT]: "Re: Firewall between DC and Member Server"
- Next in thread: Lanwench [MVP - Exchange]: "Re: Firewall between DC and Member Server"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
From: "S. Pidgorny [MVP]" <slavickp@yahoo.com>
Date: Tue, 25 Mar 2003 19:58:49 +1100
Steve's article actually lists all the protocols required between AD client
and server and the ways to lock down the dynamic ranges. Remember that
minimising the protocols utilised requires some configuration i.e. disabling
NetBIOS over TCP/IP. Don't forget DNS and NTP. Run a proof-of-concept
environment and use a protocol analyser like Netmon.
Note that you can use filtering within IPsec if you need to put
restrictions.
We have decided not to use IPsec to deploy AD in our multiDMZ environment.
--
Svyatoslav Pidgorny, MS MVP, MCSE
-= F1 is the key =-

"Fred Baumhardt [MSFT]" <fredbaum@microsoft.com> wrote in message news:eT4E6tm8CHA.2596@TK2MSFTNGP11.phx.gbl...
> Do a search on Technet for a whitepaper by a person called Steve Riley (the
> legend) who has written about active directory over a firewall.
> http://search.microsoft.com/gomsuri.asp?n=14&c=rp_BestBets&siteid=us/itresources&target=http://www.microsoft.com/technet/ittasks/tasks/adrepfir.asp
>
> Keep in mind you should also ensure that FRS replication also functions as
> per 319553
> http://search.microsoft.com/gomsuri.asp?n=8&c=rp_Results&siteid=us/itresources&target=http://support.microsoft.com/default.aspx?scid=kb%3Ben-us%3B319553
>
> You basically have three choices. Open all RPC and Kerberos - tunnel
> traffic - or limit RPC to known ports as well as the AD ports.
>
> Read on....
>
> --
> This posting is provided "AS IS" with no warranties, and confers no rights.
>
> "Angela" <adeksteen@au1.ibm.com> wrote in message
> news:3b4201c2f263$13359d00$a101280a@phx.gbl...
> > Hi
> >
> > We are trying to consolidate our servers and have an issue
> > whereby we have a Windows 2000 Domain in one site and
> > member servers at another. In between these sites is a
> > firewall. I am trying to find out how best to deploy this
> > solution; we cannot use IPSEC as you cannot use packet
> > filtering, but it must be secure and we need to limit the
> > amount of ports open between the servers. Does anyone
> > have an idea on how to best implement or where I can get
> > some information on the correct ports we would need to
> > have open.
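The reply above recommends capturing traffic in a proof-of-concept environment with a protocol analyser and deriving the minimal set of protocols to open, disabling NetBIOS over TCP/IP, locking down the dynamic RPC range, and not forgetting DNS and NTP. The script below is an added example, not code from the thread or from any Microsoft document it cites: it turns a simplified flow export (the records are constructed, with placeholder addresses, not a real Netmon capture) into a candidate allow-list and flags the items the post calls out. The service names, the treatment of ports at or above 1024 as the dynamic RPC range, and the "member server to DC" direction are assumptions of this example.

```python
"""Summarise captured member-server <-> DC flows into a candidate firewall allow-list.

Added example, not from the original newsgroup thread. Flow records are constructed;
service names and the dynamic-range threshold are assumptions of this example.
"""

# Constructed flow records: "src dst proto dport", one per line, as one might export
# from a protocol analyser after a proof-of-concept capture. Addresses are placeholders.
SAMPLE_FLOWS = """\
10.1.1.10 10.0.0.5 UDP 53
10.1.1.10 10.0.0.5 UDP 123
10.1.1.10 10.0.0.5 TCP 88
10.1.1.10 10.0.0.5 UDP 88
10.1.1.10 10.0.0.5 TCP 389
10.1.1.10 10.0.0.5 TCP 445
10.1.1.10 10.0.0.5 TCP 135
10.1.1.10 10.0.0.5 TCP 1029
10.1.1.10 10.0.0.5 TCP 1045
10.1.1.10 10.0.0.5 UDP 137
10.1.1.10 10.0.0.5 UDP 138
10.1.1.10 10.0.0.5 TCP 139
10.0.0.5 10.1.1.10 TCP 1033
"""

MEMBER_SERVER = "10.1.1.10"  # placeholder
DC = "10.0.0.5"              # placeholder

# Well-known service names used only for reporting (assumption: standard assignments).
SERVICE_NAMES = {
    ("UDP", 53): "DNS", ("TCP", 53): "DNS",
    ("UDP", 123): "NTP",
    ("TCP", 88): "Kerberos", ("UDP", 88): "Kerberos",
    ("TCP", 389): "LDAP", ("UDP", 389): "LDAP",
    ("TCP", 445): "SMB over TCP",
    ("TCP", 135): "RPC endpoint mapper",
    ("UDP", 137): "NetBIOS name service",
    ("UDP", 138): "NetBIOS datagram",
    ("TCP", 139): "NetBIOS session",
}
NETBIOS_PORTS = {("UDP", 137), ("UDP", 138), ("TCP", 139)}
DYNAMIC_RANGE_START = 1024  # assumption: ports from here up are treated as dynamic RPC
ESSENTIALS = {"DNS", "NTP", "Kerberos"}  # services the thread says must not be forgotten


def parse_flows(text):
    """Parse 'src dst proto dport' lines into (src, dst, PROTO, port) tuples."""
    flows = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        src, dst, proto, dport = line.split()
        flows.append((src, dst, proto.upper(), int(dport)))
    return flows


def summarise(flows, member_server, dc):
    """Classify member-server -> DC flows into static allow entries, dynamic-range
    ports to lock down, NetBIOS ports to disable, and DC -> member flows to review;
    also report essential services that never appeared in the capture."""
    allow, dynamic, netbios, reverse = set(), set(), set(), set()
    for src, dst, proto, port in flows:
        key = (proto, port)
        if src == member_server and dst == dc:
            if key in NETBIOS_PORTS:
                netbios.add(key)
            elif port >= DYNAMIC_RANGE_START:
                dynamic.add(key)
            else:
                allow.add(key)
        elif src == dc and dst == member_server:
            reverse.add(key)
    seen = {SERVICE_NAMES.get(k, "unknown") for k in allow}
    return {
        "allow": sorted((p, n, SERVICE_NAMES.get((p, n), "unknown")) for p, n in allow),
        "dynamic": sorted(dynamic),
        "netbios": sorted(netbios),
        "reverse": sorted(reverse),
        "missing": sorted(ESSENTIALS - seen),
    }


def render_rules(summary, member_server, dc):
    """Render the summary as human-readable rule lines plus review notes."""
    lines = [f"allow {p} {member_server} -> {dc}:{port}  # {name}"
             for p, port, name in summary["allow"]]
    if summary["dynamic"]:
        ports = [port for _, port in summary["dynamic"]]
        lines.append(f"# {len(ports)} dynamic port(s) seen ({min(ports)}-{max(ports)}): "
                     "restrict the DC's dynamic RPC range and allow only that range")
    for p, port in summary["netbios"]:
        lines.append(f"# NetBIOS {p}/{port} seen: disable NetBIOS over TCP/IP instead of opening it")
    for p, port in summary["reverse"]:
        lines.append(f"# DC -> member {p}/{port} seen: check whether stateful return traffic covers it")
    for name in summary["missing"]:
        lines.append(f"# WARNING: {name} not observed; the capture is probably incomplete")
    return lines


def analyse_sample():
    """Run the pipeline over the constructed capture."""
    return summarise(parse_flows(SAMPLE_FLOWS), MEMBER_SERVER, DC)


if __name__ == "__main__":
    print("\n".join(render_rules(analyse_sample(), MEMBER_SERVER, DC)))
```

Run it against a real export by replacing `SAMPLE_FLOWS` with the capture and the placeholder addresses with the actual hosts; the "missing" check is the guard against building a rule set from a capture that never exercised DNS, NTP or Kerberos.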