Member Server Login Slow DMZ-Internal Subnet

From: Steve K. (skonde_at_hotmail.)
Date: 05/01/03
Date: Thu, 1 May 2003 17:10:08 -0400

I had a requirement to place a member server on my DMZ and have it log in to
AD across the firewall. I set up a rule containing this machine and the
three DCs on my internal subnet.

During login it took a LONG time (over 5 minutes) after entering a user
name and password (and hitting enter immediately :) ), seemingly hanging on
"Please Wait...Loading your personal settings...".

Eventually the account was able to login and I was even able to browse AD.

My question is two part.

1: In my firewall log I noticed that this member server was attempting to
establish a connection to all three of my DCs even though two of them are
remote. Why isn't it just getting what it needs from the local DC (local
being attached to the third NIC in the firewall as opposed to a T1)?

2: Why the long login time?

Here are the ports opened in the rule between the member server and the
three DCs. Our DMZ is set up behind our firewall, not in front. We are not
using a NAT firewall; we are using an application proxy and routing.

- 123 tcp
- 135 tcp
- 137 udp
- 138 udp
- 139 tcp
- 53 udp
- 53 tcp
- 88 udp
- 88 tcp
- 389 tcp
- 389 udp
- 445 tcp
- 3269 tcp
- 8 icmp (ping)

Thanks in Advance

Steve K.
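Added example, not from the poster or this thread: a small Python audit that takes the rule above (transcribed as constructed input) and compares it with an assumed baseline of the ports a domain member needs to reach its DCs, reporting what the rule does not cover. The baseline, including the RPC dynamic range, is an assumption drawn from Microsoft's published AD port requirements for that era, not something stated in the post.

```python
# Added example (not from the original post): audit a firewall rule's port
# list against an assumed AD domain-member baseline and report the gaps.
# Constructed input: the poster's rule as "port/proto" entries.
RULE_TEXT = ("123/tcp 135/tcp 137/udp 138/udp 139/tcp 53/udp 53/tcp 88/udp "
             "88/tcp 389/tcp 389/udp 445/tcp 3269/tcp 8/icmp")

# Assumed baseline: (proto, port or (lo, hi) range) -> purpose. The RPC
# dynamic range is the Windows Server 2003 default; verify for your DCs.
BASELINE = {
    ("udp", 53): "DNS (SRV lookups for the DC locator)",
    ("tcp", 53): "DNS (responses too large for UDP)",
    ("udp", 88): "Kerberos authentication",
    ("tcp", 88): "Kerberos (large tickets fall back to TCP)",
    ("udp", 123): "W32Time NTP (Kerberos rejects clock skew over 5 min)",
    ("tcp", 135): "RPC endpoint mapper (Netlogon, SAM/LSA)",
    ("tcp", 139): "NetBIOS session service",
    ("tcp", 389): "LDAP",
    ("udp", 389): "CLDAP 'LDAP ping' used by the DC locator",
    ("tcp", 445): "SMB (SYSVOL and NETLOGON shares, group policy)",
    ("tcp", 464): "Kerberos password change (kpasswd)",
    ("udp", 464): "Kerberos password change (kpasswd)",
    ("tcp", 3268): "Global catalog LDAP (non-SSL)",
    ("tcp", (1025, 5000)): "RPC dynamic ports handed out by the endpoint mapper",
}

def parse_rule(text: str) -> set:
    """Parse whitespace-separated 'port/proto' entries into {(proto, port)}."""
    allowed = set()
    for entry in text.split():
        port, proto = entry.split("/")
        allowed.add((proto.lower(), int(port)))
    return allowed

def covered(allowed: set, proto: str, spec) -> bool:
    """True if a single port, or every port of a (lo, hi) range, is allowed."""
    if isinstance(spec, tuple):
        return all((proto, p) in allowed for p in range(spec[0], spec[1] + 1))
    return (proto, spec) in allowed

def audit(text: str) -> list:
    """Return 'port/proto: purpose' for each baseline entry the rule lacks."""
    allowed = parse_rule(text)
    gaps = []
    for (proto, spec), purpose in BASELINE.items():
        if not covered(allowed, proto, spec):
            shown = f"{spec[0]}-{spec[1]}" if isinstance(spec, tuple) else spec
            gaps.append(f"{shown}/{proto}: {purpose}")
    return gaps
```

Run `audit(RULE_TEXT)` to list the baseline entries the rule leaves closed; extend `BASELINE` (for example with 636/tcp for LDAPS or a newer dynamic range) to match the DC versions actually in use.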


