Re: Windows 2003 Domain Controller (Open Port 593)



I believe that what you describe is why, as far as I know, MS still
says placing a DC so that a firewall separates it from its members is
not a supported configuration. In early W2k days, speaking with those
who tried, we most often referred to the wall after such attempts as
Swiss cheese, but regrettably MS did not then even support use of a
VPN tunnel between separated domain segments.

"Will" <westes-usc@xxxxxxxxxxxxxx> wrote in message
news:gpCdnT8_2Nca_Q7YnZ2dnUVZ_uC3nZ2d@xxxxxxxxxxxxxxx
"netmon" <bkj@xxxxxxxxxxxxxxx> wrote in message
news:1166634736.486819.163560@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
I have configured the DC using the following article
http://support.microsoft.com/kb/555381. In addition, I have taken a
look at the following

http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dndcom/html/msdn_dcomfirewall.asp.
Looks as though the DC is as tight as it gets for Windows.

I follow these articles, but I'm confused by the scope of the first one
concerning domain controller configuration of W2K3 DCs to work with
Windows 2003 Firewall. What doesn't appear to be mentioned in this
article is unblocking the endpoint mapper of RPC (port 135), which you
would need for any RPC functionality.

What I also don't see discussed in that article is how to configure for
specific RPC services used during the initial authentication by users and
clients. FRS and AD replication are only two of the services. When we
traced this with a sniffer last year during configuration of ISA2004, we
detected at least three distinct UUIDs of the RPC service used by clients
during authentication and initial login to a domain controller. All of
those would require access to port 135 and subsequent access to the higher
order ports assigned by RPC to those RPC services.

Note that the instructions in this knowledgebase get more complicated if
you want the DC to sit behind an ISA server on its own segment. We
managed to make that work, but it was hellish to figure out how to get
the ISA RPC filter to work with specific services (UUIDs) on fixed
ports. It just barely works, and we did have usability issues with it
(still unresolved, even after referring them to Microsoft support).

--
Will
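The point Will makes above, that a client must first reach the RPC endpoint mapper on TCP 135 and then whatever higher-order port the mapper hands back for each service UUID, is easy to miss when reading the logs of a firewall that sits between a member segment and a DC. The following is an added example, not code from the thread or from Microsoft: it audits constructed firewall connection-log lines, sorts flows to the DC into endpoint-mapper, dynamic-RPC, fixed AD-service and other traffic, and lists the RPC flows the firewall dropped, which is exactly the kind of blocked secondary connection that leaves logons failing. The DC address, the log line format, and the restricted dynamic port range are assumptions for the example; the Windows Server 2003 default dynamic range of 1025-5000 is documented behaviour.

```python
"""Audit a firewall log for MS-RPC traffic between a member segment and a DC.

Added example, not part of the newsgroup thread. The DC address, the log
format and the restricted dynamic range are assumptions of this example.
"""
import re
from collections import Counter

DC_ADDR = "10.0.0.10"   # assumed DC address (constructed)
EPM_PORT = 135          # MS-RPC endpoint mapper: fixed port, contacted first

# Assumed administrator-chosen restricted range on the DC, so that the
# "higher order" ports RPC assigns to services fall in a known window.
DYNAMIC_RANGE = range(49152, 65536)

# Windows Server 2003 handed out dynamic RPC ports from 1025-5000 by default;
# hits here suggest a DC whose dynamic range was never restricted.
LEGACY_DYNAMIC_RANGE = range(1025, 5001)

# Fixed AD service ports a member uses that are not RPC endpoint-mapper traffic.
AD_FIXED_PORTS = {53: "dns", 88: "kerberos", 389: "ldap", 445: "smb",
                  464: "kpasswd", 636: "ldaps"}

# Assumed log format: "src:sport -> dst:dport/proto ACTION"
LOG_RE = re.compile(
    r"^(?P<src>\d{1,3}(?:\.\d{1,3}){3}):\d+ -> "
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3}):(?P<dport>\d+)/(?P<proto>tcp|udp) "
    r"(?P<action>ALLOW|DROP)$"
)

# Constructed sample log: two clients that succeed, one blocked on its
# dynamic port, one blocked on a legacy-range port, one unrelated flow.
SAMPLE_LOG = """\
10.0.1.21:51002 -> 10.0.0.10:135/tcp ALLOW
10.0.1.21:51003 -> 10.0.0.10:49670/tcp DROP
10.0.1.21:51004 -> 10.0.0.10:88/tcp ALLOW
10.0.1.22:51100 -> 10.0.0.10:389/tcp ALLOW
10.0.1.22:51101 -> 10.0.0.10:135/tcp ALLOW
10.0.1.22:51102 -> 10.0.0.10:49672/tcp ALLOW
10.0.1.23:51200 -> 10.0.0.10:1029/tcp DROP
10.0.1.23:51201 -> 10.0.0.99:443/tcp ALLOW
"""

RPC_CATEGORIES = {"epm", "rpc-dynamic", "legacy-dynamic"}


def classify_port(dport):
    """Name the role a destination port plays in member-to-DC traffic."""
    if dport == EPM_PORT:
        return "epm"
    if dport in DYNAMIC_RANGE:
        return "rpc-dynamic"
    if dport in LEGACY_DYNAMIC_RANGE:
        return "legacy-dynamic"
    if dport in AD_FIXED_PORTS:
        return "ad-fixed"
    return "other"


def parse_line(line):
    """Return a dict for a well-formed log line, or None for anything else."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["dport"] = int(rec["dport"])
    return rec


def audit(log_text, dc_addr=DC_ADDR):
    """Count (category, action) pairs for flows to the DC and collect the
    RPC flows (endpoint mapper or dynamic port) that the firewall dropped."""
    counts = Counter()
    blocked_rpc = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["dst"] != dc_addr:
            continue
        category = classify_port(rec["dport"])
        counts[(category, rec["action"])] += 1
        if category in RPC_CATEGORIES and rec["action"] == "DROP":
            blocked_rpc.append((rec["src"], rec["dport"]))
    return counts, blocked_rpc


if __name__ == "__main__":
    counts, blocked = audit(SAMPLE_LOG)
    for (category, action), n in sorted(counts.items()):
        print(f"{category:15s} {action:5s} {n}")
    for src, dport in blocked:
        print(f"blocked RPC flow: {src} -> {DC_ADDR}:{dport}")
```

A client that shows an allowed connection to 135 followed by a dropped connection to a port in the dynamic range is the signature of a firewall that opened the endpoint mapper but not the range behind it; a dropped flow in the 1025-5000 window on a DC that was supposed to be restricted means the restriction did not take effect for that service.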

