Re: clients separated from DC by firewall



I agree

"Anthony" <anthony.spam@xxxxxxxxxxxxxx> wrote in message news:uQsWS4bqHHA.4836@xxxxxxxxxxxxxxxxxxxxxxx
Just a comment: by the time you open that lot up, I am not sure what the firewall is preventing any longer. You may as well allow all communication between specified hosts or LAN in my opinion.
Anthony
http://www.airdesk.co.uk


"S. Pidgorny <MVP>" <slavickp@xxxxxxxxx> wrote in message news:OaVgnHbqHHA.1208@xxxxxxxxxxxxxxxxxxxxxxx
What is missing:

* RPC endpoint mapper (135/TCP) + a fixable (http://support.microsoft.com/kb/224196/) port for login services
* LDAP to GC (3268/TCP)
* ICMP ping

Note that Kerberos is UDP by default and LDAP is using both TCP and UDP (UDP = LDAP ping); DNS also may use TCP. Protocols are important. SSL may change port requirements, too. See http://support.microsoft.com/kb/832017/

--
Svyatoslav Pidgorny, MS MVP - Security, MCSE
-= F1 is the key =-

* http://sl.mvps.org * http://msmvps.com/blogs/sp *

"Jay" <jay@xxxxxxxxxx> wrote in message news:uZO$1nUqHHA.4100@xxxxxxxxxxxxxxxxxxxxxxx
Straightforward question: I have a range of PCs that are separated from their domain controller by a PIX. I need to know what ports are required for me to join these clients to the domain.

the doc 'Active Directory in Networks Segmented by Firewalls' leads me to believe I need:

445 (DS)
88 (Kerberos)
389 (LDAP)
53 (DNS)

assume both TCP and UDP for the above. The problem is I am getting an RPC error and I see 135 being dropped by my PIX. What are the ports needed to join a computer to a domain?

Is there a 'right' way to do this?

Thanks
Blake
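Added example, not part of the thread: a pre-flight check, run from a client on the near side of the PIX, that probes every port the replies above add up to (the four from the firewall document, plus 135/TCP, a fixed RPC port per KB224196, 3268/TCP and ICMP), with the UDP paths exercised through the real protocols rather than a bare socket, since UDP gives no connect result. The DC name, domain name and the fixed port number are assumptions; Test-NetConnection needs Windows 8 / Server 2012 or later. The two commented Set-ItemProperty lines at the end are the KB224196 registry values for the DC side.

```powershell
<#
  Added example (not from the thread): check from the client that every port a domain
  join needs is reachable through the PIX. Names and port numbers are assumptions.
#>
param(
    [string]$Dc           = 'dc01.corp.example',  # assumption: the DC behind the PIX
    [string]$Domain       = 'corp.example',       # assumption: the AD DNS domain name
    [int]   $FixedRpcPort = 49152                 # assumption: the port pinned per KB224196
)

# TCP listeners named in the thread: the four from the firewall doc plus the additions.
# A plain hashtable (not [ordered]) so that $Ports[<int>] is a key lookup, not positional.
$tcpPorts = @{
    53   = 'DNS (TCP for truncated replies and zone transfers)'
    88   = 'Kerberos KDC'
    135  = 'RPC endpoint mapper (the port the PIX was dropping)'
    389  = 'LDAP'
    445  = 'SMB / directory services (Netlogon, SYSVOL)'
    3268 = 'LDAP to the Global Catalog'
}
$tcpPorts[$FixedRpcPort] = 'Fixed RPC port for NTDS / Netlogon (KB224196)'

function Test-DcTcpPorts {
    param([string]$Server, [hashtable]$Ports)
    foreach ($port in ($Ports.Keys | Sort-Object)) {
        $r = Test-NetConnection -ComputerName $Server -Port $port -WarningAction SilentlyContinue
        [pscustomobject]@{ Proto = 'TCP'; Port = $port; Service = $Ports[$port]; Open = $r.TcpTestSucceeded }
    }
}

function Test-DcUdpPaths {
    param([string]$Server, [string]$DnsDomain)
    # ICMP echo (the "ICMP ping" item), a DNS SRV lookup of the DC locator record
    # (UDP 53 first, TCP fallback), and nltest's DC locator, which does the LDAP ping
    # (CLDAP over UDP 389) that the thread mentions.
    [pscustomobject]@{ Proto = 'ICMP'; Port = '-'; Service = 'Echo';
        Open = (Test-Connection -ComputerName $Server -Count 1 -Quiet) }

    $srv = $null
    try {
        $srv = Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$DnsDomain" -Type SRV -Server $Server -ErrorAction Stop
    } catch { }
    [pscustomobject]@{ Proto = 'UDP'; Port = 53; Service = 'DNS SRV lookup of the DC locator record';
        Open = [bool]$srv }

    $null = nltest "/dsgetdc:$DnsDomain" /force 2>&1
    [pscustomobject]@{ Proto = 'UDP'; Port = 389; Service = 'LDAP ping via DC locator (nltest)';
        Open = ($LASTEXITCODE -eq 0) }
}

$results = @(Test-DcTcpPorts -Server $Dc -Ports $tcpPorts) + @(Test-DcUdpPaths -Server $Dc -DnsDomain $Domain)
$results | Format-Table -AutoSize

$blocked = $results | Where-Object { -not $_.Open }
if ($blocked) {
    Write-Warning ('Still blocked at the PIX: ' + (($blocked | ForEach-Object { "$($_.Proto)/$($_.Port)" }) -join ', '))
}

# DC side (run elevated on the DC, then reboot): pin the dynamic RPC ports so the PIX
# only needs one fixed port each instead of the whole ephemeral range (KB224196).
# The port values are assumptions; choose ports that are free on the DC.
# Set-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'     -Name 'TCP/IP Port' -Type DWord -Value 49152
# Set-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters' -Name 'DCTcpipPort' -Type DWord -Value 49153
```

Run it before attempting the join; anything listed under "Still blocked" is a rule the PIX still needs. Without the KB224196 registry values the RPC traffic that follows the 135/TCP endpoint-mapper query lands on a dynamic high port, which is the point Anthony makes: opening the whole dynamic range leaves little for the firewall to filter, so pin the port and allow only that one.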