Hi,
You also need to open ICMP (it is usually mentioned in KB articles). If
you don't open ICMP, client (and DCs on other sides of the firewall)
will run into problems with group policy updating / replication.
Miha
-----Original Message-----
From: listbounce@securityfocus.com [mailto:listbounce@securityfocus.com]
On Behalf Of John Hammond
Sent: Saturday, July 21, 2007 5:18 PM
To: dubaisans@gmail.com; focus-ms@securityfocus.com
Subject: RE: win2k3 active directory - firewall ports
The following are the required ports for AD the articles supporting are
following.
Windows Server 2003 and Windows 2000 Server
For a mixed-mode domain that uses either Windows NT domain controllers
or
legacy clients, trust relationships between Windows Server 2003-based
domain
controllers and Windows 2000 Server-based domain controllers may
necessitate
that all the ports for Windows NT that are listed in the previous table
be
opened in addition to the following ports.
Note The two domain controllers are both in the same forest, or the two
domain controllers are both in a separate forest. Also, the trusts in
the
forest are Windows 2003 trusts or later version trusts. Client
Port(s)Server
PortService
1024-65535/TCP135/TCPRPC
1024-65535/TCP1024-65535/TCPLSA RPC Services (*)
1024-65535/TCP/UDP389/TCP/UDPLDAP
1024-65535/TCP636/TCPLDAP SSL
1024-65535/TCP3268/TCPLDAP GC
1024-65535/TCP3269/TCPLDAP GC SSL
53,1024-65535/TCP/UDP53/TCP/UDPDNS
1024-65535/TCP/UDP88/TCP/UDPKerberos
1024-65535/TCP445/TCPSMB
(*) To define RPC server ports that are used by the LSA RPC services,
see
the "Domain controllers and Active Directory" section in the following
Microsoft Knowledge Base article:
To answer your question review the following microsoft kb articles.
http://support.microsoft.com/kb/179442/
http://support.microsoft.com/kb/154596/en-us
http://support.microsoft.com/kb/224196/
The key is limiting all dynamically assigned ports such as RPC to a
specific
port. While you can limit the services down and rid yourself of certain
ports the more you limit the more functionality you loose.
recipient(s) and may contain confidential and privileged information.
Any
unauthorized review, use, disclosure or distribution is prohibited. If
you
are not the intended recipient, please
contact the sender by reply e-mail and destroy all copies of the
original
messages.
From: "dubaisans dubai" <dubaisans@gmail.com>
To: focus-ms@securityfocus.com
Subject: win2k3 active directory - firewall ports
Date: Fri, 20 Jul 2007 11:54:04 +0530
MIME-Version: 1.0
Received: from outgoing.securityfocus.com ([205.206.231.26]) by
bay0-mc11-f9.bay0.hotmail.com with Microsoft SMTPSVC(6.0.3790.2668);
Fri, 20
Jul 2007 12:08:30 -0700
Received: from outgoing.securityfocus.com by outgoing.securityfocus.com
via
smtpd (for bay0-oim-f.bay0.hotmail.com [65.54.244.200]) with ESMTP; Fri,
20
Jul 2007 12:07:07 -0700
Received: from lists.securityfocus.com (lists.securityfocus.com
[205.206.231.19])by outgoing2.securityfocus.com (Postfix) with QMQPid
4E5DD1438D2; Fri, 20 Jul 2007 10:48:26 -0600 (MDT)
Received: (qmail 2167 invoked from network); 20 Jul 2007 06:45:52 -0000
i want to put win2k3 active directory server behind the corporate
firewall. we are using windows xp clients and also group policy
what ports need to be allowed on firewall ? is there any fine tuning
that can be done on AD to make it more firewall friendly?
i have some DC is remote locations . what ports need to be allowed
between
DCs?
