RE: [FW1] setting up "one-way" NTdomain trust
According to Microsoft (see their knowledge base article Q179442 "How to Configure a Firewall for Windows NT and Trusts"):

"To establish a domain trust relationship across a firewall, the following ports must be enabled:

PORT 135 (TCP or UDP) for Remote Procedure Call (RPC) Service
PORT 137 (UDP) for NetBIOS Name Service
PORT 138 (UDP) for NetBIOS datagram (Browsing)
PORT 139 (TCP) for NetBIOS session (NET USE)
ALL PORTS above 1024 for RPC Communication"

I don't know of any registry hacks or otherwise to lock down the high-order port numbers (for example, as you can do with Exchange Server). You might try a workaround using PPTP (see also Q179442):

"Alternatively, a trust can be established through the Point-to-Point Tunneling Protocol (PPTP). For PPTP, the following ports must be enabled:

TCP PORT 1723
IP PROTOCOL 47 (GRE)"

Loring Rose
Senior Network Engineer
GreatDomains.com, a VeriSign company

:> -----Original Message-----
:> From: Bucak, Ulvi [mailto:[email protected]]
:> Sent: Monday, February 12, 2001 3:40 PM
:> To: '[email protected]'
:> Subject: [FW1] setting up "one-way" NTdomain trust
:>
:> Hello everyone,
:>
:> One of my customers has two NT domains. The PDC of one domain is in the DMZ and
:> the PDC of the other domain is in the internal network. I was asked if it's
:> possible to set up a one-way trust between these two domains. That is,
:> DMZ-PDC is going to trust the internal-PDC only, not the other way around.
:>
:> My question is, do I have to open any ports from DMZ to internal, which I
:> don't wanna be doing. I am interested to know if the "trusting PDC" really
:> needs to initiate a session to the "trusted PDC" to be able to set up a one-way
:> trust relationship? If yes, what port should be allowed from the trusting PDC to
:> the trusting PDC?
:>
:> Note: CP talks roughly about setting up a "domain trust relationship",
:> that ports 135 (tcp/udp), 137 (udp), 138 (udp), 139 (tcp) and all ports above
:> 1024 (for RPC communication) should be enabled across the FW.
:>
:> BTW, regarding CP's "ALL PORTS above 1024 for RPC communication", is this
:> really necessary? Are there any solutions available to fix the RPC comm. to
:> a single port on the NT side?
:>
:> Thanks in advance.
:>
:> Ulvi
:>
================================================================================
To unsubscribe from this mailing list, please see the instructions at
http://www.checkpoint.com/services/mailing.html
================================================================================