
RE: [FW1] setting up "one-way" NTdomain trust



According to Microsoft (see their knowledge base article Q179442 "How to
Configure a Firewall for Windows NT and Trusts"):

"To establish a domain trust relationship across a firewall, the following
ports must be enabled: 

PORT 135 (TCP or UDP) for Remote Procedure Call (RPC) Service
PORT 137 (UDP) for NetBIOS Name Service
PORT 138 (UDP) for NetBIOS datagram (Browsing)
PORT 139 (TCP) for NetBIOS session (NET USE)
ALL PORTS above 1024 for RPC Communication"


I don't know of any registry hacks or otherwise to lock down the high-order
port numbers (for example, as you can do with Exchange Server). You might
try a workaround using PPTP (see also Q179442):

"Alternatively, a trust can be established through the Point-to-Point
Tunneling Protocol (PPTP). For PPTP, the following ports must be enabled: 

TCP PORT 1723
IP PROTOCOL 47 (GRE)"



Loring Rose
Senior Network Engineer
GreatDomains.com, a VeriSign company
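As an added illustration (not code from this thread or from Microsoft), the two openings quoted from Q179442 modelled as a small Python rule table, so the difference in what each admits through the firewall can be measured; it assumes "ALL PORTS above 1024" means 1025-65535, and the port 3389 used in the check is just a constructed sample high port:

```python
"""Model the two firewall openings Q179442 describes for an NT domain trust
and compare how much of the port space each one exposes. Assumption: "all
ports above 1024" is read as the range 1025-65535."""
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Rule:
    proto: str   # "tcp", "udp" or "gre" (GRE is IP protocol 47, no ports)
    lo: int      # first port of the range (0 for gre)
    hi: int      # last port of the range, inclusive
    purpose: str


# Opening 1: native RPC/NetBIOS trust, ports quoted from the KB article.
RPC_TRUST: List[Rule] = [
    Rule("tcp", 135, 135, "RPC endpoint mapper"),
    Rule("udp", 135, 135, "RPC endpoint mapper"),
    Rule("udp", 137, 137, "NetBIOS name service"),
    Rule("udp", 138, 138, "NetBIOS datagram (browsing)"),
    Rule("tcp", 139, 139, "NetBIOS session (NET USE)"),
    Rule("tcp", 1025, 65535, "dynamic RPC endpoints (assumed range)"),
    Rule("udp", 1025, 65535, "dynamic RPC endpoints (assumed range)"),
]

# Opening 2: the trust carried inside a PPTP tunnel instead.
PPTP_TRUST: List[Rule] = [
    Rule("tcp", 1723, 1723, "PPTP control channel"),
    Rule("gre", 0, 0, "GRE tunnel payload (IP protocol 47)"),
]


def matching_rule(policy: List[Rule], proto: str, port: int) -> Optional[Rule]:
    """Return the first rule that would admit this protocol/port, or None."""
    for rule in policy:
        if rule.proto == proto and rule.lo <= port <= rule.hi:
            return rule
    return None


def exposed_ports(policy: List[Rule], proto: str) -> int:
    """Count distinct TCP or UDP ports the policy opens."""
    ports = set()
    for rule in policy:
        if rule.proto == proto:
            ports.update(range(rule.lo, rule.hi + 1))
    return len(ports)


if __name__ == "__main__":
    # Sample high port (constructed): admitted by the RPC opening, not by PPTP.
    print(matching_rule(RPC_TRUST, "tcp", 3389))
    print(matching_rule(PPTP_TRUST, "tcp", 3389))
    print(exposed_ports(RPC_TRUST, "tcp"), exposed_ports(PPTP_TRUST, "tcp"))
```

The dynamic-endpoint rule is what makes the RPC opening admit almost any high-port service, which is why the PPTP alternative (one TCP port plus GRE) is the narrower policy.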


:> -----Original Message-----
:> From: Bucak, Ulvi [mailto:[email protected]]
:> Sent: Monday, February 12, 2001 3:40 PM
:> To: '[email protected]'
:> Subject: [FW1] setting up "one-way" NTdomain trust 
:> 
:> 
:> 
:> Hello everyone,
:> 
:> One of my customers has two NT domains. The PDC of one domain is in the
:> DMZ and the PDC of the other domain is in the internal network. I was
:> asked if it's possible to set up a one-way trust between these two
:> domains. That is, the DMZ-PDC is going to trust the internal-PDC only,
:> not the other way around.
:> 
:> My question is, do I have to open any ports from DMZ to internal, which I
:> don't wanna be doing? I am interested to know if the "trusting PDC"
:> really needs to initiate a session to the "trusted PDC" to be able to
:> set up a one-way trust relationship. If yes, what port should be allowed
:> from trusting PDC to the trusting PDC?
:> 
:> Note: CP talks roughly about setting up a "domain trust relationship",
:> that ports 135 (tcp/udp), 137 (udp), 138 (udp), 139 (tcp) and all ports
:> above 1024 (for RPC communication) should be enabled across the FW.
:> 
:> BTW, regarding CP's "ALL PORTS above 1024 for RPC communication", is this
:> really necessary? Are there any solutions available to fix the RPC comm.
:> to a single port on the NT side?
:> 
:> Thanks in advance.
:> 
:> Ulvi
:> 
:> 


================================================================================
     To unsubscribe from this mailing list, please see the instructions at
               http://www.checkpoint.com/services/mailing.html
================================================================================
