
Re: [FW1] NBT & Active Directory authentication through firewall



Derek,

Microsoft Active Directory (AD) does use dynamic ports also. I'm dealing with the
same issue now, but so far I have it pretty much working fine. Look at Microsoft
Knowledge Article Q224196 for instructions on how to force the AD replication to a
single port.

Try creating a service group with the following:

LDAP        port 389 on both TCP and UDP (yes, it does use UDP also)
SMB         port 445 (this is the direct host that replaces NetBIOS for drive mapping and printing)
Kerberos    port 88 UDP
NBT         (if you want legacy NetBIOS)
RPC         135 TCP

You might also want to open 464/tcp for Kerberos password, but I personally haven't
noticed it yet in the logs.
Also, if you're running DNS on the box, then open that up too. W2K, though, can
replicate its own DNS servers using AD instead of DNS zone transfers, but clients
will be querying the servers using traditional DNS queries.

Also you either need to change your registry for a single port and add that
service, or you're stuck opening up high-ports to the AD server.

I do have servers talking to AD by adding these, but I'm still doing some changes
to iron things out. Should know more by next week if I have all the quirks out of
it and the proper registry changes done to remove dynamic ports.

Ron


"Derek J. Lambert" wrote:

> We recently migrated our NT domain controllers to Win2k. We have a Win2k member
> server in a DMZ that can't authenticate now (so no one can log in except for the
> local admin). It looks like in addition to the NT4 netbios stuff, Win2k also
> wants to use DCOM on tcp/udp 135, kerberos on tcp/udp 88, and LDAP on tcp/udp
> 389 (this is from watching the log and MS-TechNet). I created services for all
> these (except LDAP tcp, which already existed), but still no luck. Is there an
> FAQ on this somewhere, or does anyone have any experience with this? Thanks.
>
> Derek J. Lambert, MCSE, MCP+I, CCA, A+
> MIS Manager
> Columbia ParCar Corp.
>
> ================================================================================
>      To unsubscribe from this mailing list, please see the instructions at
>                http://www.checkpoint.com/services/mailing.html
> ================================================================================
--
Ron Atkinson
Systems Engineer
Internet Operations Center (IOC); Security
200 Galleria Officentre, Suite 109, Southfield, MI 48034, US
Tel (work): ext 6543
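As an added example that is not part of either message above: both posters say they are working from the firewall log, and the reply's diagnosis is that any drops left after the service group is in place are either legacy NetBIOS or RPC dynamic high ports that must be pinned by the registry change or opened wholesale. The script below encodes the service group from the reply (LDAP 389 tcp+udp, SMB 445, Kerberos 88, RPC 135, the optional 464/tcp, DNS) and sorts constructed drop-log lines into those buckets so the remaining gap is visible at a glance. The log format, the addresses, port 53 for DNS, the standard NetBIOS ports 137/138/139, and the 1024 floor for "high port" are my assumptions, not anything the thread states.

```python
"""Sort firewall drop logs for a DMZ member server into the AD service set.

Added example, not code from the mailing-list post. It encodes the service group
the reply suggests and flags drops to the domain controller on high ports, which
is the symptom of RPC dynamic ports that the reply says must be pinned by the
registry change or opened wholesale. Log format and addresses are constructed.
"""
import re
from collections import Counter

# Services from the reply; tcp/88 is from the quoted question. Port 53 for DNS is
# my assumption: the post only says "if you're running DNS on the box then open that up".
AD_SERVICE_GROUP = {
    ("tcp", 389): "LDAP",
    ("udp", 389): "LDAP",
    ("tcp", 445): "SMB direct host",
    ("udp", 88): "Kerberos",
    ("tcp", 88): "Kerberos",
    ("tcp", 135): "RPC endpoint mapper",
    ("tcp", 464): "Kerberos password change",
    ("tcp", 53): "DNS",
    ("udp", 53): "DNS",
}
# Legacy NetBIOS, only needed if NBT is kept (standard NBT ports, assumed here).
LEGACY_NETBIOS = {
    ("udp", 137): "NetBIOS name service",
    ("udp", 138): "NetBIOS datagram",
    ("tcp", 139): "NetBIOS session",
}
# Assumption: anything at or above 1024 to the DC is treated as a dynamic RPC port.
DYNAMIC_RPC_FLOOR = 1024

# Constructed log format (not Check Point's): action src=.. dst=.. proto=.. dport=..
LOG_RE = re.compile(
    r"^(?P<action>\w+)\s+src=(?P<src>\S+)\s+dst=(?P<dst>\S+)"
    r"\s+proto=(?P<proto>tcp|udp)\s+dport=(?P<dport>\d+)\s*$"
)


def parse_line(line):
    """Return a dict for a well-formed line, None for anything else."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    entry = m.groupdict()
    entry["dport"] = int(entry["dport"])
    return entry


def classify(entry, dc_addresses):
    """Label one entry with its bucket and the service name or proto/port."""
    if entry["dst"] not in dc_addresses:
        return "unrelated", None
    key = (entry["proto"], entry["dport"])
    if key in AD_SERVICE_GROUP:
        return "service-group", AD_SERVICE_GROUP[key]
    if key in LEGACY_NETBIOS:
        return "legacy-netbios", LEGACY_NETBIOS[key]
    if entry["dport"] >= DYNAMIC_RPC_FLOOR:
        return "dynamic-rpc", f"{entry['proto']}/{entry['dport']}"
    return "other", f"{entry['proto']}/{entry['dport']}"


def summarize(log_text, dc_addresses, action="drop"):
    """Count buckets for lines with the given action; list dynamic high ports seen."""
    counts = Counter()
    dynamic_ports = set()
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry is None or entry["action"] != action:
            continue
        bucket, _detail = classify(entry, dc_addresses)
        counts[bucket] += 1
        if bucket == "dynamic-rpc":
            dynamic_ports.add(entry["dport"])
    return counts, sorted(dynamic_ports)


# Constructed sample: DMZ member server 192.0.2.10 talking to DC 198.51.100.5.
SAMPLE_LOG = """\
drop src=192.0.2.10 dst=198.51.100.5 proto=udp dport=389
drop src=192.0.2.10 dst=198.51.100.5 proto=tcp dport=445
drop src=192.0.2.10 dst=198.51.100.5 proto=udp dport=88
drop src=192.0.2.10 dst=198.51.100.5 proto=tcp dport=135
drop src=192.0.2.10 dst=198.51.100.5 proto=tcp dport=1028
drop src=192.0.2.10 dst=198.51.100.5 proto=tcp dport=139
drop src=192.0.2.10 dst=198.51.100.5 proto=tcp dport=464
drop src=192.0.2.10 dst=203.0.113.9 proto=tcp dport=80
accept src=192.0.2.10 dst=198.51.100.5 proto=tcp dport=389
"""

if __name__ == "__main__":
    counts, dyn = summarize(SAMPLE_LOG, {"198.51.100.5"})
    for bucket, n in sorted(counts.items()):
        print(f"{bucket:15s} {n}")
    if dyn:
        print("high ports dropped to DC (pin RPC to a fixed port or open them):", dyn)
```

Drops in the "service-group" bucket mean the group exists but is not yet applied to this source/destination pair; "dynamic-rpc" drops are the ones the registry change is meant to remove, and once replication is pinned to one port that single port can be added to the group instead of a high-port range.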


   All contents © 2004 Network Presence, LLC. All rights reserved.