Re: [FW1] NBT & Active Directory authentication through firewall
Derek,

Microsoft Active Directory (AD) does use dynamic ports also. I'm dealing with the same issue now, but so far I have it pretty much working fine. Look at Microsoft Knowledge Base article Q224196 for instructions on how to force the AD replication to a single port.

Try creating a service group with the following:

  LDAP port 389 on both TCP and UDP (yes, it does use UDP also)
  SMB port 445 (this is the direct host that replaces NetBIOS for drive mapping and printing)
  Kerberos port 88
  UDP NBT (if you want legacy NetBIOS)
  RPC 135 TCP

You might also want to open 464/tcp for Kerberos password, but I personally haven't noticed it yet in the logs. Also, if you're running DNS on the box, then open that up too. W2K, though, can replicate their own DNS servers using AD instead of DNS zone transfers, but clients will be querying the servers using traditional DNS queries.

Also, you either need to change your registry for a single port and add that service, or you're stuck opening up high ports to the AD server. I do have servers talking to AD by adding these, but I'm still doing some changes to iron things out. Should know more by next week if I have all the quirks out of it and the proper registry changes done to remove dynamic ports.

Ron

"Derek J. Lambert" wrote:

> We recently migrated our NT domain controllers to Win2k. We have a Win2k member
> server in a DMZ that can't authenticate now (so no one can log in except for the
> local admin). It looks like in addition to the NT4 netbios stuff, Win2k also
> wants to use DCOM on tcp/udp 135, kerberos on tcp/udp 88, and LDAP on tcp/udp
> 389 (this is from watching the log and MS-TechNet). I created services for all
> these (except LDAP tcp, which already existed), but still no luck. Is there an
> FAQ on this somewhere, or does anyone have any experience with this? Thanks.
>
> Derek J. Lambert, MCSE, MCP+I, CCA, A+
> MIS Manager
> Columbia ParCar Corp.
Ron Atkinson
Systems Engineer, Internet Operations Center (IOC), Security
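The practical question behind Ron's list is which of the flows a DMZ member server actually opens to the DC are covered by the proposed service group, and which ones are follow-on RPC connections to a high port that no fixed rule will match until the port is pinned in the registry (KB 224196) or the high range is opened. The script below is an added example written for this page, not code from either poster or from Check Point. It encodes the service group as Ron lists it (LDAP and Kerberos on both transports, NBT expanded to its standard ports 137/138/139, the optional 464/tcp and DNS included), classifies a set of constructed flows against it, and shows how the report changes once a replication port is pinned. The `src dst proto dport` log layout, the addresses, and the pinned port 50000 are assumptions for the example, not the FireWall-1 log format or a recommended value.

```python
"""Check observed DMZ-to-DC flows against the AD service group from the post.

Added example, not code from the thread. Log lines are constructed and the
"src dst proto dport" layout is an assumption for this example, not the
FireWall-1 log format; parse real logs with the fields your firewall emits.
"""
from collections import namedtuple

# The service group Ron suggests, plus the optional items he mentions.
# Kerberos and LDAP on both transports; "NBT" expanded to its standard ports.
SERVICE_GROUP = {
    ("tcp", 389): "LDAP",
    ("udp", 389): "LDAP",
    ("tcp", 445): "SMB direct host (no NetBIOS)",
    ("tcp", 88): "Kerberos",
    ("udp", 88): "Kerberos",
    ("tcp", 135): "RPC endpoint mapper",
    ("udp", 137): "NBT name service",
    ("udp", 138): "NBT datagram",
    ("tcp", 139): "NBT session",
    ("tcp", 464): "Kerberos password change",
    ("tcp", 53): "DNS",
    ("udp", 53): "DNS",
}

# After TCP 135, an RPC client connects to whatever high port the server's
# endpoint mapper hands out; this is the "dynamic ports" problem in the post.
EPHEMERAL_RANGE = range(1024, 65536)

Flow = namedtuple("Flow", "src dst proto dport")


def parse_line(line):
    """Parse one constructed log line into a Flow (assumed layout)."""
    src, dst, proto, dport = line.split()
    return Flow(src, dst, proto.lower(), int(dport))


def classify(flow, static_port=None):
    """Return (verdict, reason) for a flow under the proposed policy.

    static_port is the port pinned through the NTDS 'TCP/IP Port' registry
    value described in KB 224196; None means that change was not made.
    """
    key = (flow.proto, flow.dport)
    if key in SERVICE_GROUP:
        return "allow", SERVICE_GROUP[key]
    if static_port is not None and flow.proto == "tcp" and flow.dport == static_port:
        return "allow", "AD RPC on pinned port %d" % static_port
    if flow.proto == "tcp" and flow.dport in EPHEMERAL_RANGE:
        return "dynamic-rpc", "high port not in group; pin via registry or open the range"
    return "drop", "not an AD service"


def audit(lines, static_port=None):
    """Summarise which flows the group covers and which high ports remain."""
    report = {"allow": [], "dynamic-rpc": [], "drop": []}
    for flow in map(parse_line, lines):
        verdict, reason = classify(flow, static_port)
        report[verdict].append((flow.dport, reason))
    report["uncovered_ports"] = sorted({p for p, _ in report["dynamic-rpc"]})
    return report


# Constructed sample: a DMZ member server (10.1.1.5) talking to a DC (10.0.0.10).
LOG_LINES = [
    "10.1.1.5 10.0.0.10 udp 53",
    "10.1.1.5 10.0.0.10 tcp 88",
    "10.1.1.5 10.0.0.10 udp 389",
    "10.1.1.5 10.0.0.10 tcp 389",
    "10.1.1.5 10.0.0.10 tcp 445",
    "10.1.1.5 10.0.0.10 tcp 135",
    "10.1.1.5 10.0.0.10 tcp 1026",   # follow-on RPC connection after 135
    "10.1.1.5 10.0.0.10 tcp 50000",  # arbitrary port an admin pinned in the registry
    "10.1.1.5 10.0.0.10 tcp 80",     # unrelated traffic, should stay dropped
]

if __name__ == "__main__":
    for pinned in (None, 50000):
        r = audit(LOG_LINES, pinned)
        print("pinned port:", pinned, "-> high ports still needing rules:",
              r["uncovered_ports"])
```

Run as-is it reports that with no registry change both 1026 and 50000 are uncovered high ports, and that pinning 50000 still leaves 1026, which is the kind of leftover connection that forces either more registry work or a broad high-port rule; replace `LOG_LINES` and `parse_line` with your firewall's real drop log and field order to audit an actual policy.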