SecurityFocus

win2k3 active directory - firewall ports Jul 20 2007 06:24AM
dubaisans dubai (dubaisans gmail com) (5 replies)

Re: win2k3 active directory - firewall ports Jul 24 2007 07:31PM
James (njan) Eaton-Lee (james mailing gmail com) (1 replies)

dubaisans dubai wrote:
> i want to put win2k3 active directory server behind the corporate
> firewall. we are using windows xp clients and also group policy

See the following for information on AD in segmented networks, and what
the firewall implications are for Login, Authentication, Fileshare,
Replication traffic, etc:

http://www.microsoft.com/downloads/details.aspx?FamilyID=c2ef3846-43f0-4
caf-9767-a9166368434e&DisplayLang=en

This is well worth reading from start to finish and as well as simple
port listings, it provides substantial guidance on segregating AD in
various ways and how you should & shouldn't go about doing it, with
discussion of IPSec.

> what ports need to be allowed on firewall ? is there any fine tuning
> that can be done on AD to make it more firewall friendly?

Yes. See the following: http://support.microsoft.com/kb/224196

> i have some DC is remote locations . what ports need to be allowed
between DCs?

In order to allow replication to happen over a firewall, see the following:

http://www.microsoft.com/technet/prodtechnol/windows2000serv/technologie
s/activedirectory/deploy/confeat/adrepfir.mspx

See also the "Active Directory in Networks Segmented by Firewalls" guide
both for this and for more information on IPSec.

It is not to be recommended, however, to do this over the internet. You
almost certainly want to consider IPSec and/or a site-to-site VPN or
private circuit.

Hope that helps,

- James.

--
James (njan) Eaton-Lee | UIN: 10807960 | http://www.jeremiad.org

"All at sea again / And now my hurricanes
Have brought down this ocean rain / To bathe me again"

https://www.bsrf.org.uk | ca: https://www.cacert.org/index.php?id=3
--
0? *?H?÷
?0?10 +0? *?H?÷
? ü0?ú0?â `0
*?H?÷
0y10U
Root CA10Uhttp://www.cacert.org1"0 UCA Cert Signing Authority1!0 *?H?÷
support (at) cacert (dot) org0 [email concealed]
061218190127Z
071218190127Z0B10UCAcert WoT User1&0$ *?H?÷
james.mailing (at) gmail (dot) com0 [email concealed]?"0
*?H?÷
?0?
?ër&âQ?p?ËOÏD±x??D÷u?)¢×?O?K·¨íÌ³u#ú/¹CFu'Ü³iÖHhþZ}?¾p¯?1.)ó?W
È¶º`æ¦à®?»zÓçµ?XQ?ÚZ±5!¥5°Í* êX¿?i?«>ïð¼¬å½mt?E?@
Txúj&U=bh&¼??ø¶·lÙÓj¦È@ÄÞ?j?¬??â3EiÂíKÁ??;À»ÅËD?
¶ô@Ï¥?/;>r¹»ü??ñýÇñ?X?º/e¿S®}?'?6öâÅ???^¡êG?ål`P{?r»{@Û6¼B¹ j!Õ?X«£Á0¾0Uÿ00V `?H?øB
IGTo get your own certificate for FREE head over to http://www.CAcert.org02+&0$0"+0?http://ocsp.cacert.or
g0"U0james.mailing (at) gmail (dot) com0 [email concealed]
*?H?÷
?s@UgOrþ´²?ãMÈ{P±"MôØÀÅ¢zp«?ø1+ HX[M?ÆbÞñ@H½]pÆté?X¼à/öïN
+Aå{??FÅ8lf§/2ïÙ²Ü)µü2ýt?®Ô¸~?ên<?°2?Åã? CÝ8¥?Gå?oþ°´x³¹ß4Lsî¸LÌ?&lZ¡Ú?Â^Ó,?Àþ/NrÌZô°Ê¤Ö?~"i0*yYí¡
[ÈF4¥#ÎP¨t?® Ã{è¤{?
ªg?#-9Ö<®iFãª"À?"Û¸FJFûÏýQÅÔßhv~Ü.?®N?oK7Yãk?w¤H?ñ1w\je!Õ2
å?³óåÒÿ?òµ¡?eþrL*©ÑÍ¾~"Ë×N#âéÊ6Û?]Vkx¬D³Èñ°??¬J?tbµ?ÔÊªíäÖs:
t??xSbö5¯fû¿$IGÅóâÔ7·âm?ÞYô<í <üxõ¯jBÑ4"êt?«»ÕÎä¸?[Ë³a5-Ì¨^ËWÙÓ1ìvc$¹ñ?ÀNÝS[ÜÁý¢)ó?Ï%{¿ üg=ë?å»uS¬BQ~Õ®3?GÛX?gbé~àBÚ?eàÑn%ót?vÊF?gGÌº?þ?^,*èx3k?÷táZrf'¥??Å0
?ú0?â `0
*?H?÷
0y10U
Root CA10Uhttp://www.cacert.org1"0 UCA Cert Signing Authority1!0 *?H?÷
support (at) cacert (dot) org0 [email concealed]
061218190127Z
071218190127Z0B10UCAcert WoT User1&0$ *?H?÷
james.mailing (at) gmail (dot) com0 [email concealed]?"0
*?H?÷
?0?
?ër&âQ?p?ËOÏD±x??D÷u?)¢×?O?K·¨íÌ³u#ú/¹CFu'Ü³iÖHhþZ}?¾p¯?1.)ó?W
È¶º`æ¦à®?»zÓçµ?XQ?ÚZ±5!¥5°Í* êX¿?i?«>ïð¼¬å½mt?E?@
Txúj&U=bh&¼??ø¶·lÙÓj¦È@ÄÞ?j?¬??â3EiÂíKÁ??;À»ÅËD?
¶ô@Ï¥?/;>r¹»ü??ñýÇñ?X?º/e¿S®}?'?6öâÅ???^¡êG?ål`P{?r»{@Û6¼B¹ j!Õ?X«£Á0¾0Uÿ00V `?H?øB
IGTo get your own certificate for FREE head over to http://www.CAcert.org02+&0$0"+0?http://ocsp.cacert.or
g0"U0james.mailing (at) gmail (dot) com0 [email concealed]
*?H?÷
?s@UgOrþ´²?ãMÈ{P±"MôØÀÅ¢zp«?ø1+ HX[M?ÆbÞñ@H½]pÆté?X¼à/öïN
+Aå{??FÅ8lf§/2ïÙ²Ü)µü2ýt?®Ô¸~?ên<?°2?Åã? CÝ8¥?Gå?oþ°´x³¹ß4Lsî¸LÌ?&lZ¡Ú?Â^Ó,?Àþ/NrÌZô°Ê¤Ö?~"i0*yYí¡
[ÈF4¥#ÎP¨t?® Ã{è¤{?
ªg?#-9Ö<®iFãª"À?"Û¸FJFûÏýQÅÔßhv~Ü.?®N?oK7Yãk?w¤H?ñ1w\je!Õ2
å?³óåÒÿ?òµ¡?eþrL*©ÑÍ¾~"Ë×N#âéÊ6Û?]Vkx¬D³Èñ°??¬J?tbµ?ÔÊªíäÖs:
t??xSbö5¯fû¿$IGÅóâÔ7·âm?ÞYô<í <üxõ¯jBÑ4"êt?«»ÕÎä¸?[Ë³a5-Ì¨^ËWÙÓ1ìvc$¹ñ?ÀNÝS[ÜÁý¢)ó?Ï%{¿ üg=ë?å»uS¬BQ~Õ®3?GÛX?gbé~àBÚ?eàÑn%ót?vÊF?gGÌº?þ?^,*èx3k?÷táZrf'¥??Å1
??0??0?0y10U
Root CA10Uhttp://www.cacert.org1"0 UCA Cert Signing Authority1!0 *?H?÷
support (at) cacert (dot) org [email concealed]`0 + ?Û0 *?H?÷
1 *?H?÷
0 *?H?÷
1
070724193113Z0# *?H?÷
1?³n¨ös+<(?@¶mÕ¶Ð_¸0R *?H?÷
1E0C0
*?H?÷
0*?H?÷
?0
*?H?÷
@0+0
*?H?÷
(0? +?71?0?0y10U
Root CA10Uhttp://www.cacert.org1"0 UCA Cert Signing Authority1!0 *?H?÷
support (at) cacert (dot) org [email concealed]`0?*?H?÷
1? ?0y10U
Root CA10Uhttp://www.cacert.org1"0 UCA Cert Signing Authority1!0 *?H?÷
support (at) cacert (dot) org [email concealed]`0
*?H?÷
??âª?Òv?¤Ò~c¼4?£ÔýÈ»¡6á[Ñý?^Á¥[íÁ!Ý÷Ü???KG^??åòÖ?.´mé
¼?xàQç??õ`ÏðàV??@)È?gh?ã{¯(ôXÂ.
@°3B@[?ÍÀQ-î¡;ÂZuôkM1cýµ^oZô¾ï³Y×?EÔ?ê?*{º´iÝF`è7~?¯ø(¼?]Çy
Êó?A°lµ?Áù\²?>j¡;0¿,Ä

ÇV9dXù^vÙån?Ê .¢2DsK£ür:o?HÇÓÔ`NË²scv«m)i?¬(?&]M

[ reply ]

RE: win2k3 active directory - firewall ports Jul 26 2007 12:05AM
Wayne Anderson (wfrazee wynweb net)

Re: win2k3 active directory - firewall ports Jul 21 2007 06:07PM
Nikhil Wagholikar (visitnikhil gmail com)

Re: win2k3 active directory - firewall ports Jul 21 2007 01:03PM
Ansgar -59cobalt- Wiechers (bugtraq planetcobalt net)

Re: win2k3 active directory - firewall ports Jul 21 2007 09:32AM
Banyan He (banyan rootong com)

RE: win2k3 active directory - firewall ports Jul 20 2007 07:02PM
Uber Wannabe (nucleargeekdown gmail com)