David,

If you really, really want to use the absolute minimum ports through a firewall, use IPSec tunnel mode. However, your Network Engineers (or whoever manages your Firewalls) may not like it. Reason? Likely the same reason that I got when I suggested this at a previous employer:

“Well, if you put it in IPSec tunnels, then we won’t be able to see or sniff it.”

My question: “Why do you need to sniff or see it?”

No answer…

Rick

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of David Adner
Sent: Wednesday, August 24, 2005 10:31 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Ports during authentication/logons...

It's been a few weeks, so time for another question on ports. MS's whitepaper that discusses how to set up AD to communicate through a firewall (the one that focuses primarily on DC to DC communication) lists the following ports needed to service "User Login and Authentication" and "Computer Login and Authentication":

445 TCP/UDP

88 TCP/UDP

389 UDP

53 TCP/UDP

(I would add ICMP for GPO processing.)

Most people who normally respond to "what ports are needed..." include 135.

I just ran a Netmon trace during a logon from an XP machine and do see some traffic hitting 135. I also see traffic hitting 137 and 139.

I'm not good at reading traces so I don't really know what's happening besides the basic traffic flow. Does anyone know what 135 (and 139 I suppose) are being used for? And if they're blocked does it totally break everything or just limit certain functions? I am not worried about DC to DC communication. The scenario is member systems separated from DC's with a firewall and the network folks want to allow the absolute minimum ports.

Thx
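A defender-side check for the question above, added here as an example and not part of the thread: it takes the port list quoted from the whitepaper (plus ICMP) as the allow-list and runs constructed sample flows, standing in for a Netmon trace whose real format is not on the page, through it, reporting which logon flows such a policy would drop and which well-known service each dropped port carries. The port-to-service names are the standard Windows assignments; the IP addresses and the flow lines are made up.

```python
"""Audit captured logon flows against a minimal member-to-DC firewall policy.

Added example, not from the original thread. ALLOWED is the port list quoted
in the question (plus ICMP); SAMPLE_TRACE is constructed text standing in for
a Netmon trace, one flow per line: proto src dst dport ('-' for ICMP).
"""

ALLOWED = {("tcp", 445), ("udp", 445), ("tcp", 88), ("udp", 88),
           ("udp", 389), ("tcp", 53), ("udp", 53), ("icmp", None)}

# Well-known service behind each port, so a dropped flow is reported by function.
SERVICES = {53: "DNS", 88: "Kerberos", 135: "RPC endpoint mapper",
            137: "NetBIOS name service", 139: "NetBIOS session service",
            389: "LDAP", 445: "SMB (direct host)"}

# Constructed sample: a member (10.0.0.50) logging on against a DC (10.0.0.10).
# Note the list as quoted allows 389 on UDP only, so the TCP 389 flow is dropped.
SAMPLE_TRACE = """\
udp 10.0.0.50 10.0.0.10 53
udp 10.0.0.50 10.0.0.10 88
udp 10.0.0.50 10.0.0.10 389
tcp 10.0.0.50 10.0.0.10 389
tcp 10.0.0.50 10.0.0.10 445
tcp 10.0.0.50 10.0.0.10 135
udp 10.0.0.50 10.0.0.10 137
tcp 10.0.0.50 10.0.0.10 139
icmp 10.0.0.50 10.0.0.10 -
"""


def parse_flow(line):
    """Return (proto, dport) for one trace line; dport is None for ICMP."""
    proto, _src, _dst, dport = line.split()
    return proto.lower(), None if dport == "-" else int(dport)


def audit(trace):
    """Return (allowed, blocked) lists of 'proto/port service' labels."""
    allowed, blocked = [], []
    for line in trace.splitlines():
        if not line.strip():
            continue
        proto, dport = parse_flow(line)
        name = "ICMP" if dport is None else SERVICES.get(dport, "unknown")
        label = f"{proto}/{'-' if dport is None else dport} {name}"
        (allowed if (proto, dport) in ALLOWED else blocked).append(label)
    return allowed, blocked


if __name__ == "__main__":
    ok, dropped = audit(SAMPLE_TRACE)
    print("allowed:", *ok, sep="\n  ")
    print("blocked:", *dropped, sep="\n  ")
```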
