Yeah, I got that answer too. I asked that question you asked too. I got the “well uh….” response.

From: [EMAIL PROTECTED] On Behalf Of Rick Kingslan

David,

If you really, really want to use the absolute minimum ports through a firewall, use IPSec tunnel mode. However, your Network Engineers (or whoever manages your Firewalls) may not like it. Reason? Likely the same reason that I got when I suggested this at a previous employer: “Well, if you put it in IPSec tunnels, then we won’t be able to see or sniff it.” My question: “Why do you need to sniff or see it?” No answer….

Rick

From: [EMAIL PROTECTED] On Behalf Of David Adner

It's been a few weeks, so time for another question on ports. MS's whitepaper that discusses how to set up AD to communicate through a firewall (the one that focuses primarily on DC to DC communication) lists the following ports needed to service "User Login and Authentication" and "Computer Login and Authentication":

    445 TCP/UDP
    88 TCP/UDP
    389 UDP
    53 TCP/UDP

(I would add ICMP for GPO processing.)

Most people who normally respond to "what ports are needed..." include 135. I just ran a Netmon trace during a logon from an XP machine and do see some traffic hitting 135. I also see traffic hitting 137 and 139. I'm not good at reading traces so I don't really know what's happening besides the basic traffic flow. Does anyone know what 135 (and 139 I suppose) are being used for? And if they're blocked, does it totally break everything or just limit certain functions?

I am not worried about DC to DC communication. The scenario is member systems separated from DCs with a firewall and the network folks want to allow the absolute minimum ports.

Thx
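As an added example that is not from anyone in the thread: a Python script that takes the port list David quotes (plus ICMP) as the allowlist and reports which flows in a logon trace a firewall permitting only that list would drop, so the extra 135/137/139 traffic he saw can be reviewed before the rule is tightened. The trace format and addresses are constructed, not Netmon output.

```python
# Ports the quoted whitepaper lists for user/computer logon and authentication,
# plus ICMP (David's addition for GPO processing). Port 0 means "no port".
LOGON_ALLOWLIST = {
    ("tcp", 445), ("udp", 445),   # SMB
    ("tcp", 88), ("udp", 88),     # Kerberos
    ("udp", 389),                 # LDAP (UDP only, as quoted)
    ("tcp", 53), ("udp", 53),     # DNS
    ("icmp", 0),
}

# Well-known service names, used only to label the report.
SERVICE_NAMES = {
    53: "DNS", 88: "Kerberos", 135: "RPC endpoint mapper",
    137: "NetBIOS name service", 139: "NetBIOS session service",
    389: "LDAP", 445: "SMB",
}

# Constructed trace (not real capture data) in a hypothetical
# "<proto> <src>[:<sport>] -> <dst>[:<dport>]" format; 10.0.0.10 is the DC.
SAMPLE_TRACE = """
udp 10.0.1.20:1027 -> 10.0.0.10:53
udp 10.0.1.20:1028 -> 10.0.0.10:389
tcp 10.0.1.20:1029 -> 10.0.0.10:88
tcp 10.0.1.20:1030 -> 10.0.0.10:445
tcp 10.0.1.20:1031 -> 10.0.0.10:135
udp 10.0.1.20:137 -> 10.0.0.10:137
tcp 10.0.1.20:1032 -> 10.0.0.10:139
icmp 10.0.1.20 -> 10.0.0.10
""".strip().splitlines()

def parse_flow(line):
    """Return (proto, dport) for one trace line, or None if it does not parse."""
    parts = line.split()
    if len(parts) != 4 or parts[2] != "->":
        return None
    host, sep, port = parts[3].rpartition(":")
    if not sep:                       # no destination port at all (ICMP)
        return parts[0].lower(), 0
    return (parts[0].lower(), int(port)) if port.isdigit() else None

def classify_flows(lines, allowlist=LOGON_ALLOWLIST):
    """Map each distinct (proto, dport) seen to (service name, allowed by list?)."""
    report = {}
    for flow in filter(None, map(parse_flow, lines)):
        proto, dport = flow
        service = "ICMP" if proto == "icmp" else SERVICE_NAMES.get(dport, "unknown")
        report[flow] = (service, flow in allowlist)
    return report

def blocked_flows(lines, allowlist=LOGON_ALLOWLIST):
    """Sorted (proto, dport, service) flows that the minimal allowlist would drop."""
    return sorted((p, d, s) for (p, d), (s, ok) in classify_flows(lines, allowlist).items() if not ok)
```

Passing a widened allowlist (for example with `("tcp", 135)` added) shows which flows would still be dropped, which is the comparison the network team needs before choosing the rule set.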