I would normally look at the IPSec route, too, but it's not (as far as I know) supported by MS between domain members and DCs.  It's supported member<->member and DC<->DC, but not member<->DC.  At least, not if Kerberos is used.  Not sure how they feel about certs.  Shared keys just wouldn't be an option.

Specifically, though, they have their backs up with 135.  Do you know what's using it during a logon/GPO process?

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rick Kingslan
Sent: Wednesday, August 24, 2005 10:51 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Ports during authentication/logons...

David,

If you really, really want to use the absolute minimum ports through a firewall, use IPSec tunnel mode.  However, your Network Engineers (or whoever manages your Firewalls) may not like it.  Reason?  Likely the same reason that I got when I suggested this at a previous employer:

“Well, if you put it in IPSec tunnels, then we won’t be able to see or sniff it.”

My question:  “Why do you need to sniff or see it?”

No answer….

Rick

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of David Adner
Sent: Wednesday, August 24, 2005 10:31 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Ports during authentication/logons...

It's been a few weeks, so time for another question on ports. MS's whitepaper that discusses how to set up AD to communicate through a firewall (the one that focuses primarily on DC to DC communication) lists the following ports needed to service "User Login and Authentication" and "Computer Login and Authentication":

445 TCP/UDP

88 TCP/UDP

389 UDP

53 TCP/UDP

(I would add ICMP for GPO processing.)

Most people who normally respond to "what ports are needed..." include 135.

I just ran a Netmon trace during a logon from an XP machine and do see some traffic hitting 135. I also see traffic hitting 137 and 139.

I'm not good at reading traces so I don't really know what's happening besides the basic traffic flow. Does anyone know what 135 (and 139 I suppose) are being used for? And if they're blocked does it totally break everything or just limit certain functions? I am not worried about DC to DC communication. The scenario is member systems separated from DC's with a firewall and the network folks want to allow the absolute minimum ports.

Thx
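To make the trace-reading question concrete, here is an added example (not from the thread, and not Microsoft's code) that tallies the flows in a capture summary against the port list quoted above (445, 88, 389 UDP, 53, plus ICMP for GPO processing) and reports every flow that falls outside it. The capture lines are constructed to mirror what the message describes seeing (135, 137 and 139 alongside the listed ports); the one-line-per-flow column format and the function names are assumptions, not a Netmon export format.

```python
"""Check a logon-time capture summary against the port allowlist quoted in the thread.

Added example, not part of the original mailing-list post.  The sample capture below
is constructed; each line is "src dst proto port" with "-" as the port for ICMP.
"""
from collections import Counter

# Allowlist exactly as quoted in the message: 445 TCP/UDP, 88 TCP/UDP, 389 UDP,
# 53 TCP/UDP, plus ICMP for GPO processing.  Entries are (protocol, port).
ALLOWED = {
    ("tcp", 445), ("udp", 445),
    ("tcp", 88), ("udp", 88),
    ("udp", 389),
    ("tcp", 53), ("udp", 53),
    ("icmp", None),
}

# Constructed capture summary: one member workstation talking to one DC during logon.
SAMPLE_TRACE = """\
10.0.1.25 10.0.0.10 udp 53
10.0.1.25 10.0.0.10 udp 389
10.0.1.25 10.0.0.10 tcp 88
10.0.1.25 10.0.0.10 tcp 445
10.0.1.25 10.0.0.10 tcp 135
10.0.1.25 10.0.0.10 udp 137
10.0.1.25 10.0.0.10 tcp 139
10.0.1.25 10.0.0.10 icmp -
10.0.1.25 10.0.0.10 tcp 389
"""


def parse_line(line):
    """Split one 'src dst proto port' line into a (src, dst, proto, port) tuple."""
    src, dst, proto, port = line.split()
    return src, dst, proto.lower(), (None if port == "-" else int(port))


def classify(trace_text):
    """Return two Counters keyed by (proto, port): flows on listed ports, and the rest."""
    allowed, unexpected = Counter(), Counter()
    for line in trace_text.splitlines():
        if not line.strip():
            continue
        _src, _dst, proto, port = parse_line(line)
        key = (proto, port)
        if key in ALLOWED:
            allowed[key] += 1
        else:
            unexpected[key] += 1
    return allowed, unexpected


def unexpected_ports(trace_text):
    """Sorted 'proto/port' labels for every flow the quoted list does not cover."""
    _allowed, unexpected = classify(trace_text)
    return sorted(f"{proto}/{port}" for proto, port in unexpected)


def report(trace_text):
    """Print a short summary: what the whitepaper list covers, and what it does not."""
    allowed, unexpected = classify(trace_text)
    print(f"flows on listed ports:   {sum(allowed.values())}")
    for (proto, port), n in sorted(unexpected.items(), key=lambda kv: str(kv[0])):
        print(f"not in the quoted list:  {proto}/{port}  ({n} flow(s))")


if __name__ == "__main__":
    report(SAMPLE_TRACE)
```

Run against the constructed sample, the report shows five flows on listed ports and flags tcp/135, udp/137, tcp/139 and tcp/389. The last one is worth noticing: the quoted list names 389 over UDP only, so an LDAP connection over TCP is flagged by a check that follows the list literally; whether that is a gap in the list or in the check is exactly the kind of question a trace plus an allowlist lets you ask before the firewall rules are written.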