<Disclaimer> what you're doing is a horribly bad idea from a security perspective </Disclaimer>

You might have better luck setting up an IPSec tunnel from the DMZ host to the internal domain controllers, DNS servers (if different) and the SQL machine. You'd be even better off if you made it self-contained. That is, installed SharePoint, SQL, AD on the same machine as a separate forest.

This came from a MOM agent in a DMZ scenario KB article and is essentially the same for most of it.
http://support.microsoft.com/default.aspx?scid=kb;en-us;904866

Basically, you'll need the same ports because you want this to be a member of the domain. From there, you'll have to trace the calls from startup to completion to ensure you have all of the allow rules you need for your specific implementation.

UDP port 53 to support Domain Name System (DNS) queries and dynamic registrations
UDP port 88 to support Kerberos
UDP port 123 to support Network Time Protocol (NTP)
TCP port 135 to support remote procedure calls (RPC)
UDP port 389 and TCP port 389 to support Lightweight Directory Access Protocol (LDAP)
TCP port 445 to support server message block (SMB)
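As an added example (not from the KB article or from anyone on the list), here is a small Python audit that reads a firewall log in the W3C-style format used by Windows Firewall logging and reports which of the ports listed above are being dropped from the DMZ host, and which allowed ports fall outside that list. The log lines, the DMZ host address 192.0.2.10 and the DC/SQL addresses are constructed for the example.

```python
"""Audit a firewall log against the AD member-server port list quoted above."""
from collections import defaultdict

# Ports a domain member needs to reach its DCs, as listed in the reply above,
# plus TCP 1433 for SQL Server as stated by the original poster.
REQUIRED = {
    ("UDP", 53): "DNS", ("UDP", 88): "Kerberos", ("UDP", 123): "NTP",
    ("TCP", 135): "RPC", ("UDP", 389): "LDAP", ("TCP", 389): "LDAP",
    ("TCP", 445): "SMB", ("TCP", 1433): "SQL Server",
}

def parse_line(line):
    """Parse one W3C-style log line: date time action proto src dst sport dport ..."""
    parts = line.split()
    if len(parts) < 8 or parts[0].startswith("#"):
        return None  # header/comment line or truncated record
    _date, _time, action, proto, src, dst, _sport, dport = parts[:8]
    return {"action": action.upper(), "proto": proto.upper(),
            "src": src, "dst": dst, "dport": int(dport)}

def audit(log_text, dmz_host):
    """Return (blocked_required, unexpected_allowed) for traffic from dmz_host."""
    blocked = {}
    unexpected = defaultdict(int)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["src"] != dmz_host:
            continue
        key = (rec["proto"], rec["dport"])
        if rec["action"] == "DROP" and key in REQUIRED:
            blocked[key] = REQUIRED[key]        # a needed allow rule is missing
        elif rec["action"] == "ALLOW" and key not in REQUIRED:
            unexpected[key] += 1                # opened wider than the list
    return blocked, dict(unexpected)

# Constructed sample log (hypothetical addresses, not from the thread).
SAMPLE_LOG = """#Fields: date time action protocol src-ip dst-ip src-port dst-port
2005-09-07 12:00:01 ALLOW TCP 192.0.2.10 10.0.0.5 49152 389
2005-09-07 12:00:02 DROP UDP 192.0.2.10 10.0.0.5 49153 88
2005-09-07 12:00:03 DROP TCP 192.0.2.10 10.0.0.5 49154 445
2005-09-07 12:00:04 ALLOW TCP 192.0.2.10 10.0.0.7 49155 1433
2005-09-07 12:00:05 ALLOW TCP 192.0.2.10 10.0.0.5 49156 3389
2005-09-07 12:00:06 DROP TCP 198.51.100.9 10.0.0.5 40000 445
"""

if __name__ == "__main__":
    blocked, extra = audit(SAMPLE_LOG, "192.0.2.10")
    for (proto, port), svc in sorted(blocked.items()):
        print(f"blocked but required: {proto}/{port} ({svc})")
    for (proto, port), n in sorted(extra.items()):
        print(f"allowed but not on the list: {proto}/{port} x{n}")
```

Running it on the sample reports Kerberos (UDP/88) and SMB (TCP/445) as blocked, and TCP/3389 as an allow that the list does not call for.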
________________________________
From: [EMAIL PROTECTED] on behalf of Jason B
Sent: Wed 9/7/2005 12:05 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Which ports to open in the DMZ to communicate with AD & SQL...

Because this will be a SharePoint server for clients. Regardless, that decision has already been made and I don't have any input into it. Any info on the ports I'd need open?

----- Original Message -----
From: "ASB" <[EMAIL PROTECTED]>
To: <ActiveDir@mail.activedir.org>
Sent: Wednesday, September 07, 2005 8:45 AM
Subject: Re: [ActiveDir] Which ports to open in the DMZ to communicate with AD & SQL...

Why did you decide to put it in the DMZ?

-ASB

On 9/7/05, Jason B <[EMAIL PROTECTED]> wrote:
> We are putting a MS SharePoint server in the DMZ and need to have it on the
> domain and communicating with a SQL server on the domain. Because of these
> needs, we only want to open the minimum number of ports to get
> functionality. We have LDAP (389) opened and SQL (1433) opened. What other
> ports will we need to open to be able to log in on the SharePoint server
> with a domain account? Currently, with only these two ports opened, a
> domain account can't log on to the SharePoint server in the DMZ.

List info : http://www.activedir.org/List.aspx
List FAQ : http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/