Thanks Dareen and Za.

What if the DCs are already configured to use a specific port range for RPC/DCOM (http://support.microsoft.com/kb/224196/)? I think it can be used by clients as well, right?

In other words, if I follow KB224196, do I need to open more ports based on the doc you provided (msdn_dcomfirewall.asp)?


Andy


On 7/27/06, Za Vue <[EMAIL PROTECTED]> wrote:
The article below works well. I push the registry to my machines via GPO. My ports used are 5001-5051.

-Z.V.


Darren Mar-Elia wrote:
Check out this article for restricting the range of dynamic ports used by RPC/DCOM.

Darren

Darren Mar-Elia
For comprehensive Windows Group Policy Information, check out www.gpoguy.com -- the best source for GPO FAQs, video training, tools and whitepapers. Also check out the Windows Group Policy Guide, the definitive resource for Group Policy information.


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Andy Wang
Sent: Thursday, July 27, 2006 12:02 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Firewall block Group Policy

Hi,

When users are on the VPN network, they cannot apply Group Policy because there is a firewall between the VPN network and the internal network. Now I need to find out how many ports are required to allow clients to successfully apply Group Policy.

Based on KB832017, "To successfully apply Group Policy, a client must be able to contact a domain controller over the DCOM, ICMP, LDAP, SMB, and RPC protocols."

Here is the port information:

Application protocol   Protocol    Ports
DCOM                   TCP + UDP   random port number between 1024 - 65534
ICMP (ping)            ICMP        20
LDAP                   TCP         389
SMB                    TCP         445
RPC                    TCP         135, random port number between 1024 - 65534

It is not feasible to open up so many high ports (1024 - 65534). So do you have any recommendations for this issue?

Thanks in advance!

Andy
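An added example, not code from the thread or from KB224196 itself: it writes the KB224196 registry values that pin the RPC/DCOM dynamic range, reads them back so a GPO push can be verified on each DC, and lists the inbound rules the VPN firewall then needs based on the table in the original mail. It assumes an elevated PowerShell session on the DC, uses Za Vue's 5001-5051 range, and the DC must be rebooted before the RPC runtime honours the new range.

```powershell
# Added example (not from the thread or KB224196). Assumes elevated PowerShell
# on a DC; the range 5001-5051 is Za Vue's choice. Reboot after setting it.
$RpcKey = 'HKLM:\SOFTWARE\Microsoft\Rpc\Internet'

function Set-RpcInternetPorts {
    param([string]$Range = '5001-5051')
    if (-not (Test-Path $RpcKey)) { New-Item -Path $RpcKey -Force | Out-Null }
    # Ports is REG_MULTI_SZ (one entry per range); the two flags are REG_SZ "Y".
    New-ItemProperty -Path $RpcKey -Name 'Ports' -PropertyType MultiString `
        -Value @($Range) -Force | Out-Null
    New-ItemProperty -Path $RpcKey -Name 'PortsInternetAvailable' `
        -PropertyType String -Value 'Y' -Force | Out-Null
    New-ItemProperty -Path $RpcKey -Name 'UseInternetPorts' `
        -PropertyType String -Value 'Y' -Force | Out-Null
}

function Test-RpcInternetPorts {
    # Read the values back so a GPO/registry push can be verified per DC.
    $v  = Get-ItemProperty -Path $RpcKey -ErrorAction Stop
    $ok = ($v.PortsInternetAvailable -eq 'Y') -and ($v.UseInternetPorts -eq 'Y') `
          -and (@($v.Ports).Count -ge 1)
    foreach ($r in @($v.Ports)) {
        $parts = ($r -split '-') | ForEach-Object { [int]$_ }
        $lo = $parts[0]; $hi = $parts[-1]   # a single port has no '-'
        # KB224196 asks for a range above 5000 and at least 100 ports wide;
        # a narrow range can leave RPC on a busy DC with no free endpoint.
        if ($lo -lt 5000) { Write-Warning "Range $r starts below 5000"; $ok = $false }
        if (($hi - $lo + 1) -lt 100) { Write-Warning "Range $r has fewer than 100 ports" }
    }
    return $ok
}

function Get-GpoFirewallRules {
    # What the firewall in front of the DC must allow once the range is pinned,
    # taken from the KB832017 table in the original mail plus the pinned range.
    $ports = (Get-ItemProperty -Path $RpcKey).Ports -join ','
    @(
        'TCP 135 (RPC endpoint mapper)'
        'TCP 389 (LDAP)'
        'TCP 445 (SMB)'
        'ICMP echo request/reply'
        "TCP+UDP $ports (RPC/DCOM dynamic range instead of 1024-65534)"
    )
}

Set-RpcInternetPorts -Range '5001-5051'
Test-RpcInternetPorts
Get-GpoFirewallRules
```

The warning about fewer than 100 ports fires for 5001-5051; widen the range if DC RPC services start failing to register endpoints after the reboot.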
