Hi,

After fixing some ports, here is what I have put in CP FW1 R55 (HFA12, when the Windows server was put inside the DMZ) to allow a Windows 2003 Server to talk to the Active Directory Controllers:

dns
http
Kerberos_v5_TCP
Kerberos_v5_UDP
ntp (because the Active Directory Controllers are also my Time servers)
ldap
ldap-udp (this one, I was able to find only with SmartView Tracker in FW1)
microsoft-ds (= TCP 445)
NBT (-> standard group object)
MSADGlobalCatalog (= TCP 3268)
MSADGlobalCatalogOverSSL (= TCP 3269) [only if you use SSL for this]

See also SK30784 if your "MS machine" is a Windows 2003 Server with SP1, once you have only FW1 R55 with HFA07 (if I remember well, this problem has been corrected in HFA16).

Hope it helps you,

Regards.

--
Fabrice BARUTEL
[EMAIL PROTECTED]

------------------------------

Date: Thu, 16 Feb 2006 13:51:27 +0100
From: "Garcia, Ivan" <[EMAIL PROTECTED]>
Subject: Re: AD logon ports

Hi David,

By default the port you're looking for is dynamic. To use a firewall you have to restrict the ports for AD replication. Check this doc:

http://support.microsoft.com/kb/224196/en-us

Regards,
Iván García

-----Original Message-----
From: Mailing list for discussion of Firewall-1 [mailto:[EMAIL PROTECTED] On Behalf Of David CALLEBAUT [AEMS Be]
Sent: Thursday, 16 February 2006 11:50
To: [email protected]
Subject: [FW-1] AD logon ports

Hi all,

Does someone know what RPC or DCE-RPC (or yet another) service I need to allow for an MS machine in a DMZ to log on to the Active Directory through a FW-1 R55 HFA07 on IPSO 3.8? I've already opened LDAP, Kerberos, DNS. But I know that there is also an RPC connection. However I am unable to find out which one I should use and I don't find any info about it either on Check Point's SK or other resources. Perhaps I'm overlooking something here? Does anybody have any info? Any help would be greatly appreciated!

David Callebaut
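The practical way to converge on a rule set like the one in Fabrice's reply is the one he hints at for ldap-udp: watch the firewall's drop log for traffic from the DMZ member server to the domain controllers and map each dropped port back to the service object it needs. The script below is an added example, not code from any of the posters or from Check Point; it classifies dropped connections against the service list from Fabrice's message (port numbers are the standard ones those Check Point objects resolve to, with NBT expanded to UDP 137/138 and TCP 139), separates out TCP 135 (the RPC endpoint mapper, a well-known port not in Fabrice's list) and the Windows 2003 default dynamic RPC range 1025-5000 that Iván's KB 224196 pointer is about, and offers a TCP connect probe for the rest. The log format, host addresses and sample lines are constructed for the example and are not SmartView Tracker's real export format.

```python
"""Audit firewall drop logs for the Active Directory services a DMZ member
server needs (added example; the log format below is constructed, not
SmartView Tracker's real export format)."""
import socket
from collections import namedtuple

Service = namedtuple("Service", "name proto port")

# Check Point service objects from Fabrice's rule base, mapped to the standard
# port each resolves to (NBT is the group nbname/nbdatagram/nbsession).
AD_SERVICES = [
    Service("dns", "udp", 53), Service("dns", "tcp", 53),
    Service("http", "tcp", 80),
    Service("Kerberos_v5_TCP", "tcp", 88), Service("Kerberos_v5_UDP", "udp", 88),
    Service("ntp", "udp", 123),
    Service("NBT", "udp", 137), Service("NBT", "udp", 138), Service("NBT", "tcp", 139),
    Service("ldap", "tcp", 389), Service("ldap-udp", "udp", 389),
    Service("microsoft-ds", "tcp", 445),
    Service("MSADGlobalCatalog", "tcp", 3268),
    Service("MSADGlobalCatalogOverSSL", "tcp", 3269),
]
PORT_TO_SERVICE = {(s.proto, s.port): s.name for s in AD_SERVICES}

# Not in Fabrice's list: the RPC endpoint mapper and the Windows 2003 default
# dynamic RPC port range (the range KB 224196 shows how to pin down).
RPC_ENDPOINT_MAPPER = ("tcp", 135)
RPC_DYNAMIC_RANGE = range(1025, 5001)

# Constructed sample: DMZ host 10.10.1.5 talking to DC 192.168.0.10.
# Columns: date time action src dst proto dport
SAMPLE_LOG = """\
16Feb2006 11:42:01 accept 10.10.1.5 192.168.0.10 tcp 88
16Feb2006 11:42:02 drop 10.10.1.5 192.168.0.10 udp 389
16Feb2006 11:42:03 drop 10.10.1.5 192.168.0.10 tcp 135
16Feb2006 11:42:04 drop 10.10.1.5 192.168.0.10 tcp 1031
16Feb2006 11:42:05 drop 10.10.1.5 10.10.1.7 tcp 22
16Feb2006 11:42:06 drop 10.10.1.5 192.168.0.10 tcp 8080
"""


def parse_log(text):
    """Yield (action, src, dst, proto, port) tuples from the constructed format."""
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 7:
            continue  # ignore blank or malformed lines
        _, _, action, src, dst, proto, port = fields
        yield action, src, dst, proto.lower(), int(port)


def service_for(proto, port):
    """Name of the Check Point service object covering this proto/port, or None."""
    return PORT_TO_SERVICE.get((proto, port))


def audit_drops(text, dmz_host, dc_hosts):
    """Split drops from dmz_host to any DC into: known AD services whose rule is
    missing, RPC-looking ports (endpoint mapper or dynamic range), and the rest."""
    missing, rpc_suspects, other = set(), [], []
    for action, src, dst, proto, port in parse_log(text):
        if action != "drop" or src != dmz_host or dst not in dc_hosts:
            continue
        name = service_for(proto, port)
        if name:
            missing.add(name)
        elif (proto, port) == RPC_ENDPOINT_MAPPER or (
            proto == "tcp" and port in RPC_DYNAMIC_RANGE
        ):
            rpc_suspects.append((proto, port))
        else:
            other.append((proto, port))
    return {"missing_rules": sorted(missing), "rpc_suspects": rpc_suspects, "other": other}


def probe_tcp(host, services=AD_SERVICES, timeout=2.0):
    """Try a TCP connect from this host to each TCP service on the DC.
    UDP services (ldap-udp, ntp, Kerberos_v5_UDP) cannot be confirmed this way."""
    results = {}
    for s in services:
        if s.proto != "tcp":
            continue
        try:
            with socket.create_connection((host, s.port), timeout=timeout):
                results[(s.name, s.port)] = True
        except OSError:
            results[(s.name, s.port)] = False
    return results


if __name__ == "__main__":
    report = audit_drops(SAMPLE_LOG, "10.10.1.5", {"192.168.0.10"})
    for key, value in report.items():
        print(f"{key}: {value}")
```

On the sample log the audit reports ldap-udp as the missing rule (the same finding Fabrice made from SmartView Tracker), lists TCP 135 and TCP 1031 as RPC suspects, and leaves TCP 8080 for manual review; the SSH drop to 10.10.1.7 is ignored because that host is not a DC. Run `probe_tcp("<dc address>")` from the DMZ server itself, after the rules are in place, to confirm the TCP services reach the DC.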
