Hi David
As everyone has mentioned, RPC uses dynamic ports, so you'd need to open
135/tcp and at least the ephemeral ports (1024-4999), if not all high ports
above 1024; however, this is a bit ugly and turns the firewall into Swiss
cheese.
A better alternative would be to let the firewall do things a bit smarter...
Try adding 135/tcp and the following three DCE-RPC services: MSExchangeADL,
MSExchangeDirRep and MSExchangeDSRep. You will also need to create three new
DCE-RPC services of your own and add these also:
DCE_ActiveDirectory_EndPointMapper: E1AF8308-5D1F-11C9-91A4-08002B14A0FA
DCE_ActiveDirectory_NetRemote_RPC: 6BFFD098-A112-3610-9833-012892020162
DCE_ActiveDirectory_RPC_Interface: 367ABB81-9844-35F1-AD32-98F038001003
With this in place the firewall will inspect the initial port 135 comms, find
the high port that gets chosen and open that dynamically - much tidier!
Please note that for this to work reliably you need to be using the
DCERPC.DEF file from HFA 009 or later. Just extract the file and replace the
original one in the LIB directory with the newer one (assuming that you
haven't modified it). I did this in an HFA 008 environment for a long time
with no issues (from memory only one line was different and this was what
was making it fail from time to time). Your HFA 007 version (or more
likely the original shipping version, as HFAs don't replace that file
automatically) will most likely randomly drop traffic on rule 998 from time
to time - more of a problem for AD replication, but it can also affect login.
Good luck
Mate
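To make concrete what "inspect the initial port 135 comms and find the high port" means, here is an added illustration (not Check Point's code, not the DCERPC.DEF logic, and not something either poster wrote). It builds a constructed DCE-RPC endpoint-mapper tower of the kind an ept_map reply on port 135 carries, parses it floor by floor per the DCE 1.1 RPC tower encoding, and decides whether a pinhole to the dynamic port should be opened, using only the three interface UUIDs listed above as the allow list. The IP address, port numbers and the helper names (build_tower, dynamic_endpoint, pinhole_decision) are assumptions made for the example.

```python
import socket
import struct
import uuid

# The three interface UUIDs from the reply above, keyed to the service names
# the poster suggests creating. Anything else in a tower is not pinholed.
ALLOWED_INTERFACES = {
    uuid.UUID("E1AF8308-5D1F-11C9-91A4-08002B14A0FA"): "DCE_ActiveDirectory_EndPointMapper",
    uuid.UUID("6BFFD098-A112-3610-9833-012892020162"): "DCE_ActiveDirectory_NetRemote_RPC",
    uuid.UUID("367ABB81-9844-35F1-AD32-98F038001003"): "DCE_ActiveDirectory_RPC_Interface",
}

# Standard NDR 2.0 transfer syntax UUID (DCE 1.1 RPC), used in floor 2.
NDR_TRANSFER_SYNTAX = uuid.UUID("8a885d04-1ceb-11c9-9fe8-08002b104860")

# Tower floor protocol identifiers (DCE 1.1 RPC, Appendix I).
PROTO_UUID = 0x0D    # left-hand side carries a UUID plus major version
PROTO_RPC_CO = 0x0B  # connection-oriented RPC
PROTO_TCP = 0x07     # right-hand side is a big-endian TCP port
PROTO_IP = 0x09      # right-hand side is a 4-byte IPv4 address


def _floor(lhs: bytes, rhs: bytes) -> bytes:
    """One tower floor: 16-bit LE lhs length, lhs, 16-bit LE rhs length, rhs."""
    return struct.pack("<H", len(lhs)) + lhs + struct.pack("<H", len(rhs)) + rhs


def build_tower(iface: uuid.UUID, port: int, ip: str) -> bytes:
    """Constructed sample: the 5-floor TCP/IP tower an EPM reply would carry."""
    floors = [
        _floor(bytes([PROTO_UUID]) + iface.bytes_le + struct.pack("<H", 0), struct.pack("<H", 0)),
        _floor(bytes([PROTO_UUID]) + NDR_TRANSFER_SYNTAX.bytes_le + struct.pack("<H", 2), struct.pack("<H", 0)),
        _floor(bytes([PROTO_RPC_CO]), struct.pack("<H", 0)),
        _floor(bytes([PROTO_TCP]), struct.pack(">H", port)),   # port is network byte order
        _floor(bytes([PROTO_IP]), socket.inet_aton(ip)),
    ]
    return struct.pack("<H", len(floors)) + b"".join(floors)


def parse_tower(blob: bytes) -> list:
    """Split a tower octet string into (lhs, rhs) floors with bounds checks."""
    if len(blob) < 2:
        raise ValueError("truncated tower")
    (nfloors,) = struct.unpack_from("<H", blob, 0)
    off, floors = 2, []
    for _ in range(nfloors):
        if off + 2 > len(blob):
            raise ValueError("truncated floor")
        (llen,) = struct.unpack_from("<H", blob, off)
        off += 2
        lhs = blob[off:off + llen]
        off += llen
        if off + 2 > len(blob):
            raise ValueError("truncated floor")
        (rlen,) = struct.unpack_from("<H", blob, off)
        off += 2
        rhs = blob[off:off + rlen]
        off += rlen
        if len(lhs) != llen or len(rhs) != rlen:
            raise ValueError("truncated floor")
        floors.append((lhs, rhs))
    return floors


def dynamic_endpoint(blob: bytes):
    """Return (interface UUID, ip, tcp port) from a parsed tower."""
    iface = ip = port = None
    for lhs, rhs in parse_tower(blob):
        if not lhs:
            raise ValueError("empty floor")
        proto = lhs[0]
        if proto == PROTO_UUID and iface is None and len(lhs) == 19:
            iface = uuid.UUID(bytes_le=lhs[1:17])   # first UUID floor is the interface
        elif proto == PROTO_TCP and len(rhs) == 2:
            (port,) = struct.unpack(">H", rhs)
        elif proto == PROTO_IP and len(rhs) == 4:
            ip = socket.inet_ntoa(rhs)
    if iface is None or port is None:
        raise ValueError("not a TCP/IP tower")
    return iface, ip, port


def pinhole_decision(blob: bytes):
    """(service name, ip, port) to open dynamically, or None to leave closed."""
    iface, ip, port = dynamic_endpoint(blob)
    name = ALLOWED_INTERFACES.get(iface)
    if name is None:
        return None
    return name, ip, port


if __name__ == "__main__":
    # Constructed values: a DC at 10.0.0.5 (assumed) answering on high port 1052.
    sample = build_tower(uuid.UUID("367ABB81-9844-35F1-AD32-98F038001003"), 1052, "10.0.0.5")
    print(pinhole_decision(sample))
```

The point of the allow list is the difference between "open all high ports" and the smarter behaviour described above: the firewall follows the port 135 exchange, but only opens the negotiated port when the interface UUID is one it has a DCE-RPC service for. A tower for an unknown interface, or a malformed one, yields no pinhole.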
-----Original Message-----
From: David CALLEBAUT [AEMS Be]
[mailto:]
Sent: Thursday, February 16, 2006 3:50 AM
To: [email protected]
Subject: [FW-1] AD logon ports
Hi all,
Does someone know what RPC or DCE-RPC (or yet another) service I need
to allow for a MS machine in a DMZ to logon to the Active Directory
through a FW-1 R55HFA07 on IPSO3.8?
I've already opened LDAP, Kerberos, DNS. But I know that there is also
an RPC connection.
However I am unable to find out which one I should use and I don't find
any info about it either on Checkpoint's SK or other resources.
Perhaps I'm overlooking something here?
Does anybody have any info?
Any help would be greatly appreciated!
David Callebaut