Wouldn't it be simpler (and more secure) to put IPSec in place? Far
fewer holes to poke in the firewall, for a start.

I'm ignoring for a moment that it's sinful to have a machine in the
DMZ auth (or start *any* conversation beyond perhaps DNS or SMTP) with
a machine in the production network.

Kurt


On Mon, Nov 29, 2010 at 10:08, David Lum <david....@nwea.org> wrote:
> I have a 2008 R2 server in a DMZ and I need it to authenticate with our
> AD but it tells me “domain is not available.”
>
> Per this article:
>
> http://blogs.msdn.com/b/rds/archive/2009/07/31/rd-gateway-deployment-in-a-perimeter-network-firewall-rules.aspx
>
>
>
> I have the following firewall rules from the DMZ server --> inbound. RADIUS
> is not used.
>
> TCP/UDP 53 (DNS) --> DC’s
>
> TCP 88 (Kerberos) --> DC’s
> TCP 135 (RPC) --> DC’s
>
> TCP/UDP 389 (LDAP) --> DC’s, RDS servers
> TCP/UDP 443 (SSL) --> DC’s, RDS servers
>
> TCP/UDP 24158 (WMI) --> RDS servers * (I set this port to be fixed on the
> RDS servers)
>
> TCP 3389 (RDP) --> LAN
>
> TCP 5504 -->  RDS Broker
>
> Do I also need to have TCP > 1024 opened up? I can’t log into this system
> via a domain account.
>
> David Lum // SYSTEMS ENGINEER
> NORTHWEST EVALUATION ASSOCIATION
> (Desk) 971.222.1025 // (Cell) 503.267.9764
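A quick way to see which of the listed rules actually pass traffic from the DMZ host is to probe each TCP port from that box. This is an added example, not something posted in the thread; the host names and the grouping of ports per host are assumptions, and it uses System.Net.Sockets rather than Test-NetConnection so it also runs on Windows Server 2008 R2.

```powershell
# Added example (not from the original thread): probe the TCP ports from the
# firewall rule list, run from the DMZ server toward the DC / RDS hosts.
# Host names below are placeholders; substitute your own.
$Targets = @(
    @{ Host = 'dc1.corp.example';    Ports = 53, 88, 135, 389, 443 }  # DC rules
    @{ Host = 'rds1.corp.example';   Ports = 389, 443, 24158 }        # RDS server rules
    @{ Host = 'broker.corp.example'; Ports = 5504 }                   # RDS Broker rule
)
$TimeoutMs = 3000

function Test-TcpPort {
    param([string]$ComputerName, [int]$Port, [int]$Timeout = 3000)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $async = $client.BeginConnect($ComputerName, $Port, $null, $null)
        # No SYN/ACK within the timeout usually means the packet is being
        # dropped (firewall), as opposed to an active refusal from the host.
        if (-not $async.AsyncWaitHandle.WaitOne($Timeout, $false)) {
            return 'timeout (likely filtered)'
        }
        $client.EndConnect($async)
        return 'open'
    } catch {
        return "failed ($($_.Exception.Message))"
    } finally {
        $client.Close()
    }
}

foreach ($t in $Targets) {
    foreach ($p in $t.Ports) {
        $state = Test-TcpPort -ComputerName $t.Host -Port $p -Timeout $TimeoutMs
        '{0,-24} TCP/{1,-6} {2}' -f $t.Host, $p, $state
    }
}

# UDP rules (DNS, Kerberos, LDAP over UDP) cannot be checked with a TCP
# connect; verify those on the firewall itself. Note also that TCP 135 is only
# the RPC endpoint mapper: the actual RPC session is redirected to a port in
# the server's dynamic range, which is what the "TCP > 1024" question is about.
```

Run it from the DMZ server as a user with no special rights; a row showing "timeout" on a port the rule list says is open points at the firewall rather than at the domain configuration.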
