RE: Active Directory Ports PIX [7:19772]
You also need to specify what is where ... AD servers in DMZ / outside, or the client PCs in the DMZ / outside? Hopefully, AD inside ... but then again, hopefully you would use a VPN for the outside boxes to connect.

One possible, semi-allowable exception: multiple firewalls, either layered or separate ... AD is supposed to be all encrypted, no?

Separate: Running on theory here ... you would still hopefully use a PIX2PIX VPN! But ... I believe TCP ports 135-139 and 445 are used; I don't know if all are needed, though.

Layered: We have one client that has the primary firewall, which has the AD server and some Web/APP servers ... they also have another PIX behind the first PIX, which then houses some DB servers. I believe the DB servers were able to join the domain without any config changes, as they were outbound connections. One issue we had: the DB servers registered themselves in DDNS with their INTERNAL addresses, so all of the other boxes using AD-provided DNS could not reach them.

Thanks!
TJ

-----Original Message-----
From: Patrick Ramsey [mailto:[EMAIL PROTECTED]]
Sent: Thursday, September 13, 2001 11:24 AM
To: [EMAIL PROTECTED]
Subject: Re: Active Directory Ports PIX [7:19772]

Allowing a server access to all domain functions completely defies putting it in a DMZ... That means if anyone broke into a box in the DMZ, he has access to the entire domain; not a good idea.

-Patrick

Dave Luancing 09/13/01 10:36AM
Does anyone know what ports need to be opened in a PIX to allow servers to join the domain and replicate?

Thanks,
Dave

Terrorist Attacks on U.S. - How can you help? Donate cash, emergency relief information: http://dailynews.yahoo.com/fc/US/Emergency_Information/

The information in this email is confidential and may be legally privileged. It is intended solely for the addressee. Access to this email by anyone else is unauthorized. If you are not the intended recipient, any disclosure, copying, distribution or any action taken or omitted to be taken in reliance on it, is prohibited and may be unlawful. When addressed to our clients any opinions or advice contained in this email are subject to the terms and conditions expressed in the governing KPMG client engagement letter.

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=20092t=19772
FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html
Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]
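Dave's question (which ports a PIX must pass so a DMZ server can use an inside domain controller) and Patrick's objection (opening everything hands a compromised DMZ box the whole domain) can both be checked mechanically against the firewall config. The following is an added example for this thread, not code from the list or from Cisco: a Python audit that parses PIX 6.x access-list lines and reports which ports from the well-known Windows 2000 domain-member list are still blocked, which permit rules are broader than AD needs, and where the PIX port literal `kerberos` was used (on the PIX that literal means 750, Kerberos v4, not 88, so `eq kerberos` does not pass Windows Kerberos). The ACL text, the ACL name `dmz_in`, and the addresses 192.168.10.5 and 10.0.0.1 are constructed sample input. The port table covers a member server; DC-to-DC replication, which Dave also asked about, additionally needs the RPC endpoint mapper plus the dynamic RPC range, or tcp/25 when the site link uses the SMTP transport.

```python
"""Audit a PIX 6.x access-list against the ports a DMZ domain member needs.

Added example for the thread above; not code from the list or from Cisco.
The ACL text, host addresses and ACL name are constructed sample input.
"""
import ipaddress
import re

# PIX/ASA port literals an admin is likely to type in an AD rule.
# Trap: on the PIX, "kerberos" is port 750 (Kerberos v4), not 88,
# so "eq kerberos" does NOT permit Windows Kerberos. Use "eq 88".
PIX_PORT_LITERALS = {
    "domain": 53, "ldap": 389, "ldaps": 636, "smtp": 25, "ntp": 123,
    "netbios-ns": 137, "netbios-dgm": 138, "netbios-ssn": 139,
    "kerberos": 750,
}

# What a member server needs towards a DC for join, logon, Kerberos,
# Group Policy and DNS. DC-to-DC replication additionally needs the RPC
# endpoint mapper (135) plus dynamic RPC ports, or tcp/25 for SMTP site links.
AD_MEMBER_PORTS = {
    ("udp", 53): "DNS", ("tcp", 53): "DNS (large SRV replies)",
    ("udp", 88): "Kerberos", ("tcp", 88): "Kerberos",
    ("udp", 123): "NTP (Kerberos clock skew)",
    ("tcp", 135): "RPC endpoint mapper (Netlogon secure channel)",
    ("udp", 389): "CLDAP DC locator", ("tcp", 389): "LDAP",
    ("tcp", 445): "SMB / Netlogon (SYSVOL, Group Policy)",
    ("tcp", 464): "Kerberos kpasswd", ("udp", 464): "Kerberos kpasswd",
    ("tcp", 3268): "Global Catalog LDAP",
}

# PIX 6.x syntax: access-list NAME permit|deny PROTO SRC DST [eq P | range P1 P2]
# where SRC/DST is "any", "host A.B.C.D", or "A.B.C.D NETMASK".
ACL_RE = re.compile(
    r"access-list\s+(?P<name>\S+)\s+(?P<action>permit|deny)\s+"
    r"(?P<proto>ip|tcp|udp)\s+"
    r"(?P<src>host\s+\S+|any|\S+\s+\S+)\s+"
    r"(?P<dst>host\s+\S+|any|\S+\s+\S+)"
    r"(?:\s+(?P<op>eq|range)\s+(?P<p1>\S+)(?:\s+(?P<p2>\S+))?)?\s*$"
)


def _addr_match(spec, ip):
    """True if the PIX address spec ('any', 'host X', 'net mask') covers ip."""
    if spec == "any":
        return True
    net, mask = spec.split()
    if net == "host":
        return ipaddress.ip_address(mask) == ipaddress.ip_address(ip)
    return ipaddress.ip_address(ip) in ipaddress.ip_network(f"{net}/{mask}", strict=False)


def _port(tok):
    """Resolve a numeric port or a PIX port literal."""
    return int(tok) if tok.isdigit() else PIX_PORT_LITERALS[tok]


def _rule_covers(m, proto, port):
    """Does this rule's protocol/port clause apply to (proto, port)?"""
    if m["proto"] not in (proto, "ip"):
        return False
    if m["op"] == "eq":
        return _port(m["p1"]) == port
    if m["op"] == "range":
        return _port(m["p1"]) <= port <= _port(m["p2"])
    return True  # no port clause: every port of that protocol


def audit(acl_text, acl_name, dmz_host, dc_host):
    """Return the required AD ports the ACL still blocks, plus risky rules."""
    rules = [m for m in (ACL_RE.match(line.strip()) for line in acl_text.splitlines())
             if m and m["name"] == acl_name]

    def decision(proto, port):
        # PIX evaluates top-down, first match wins, implicit deny at the end.
        for m in rules:
            if (_addr_match(m["src"], dmz_host) and _addr_match(m["dst"], dc_host)
                    and _rule_covers(m, proto, port)):
                return m["action"]
        return "deny"

    missing = sorted(k for k in AD_MEMBER_PORTS if decision(*k) != "permit")
    # Rules that hand the DMZ host far more than AD needs (Patrick's objection):
    # any protocol, any port, or a port range wider than 1000 ports.
    broad = [m.group(0) for m in rules if m["action"] == "permit" and (
        m["proto"] == "ip" or m["op"] is None
        or (m["op"] == "range" and _port(m["p2"]) - _port(m["p1"]) > 1000))]
    traps = [m.group(0) for m in rules if m["p1"] == "kerberos"]
    return {"missing": missing, "broad": broad, "kerberos_literal": traps}


# Constructed sample config: DMZ web server 192.168.10.5, inside DC 10.0.0.1.
SAMPLE_ACL = """
access-list dmz_in permit tcp host 192.168.10.5 host 10.0.0.1 eq domain
access-list dmz_in permit udp host 192.168.10.5 host 10.0.0.1 eq domain
access-list dmz_in permit tcp host 192.168.10.5 host 10.0.0.1 eq kerberos
access-list dmz_in permit tcp host 192.168.10.5 host 10.0.0.1 eq 135
access-list dmz_in permit tcp host 192.168.10.5 host 10.0.0.1 eq ldap
access-list dmz_in permit tcp host 192.168.10.5 host 10.0.0.1 eq 445
access-list dmz_in permit tcp host 192.168.10.5 host 10.0.0.1 range 1024 65535
access-list dmz_in permit ip 192.168.10.0 255.255.255.0 host 10.0.0.2
access-list dmz_in deny ip any any
"""

if __name__ == "__main__":
    report = audit(SAMPLE_ACL, "dmz_in", "192.168.10.5", "10.0.0.1")
    for proto, port in report["missing"]:
        print(f"blocked: {proto}/{port:<5} {AD_MEMBER_PORTS[(proto, port)]}")
    for line in report["broad"]:
        print("too broad:", line)
    for line in report["kerberos_literal"]:
        print("opens 750, not 88:", line)
```

Run against the sample it reports Kerberos (88), NTP, CLDAP and kpasswd as still blocked, flags the `permit ip` rule and the 1024-65535 range as too broad, and points at the `eq kerberos` line. Paste real `show access-list` output into SAMPLE_ACL to audit a live PIX. The wide range exists because Windows 2000 RPC picks a dynamic port above 1024; rather than opening that whole range from the DMZ, pin the replication and Netlogon RPC ports in the registry on the DC and permit only those.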
RE: Active Directory Ports PIX [7:19772]
You can join the domain and then stop replication; it will still work as a stand-alone domain controller.

-----Original Message-----
From: Evans, TJ [mailto:[EMAIL PROTECTED]]
Sent: Sunday, September 16, 2001 7:50 AM
To: [EMAIL PROTECTED]
Subject: RE: Active Directory Ports PIX [7:19772]

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=20094t=19772
Re: Active Directory Ports PIX [7:19772]
Allowing a server access to all domain functions completely defies putting it in a DMZ... That means if anyone broke into a box in the DMZ, he has access to the entire domain; not a good idea.

-Patrick

Dave Luancing 09/13/01 10:36AM
Does anyone know what ports need to be opened in a PIX to allow servers to join the domain and replicate?

Thanks,
Dave

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=19790t=19772
Re: Active Directory Ports PIX [7:19772]
It depends on your site connector protocol... If you're using SMTP for intersite transmission, then you would need port 25 open... But you have a few options, so check the protocol for your site connectors.

----- Original Message -----
From: Dave Luancing
To:
Sent: Thursday, September 13, 2001 9:36 AM
Subject: Active Directory Ports PIX [7:19772]

Does anyone know what ports need to be opened in a PIX to allow servers to join the domain and replicate?

Thanks,
Dave

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=19809t=19772