Active Directory thru Pix

Unanswered Question
Jul 2nd, 2007
User Badges:


I have 2 active directory forests that reside on either side of my PIX.

Forest A is on Inside interface

Forest B is on a DMZ interface security level 50

The Microsoft guys would like to setup a trust between the 2 forests.

In order to do this, RPC traffic, both port 135 and RPC dynamic ports (1024-65535) need to be allowed, I don't however want to open those high ports unless I have to.

My Microsoft guy said that the firewall should be able to inspect RPC traffic in order to dynamically open higher ports when required by the application.

I don't see a fixup for RPC on the Pix however.

Couldn't anyone shed some light on how I can make the Pix aware of the RPC traffic between the 2 AD forests.



  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
srue Mon, 07/02/2007 - 10:37
User Badges:
  • Blue, 1500 points or more

have your MS admins configure either a PPTP or IPSEC tunnel between the servers in one forest with the servers in the other forest. This will minimize the number of ports you need to allow.

Have them search the MS KB for instructions on this - they're out there.

lowen Tue, 07/03/2007 - 05:23
User Badges:

I don't have a pointer to the MS KB article, but it's also possible to configure the servers to use a restricted port range for RPC (say, 5000 - 6000), and only open that range.

Jon Marshall Mon, 07/02/2007 - 10:51
User Badges:
  • Super Blue, 32500 points or more
  • Hall of Fame,

    Founding Member

  • Cisco Designated VIP,

    2017 LAN, WAN

Hi Lee

Steven's solution is the best way to secure this traffic if you have to do this.

The pix does have a fixup for RPC but it is for Sun RPC (ie Sun Microsystems who make a version of Unix called Solaris) and so this would not help you for AD anyway.



This Discussion