Allowing a PC in the DMZ to log onto the internal domain

Unanswered Question
Nov 29th, 2007

Hi all, I have a PC in the DMZ and I need to allow it to log onto the domain.

Can anyone tell me what ports I need to open to my domain controllers for this to happen?

Collin Clark Thu, 11/29/2007 - 07:56


A ton of them. Seriously, it's too many to still ensure security. Having a server in a DMZ that is a member of the domain is a major security risk. Search Google Groups for "windows domain firewall" and you should see the problems people have had getting this to work. We tried it once at a customer site, but eventually moved the server inside.


JORGE RODRIGUEZ Thu, 11/29/2007 - 08:09

Carl, whether this link can help or not, I'm sure it can. We went through this on another thread a while back; please refer to it, as there are also some links there for domain authentication and port information. If there are problems, let us know.



kevin.jones1 Thu, 11/29/2007 - 08:21

In a situation like this, the best firewall is a Checkpoint firewall, because Checkpoint understands Microsoft DCOM ports and knows how to handle Microsoft domain authentication, so the security is vastly superior to a Cisco PIX or ASA firewall.

If you already have a PIX in place, you would need at minimum:

ldap(s): tcp/udp 636
kerb: tcp/udp 88
ldap(s): tcp/udp 389
dns: tcp/udp 53
wins: tcp/udp 137/138
nbt: netbios, rpc, etc...
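As an added example that is not part of the thread, here is a PIX/ASA-style access list that restricts the DMZ member to the domain controllers on the ports listed above, shown next to the blanket "everything above 1024" rule that the RPC dynamic range tempts people into. The addresses (192.0.2.10, 10.0.0.11, 10.0.0.12), the object-group names and the `dmz` interface name are placeholders, and tcp/135 (RPC endpoint mapper) and tcp/445 (SMB) are my additions for the "rpc, etc." entry.

```cisco
! Placeholder addresses: one DMZ domain member, two internal domain controllers
object-group network DMZ-DOMAIN-MEMBER
 network-object host 192.0.2.10
object-group network DOMAIN-CONTROLLERS
 network-object host 10.0.0.11
 network-object host 10.0.0.12

! TCP services a domain member needs towards its DCs
object-group service AD-TCP tcp
 port-object eq 53      ! dns
 port-object eq 88      ! kerberos
 port-object eq 135     ! rpc endpoint mapper (my addition)
 port-object eq 389     ! ldap
 port-object eq 445     ! smb (my addition)
 port-object eq 636     ! ldaps

! UDP services a domain member needs towards its DCs
object-group service AD-UDP udp
 port-object eq 53      ! dns
 port-object eq 88      ! kerberos
 port-object eq 137     ! netbios name service (wins)
 port-object eq 138     ! netbios datagram
 port-object eq 389     ! ldap (cldap / dc locator)

! Restricted rules: only this host, only these DCs, only these ports
access-list DMZ-IN extended permit tcp object-group DMZ-DOMAIN-MEMBER object-group DOMAIN-CONTROLLERS object-group AD-TCP
access-list DMZ-IN extended permit udp object-group DMZ-DOMAIN-MEMBER object-group DOMAIN-CONTROLLERS object-group AD-UDP

! The weak rule to avoid: opening the whole RPC dynamic range to the DCs.
! This is what "open all ports >1024" looks like; do not add it.
! access-list DMZ-IN extended permit tcp object-group DMZ-DOMAIN-MEMBER object-group DOMAIN-CONTROLLERS gt 1024

! Everything else from the DMZ towards the inside is dropped and logged
access-list DMZ-IN extended deny ip any any log
access-group DMZ-IN in interface dmz
```

The logged denies are worth watching after the change: RPC calls that still need the dynamic range show up there as drops to ports above 1024 on the DCs, which tells you exactly which extra service the host depends on instead of guessing.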

Collin Clark Thu, 11/29/2007 - 08:25


I'm not disputing the capabilities of Checkpoint; however, the firewall in this case does not make it more or less secure, it just makes it easier to configure.

kevin.jones1 Thu, 11/29/2007 - 08:45

The firewall can help in making this more secure by not opening more ports than necessary. Checkpoint understands how Microsoft DCOM works. As you know, with Active Directory and Exchange Server, DCOM uses random ports. By understanding how DCOM works, you do not have to open all ports >1024.
