allowing pc to log onto internal domain in dmz

carl_townshend
Spotlight

Hi all, I have a PC in the DMZ and I need to allow it to log onto the domain.

Can anyone tell me what ports I need to open to my domain controllers for this to happen?

cheers

Carl

6 Replies

Collin Clark
VIP Alumni

Carl-

A ton of them. Seriously, it's too many to still ensure security. Having a server in a DMZ that is a member of the domain is a major security risk. Search Google Groups for "windows domain firewall" and you should see the problems people have had getting this to work. We tried it once at a customer site, but eventually moved the server inside.

HTH

JORGE RODRIGUEZ
Level 10

Carl, whether this link can help or not, I'm sure it can. We went through this on another thread a while back; please refer to it, as there are also some links for domain authentication and port information. If there are problems, let us know.

http://forum.cisco.com/eforum/servlet/NetProf?page=netprof&CommCmd=MB%3Fcmd%3Dpass_through%26location%3Doutline%40%5E1%40.2cbe739a/4#selected_message

HTH

Jorge

Jorge Rodriguez

In a situation like this, the best firewall is a Checkpoint firewall, because Checkpoint understands Microsoft DCOM ports and knows how to handle Microsoft domain authentication, so the security is vastly superior to a Cisco PIX or ASA firewall.

If you already have a PIX in place, you would need at minimum:

ldap(s): tcp/udp 636
kerb: tcp/udp 88
ldap(s): tcp/udp 389
dns: tcp/udp 53
wins: tcp/udp 137/138
nbt: netbios, rpc, etc...

Kevin-

I'm not disputing the capabilities of Checkpoint; however, the firewall in this case does not make it more or less secure, it just makes it easier to configure.

The firewall can help in making this more secure by not opening more ports than necessary. Checkpoint understands how Microsoft DCOM works. As you know, with Active Directory and Exchange Server, DCOM uses random ports. By understanding how DCOM works, you do not have to open all ports >1024.

I made the assumption that people usually use RPC over HTTPS.
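As an added example (not configuration posted by anyone in this thread), the following Cisco ASA/PIX access list implements the port list from Kevin's first reply the way Collin's point about "not opening more ports than necessary" suggests: it permits only the listed services, only from the single DMZ PC, and only to the domain controllers, with everything else from the DMZ denied and logged. The host addresses, object-group names and the interface name are placeholders; the NetBIOS session and RPC endpoint-mapper ports are added here on top of the thread's "nbt: netbios, rpc, etc..." line, and the dynamic RPC/DCOM range that the thread's Checkpoint discussion is about is deliberately left out, since a plain port-based ACL cannot track it.

```cisco
! Added example, not from the thread. Addresses, names and the "dmz" interface
! name are placeholders; adjust to your own network.
object-group network DMZ_DOMAIN_PC
 network-object host 192.0.2.10
object-group network INSIDE_DCS
 network-object host 10.0.0.11
 network-object host 10.0.0.12
! TCP ports from Kevin's list (dns, kerberos, ldap, ldaps)
object-group service AD_TCP tcp
 port-object eq 53
 port-object eq 88
 port-object eq 389
 port-object eq 636
! UDP ports from Kevin's list (dns, kerberos, ldap, wins/netbios name and datagram)
object-group service AD_UDP udp
 port-object eq 53
 port-object eq 88
 port-object eq 389
 port-object eq 137
 port-object eq 138
! Added here for the thread's "nbt: netbios, rpc, etc...": NetBIOS session and
! the RPC endpoint mapper. The dynamic RPC/DCOM port range is NOT opened;
! that is the part a stateful port-based ACL cannot express.
object-group service AD_RPC_TCP tcp
 port-object eq 139
 port-object eq 135
access-list DMZ_IN extended permit tcp object-group DMZ_DOMAIN_PC object-group INSIDE_DCS object-group AD_TCP
access-list DMZ_IN extended permit udp object-group DMZ_DOMAIN_PC object-group INSIDE_DCS object-group AD_UDP
access-list DMZ_IN extended permit tcp object-group DMZ_DOMAIN_PC object-group INSIDE_DCS object-group AD_RPC_TCP
! Everything else from the DMZ toward the inside stays blocked and is logged,
! so any further port the domain join turns out to need shows up in the log.
access-list DMZ_IN extended deny ip any any log
access-group DMZ_IN in interface dmz
```

The tcp/udp pairing follows Kevin's list as written; whatever the RPC-dependent services on the DC still need beyond these will appear as denied entries in the ASA log, which is the cleanest way to discover exactly which dynamic ports that particular domain relies on before deciding whether the host belongs in the DMZ at all, as Collin argues.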
