07-02-2007 02:36 AM - edited 03-11-2019 03:38 AM
Hi,
I have 2 active directory forests that reside on either side of my PIX.
Forest A is on Inside interface
Forest B is on a DMZ interface security level 50
The Microsoft guys would like to setup a trust between the 2 forests.
In order to do this, RPC traffic, both port 135 and the RPC dynamic ports (1024-65535), needs to be allowed. I don't, however, want to open those high ports unless I have to.
My Microsoft guy said that the firewall should be able to inspect RPC traffic in order to dynamically open higher ports when required by the application.
I don't see a fixup for RPC on the Pix however.
Could anyone shed some light on how I can make the Pix aware of the RPC traffic between the 2 AD forests?
Thanks
Lee
07-02-2007 10:37 AM
Have your MS admins configure either a PPTP or IPSEC tunnel between the servers in one forest and the servers in the other forest. This will minimize the number of ports you need to allow.
Have them search the MS KB for instructions on this - they're out there.
07-03-2007 05:23 AM
I don't have a pointer to the MS KB article, but it's also possible to configure the servers to use a restricted port range for RPC (say, 5000 - 6000), and only open that range.
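As an added illustration of the restricted-range approach (this is not configuration from any poster in the thread), here is what the PIX side would look like once the domain controllers have been limited to a fixed RPC dynamic range. It assumes PIX 7.x ACL syntax, a DMZ interface named `dmz`, a Forest B domain controller at 192.168.50.10 and a Forest A domain controller at 10.1.1.10 (all of these are placeholder values), and the 5000-6000 range mentioned above. Only the RPC part of the trust traffic discussed in the thread is shown; the same host-to-host ACL pattern is used for whatever else the Microsoft admins require.

```cisco
! Added example: DMZ (security level 50) -> inside is blocked by default, so an
! inbound ACL on the DMZ interface is needed for Forest B to reach Forest A.
! Hosts below are placeholders, not addresses from the thread.
access-list DMZ_IN extended permit tcp host 192.168.50.10 host 10.1.1.10 eq 135
access-list DMZ_IN extended permit tcp host 192.168.50.10 host 10.1.1.10 range 5000 6000
! Everything else from the DMZ toward the inside stays denied by the implicit deny.
access-group DMZ_IN in interface dmz
```

Inside-to-DMZ traffic is allowed by the interface security levels, but if an ACL is already applied inbound on the inside interface it needs the mirror-image entries (port 135 plus the same restricted range toward the Forest B controller). Until the endpoint mapper on the domain controllers is actually pinned to that range, connections will still be negotiated onto ports outside 5000-6000 and be dropped, which is visible as denied-by-ACL messages in the PIX log; check the registry change on both sides before troubleshooting the firewall.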
07-02-2007 10:51 AM
Hi Lee
Steven's solution is the best way to secure this traffic if you have to do this.
The pix does have a fixup for RPC, but it is for Sun RPC (i.e. Sun Microsystems, who make a version of Unix called Solaris), and so this would not help you for AD anyway.
Jon