Cisco Support Community

New Member

Active Directory thru Pix


I have 2 active directory forests that reside on either side of my PIX.

Forest A is on Inside interface

Forest B is on a DMZ interface security level 50

The Microsoft guys would like to set up a trust between the 2 forests.

In order to do this, RPC traffic, both port 135 and the RPC dynamic ports (1024-65535), needs to be allowed; I don't, however, want to open those high ports unless I have to.

My Microsoft guy said that the firewall should be able to inspect RPC traffic in order to dynamically open higher ports when required by the application.

I don't see a fixup for RPC on the Pix however.

Could anyone shed some light on how I can make the Pix aware of the RPC traffic between the 2 AD forests?




Re: Active Directory thru Pix

Have your MS admins configure either a PPTP or IPSEC tunnel between the servers in one forest and the servers in the other forest. This will minimize the number of ports you need to allow.

Have them search the MS KB for instructions on this - they're out there.

New Member

Re: Active Directory thru Pix

I don't have a pointer to the MS KB article, but it's also possible to configure the servers to use a restricted port range for RPC (say, 5000 - 6000), and only open that range.
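One way to apply the restricted RPC range described above on each domain controller, as an added example that is not from this thread: it writes the RPC\Internet registry values Microsoft documents for this purpose and reads them back; the 5000-6000 range is the one suggested above, and the function names are my own.

```powershell
# Added example: pin the RPC dynamic port range on a Windows server so the
# firewall only needs TCP 135 plus this range instead of 1024-65535.
# Registry path and value names are the documented Microsoft setting
# (HKLM\SOFTWARE\Microsoft\Rpc\Internet); the range is the one suggested above.
# The RPC runtime only reads these values at boot, so a reboot is required.

$RpcKey     = 'HKLM:\SOFTWARE\Microsoft\Rpc\Internet'
$RangeStart = 5000
$RangeEnd   = 6000

function Set-RpcPortRestriction {
    param([int]$Start, [int]$End)
    # Assumption: a range narrower than ~100 ports is too small for a DC that
    # serves several RPC endpoints (replication, trust setup, etc.) at once.
    if (($End - $Start) -lt 100) {
        throw "Range $Start-$End is too narrow; allow at least 100 ports."
    }
    New-Item -Path $RpcKey -Force | Out-Null
    # Ports is a REG_MULTI_SZ; one entry per range in "start-end" form.
    New-ItemProperty -Path $RpcKey -Name 'Ports' -PropertyType MultiString `
        -Value @("$Start-$End") -Force | Out-Null
    # Y = the listed ports are the ones RPC may use (N would exclude them).
    New-ItemProperty -Path $RpcKey -Name 'PortsInternetAvailable' -PropertyType String `
        -Value 'Y' -Force | Out-Null
    # Y = actually apply the restriction to RPC endpoint allocation.
    New-ItemProperty -Path $RpcKey -Name 'UseInternetPorts' -PropertyType String `
        -Value 'Y' -Force | Out-Null
}

function Test-RpcPortRestriction {
    param([int]$Start, [int]$End)
    # Read back and confirm all three values are consistent with the intended range.
    $v = Get-ItemProperty -Path $RpcKey -ErrorAction Stop
    return (($v.Ports -contains "$Start-$End") -and
            ($v.PortsInternetAvailable -eq 'Y') -and
            ($v.UseInternetPorts -eq 'Y'))
}

Set-RpcPortRestriction -Start $RangeStart -End $RangeEnd
if (Test-RpcPortRestriction -Start $RangeStart -End $RangeEnd) {
    Write-Output "RPC dynamic ports pinned to $RangeStart-$RangeEnd. Reboot, then permit only TCP 135 and $RangeStart-$RangeEnd between the DCs on the PIX."
}
```

Apply it on the domain controllers on both sides of the PIX; until every server is rebooted with the setting, some RPC endpoints will still land in the old 1024-65535 range and be dropped by the narrower rule.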

Hall of Fame Super Blue

Re: Active Directory thru Pix

Hi Lee

Steven's solution is the best way to secure this traffic if you have to do this.

The PIX does have a fixup for RPC, but it is for Sun RPC (i.e. Sun Microsystems, who make a version of Unix called Solaris), and so this would not help you for AD anyway.