Active Directory thru Pix

lee.messenger
Level 1

Hi,

I have 2 active directory forests that reside on either side of my PIX.

Forest A is on Inside interface

Forest B is on a DMZ interface security level 50

The Microsoft guys would like to setup a trust between the 2 forests.

In order to do this, RPC traffic, both port 135 and the RPC dynamic ports (1024-65535), needs to be allowed. I don't, however, want to open those high ports unless I have to.

My Microsoft guy said that the firewall should be able to inspect RPC traffic in order to dynamically open higher ports when required by the application.

I don't see a fixup for RPC on the Pix however.

Could anyone shed some light on how I can make the Pix aware of the RPC traffic between the 2 AD forests?

Thanks

Lee

4 Replies

srue
Level 7

Have your MS admins configure either a PPTP or IPSEC tunnel between the servers in one forest and the servers in the other forest. This will minimize the number of ports you need to allow.

Have them search the MS KB for instructions on this - they're out there.

I don't have a pointer to the MS KB article, but it's also possible to configure the servers to use a restricted port range for RPC (say, 5000 - 6000), and only open that range.
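One way to apply the restricted-range suggestion on the Windows side, as an added example that is not from this thread or from Cisco: it sets the documented HKLM\SOFTWARE\Microsoft\Rpc\Internet values that pin the RPC dynamic allocation, and assumes the 5000-6000 range used in the post above; the function names are the example's own.

```powershell
# Added example (not from the thread): pin the Windows RPC dynamic port
# allocation to one small block so the firewall only needs TCP 135 plus
# that block. The 5000-6000 default is the range named in the post.
# Run elevated on every domain controller on both sides, then reboot.
param(
    [int]$StartPort = 5000,
    [int]$EndPort   = 6000
)

$rpcKey = 'HKLM:\SOFTWARE\Microsoft\Rpc\Internet'

function Set-RpcPortRange {
    param([int]$Start, [int]$End)

    if ($Start -lt 1025 -or $End -gt 65535 -or $End -le $Start) {
        throw "Port range $Start-$End is invalid (must lie in 1025-65535, start < end)."
    }
    if (($End - $Start + 1) -lt 100) {
        # Microsoft's guidance is to leave at least 100 ports in the range;
        # a smaller block can be exhausted under replication load.
        Write-Warning "Range $Start-$End is under 100 ports; RPC allocation may fail under load."
    }

    if (-not (Test-Path $rpcKey)) {
        New-Item -Path $rpcKey -Force | Out-Null
    }
    # Ports is REG_MULTI_SZ; one "start-end" entry is accepted.
    New-ItemProperty -Path $rpcKey -Name 'Ports' -PropertyType MultiString `
        -Value @("$Start-$End") -Force | Out-Null
    # Both flags must be 'Y' for the Ports list to take effect.
    New-ItemProperty -Path $rpcKey -Name 'PortsInternetAvailable' -PropertyType String `
        -Value 'Y' -Force | Out-Null
    New-ItemProperty -Path $rpcKey -Name 'UseInternetPorts' -PropertyType String `
        -Value 'Y' -Force | Out-Null
}

function Get-RpcPortRange {
    # Read back what is configured so the firewall rule can be checked against it.
    if (-not (Test-Path $rpcKey)) { return $null }
    $p = Get-ItemProperty -Path $rpcKey -ErrorAction SilentlyContinue
    [pscustomobject]@{
        Ports                  = ($p.Ports -join ',')
        PortsInternetAvailable = $p.PortsInternetAvailable
        UseInternetPorts       = $p.UseInternetPorts
    }
}

Set-RpcPortRange -Start $StartPort -End $EndPort
Get-RpcPortRange | Format-List
Write-Host "Reboot required. Firewall needs TCP 135 plus TCP $StartPort-$EndPort between the DCs."
```

The setting only takes effect after a reboot and must match on the domain controllers of both forests, since a two-way trust has RPC sessions initiated from each side; the PIX rule set is then TCP 135 plus the chosen range between the DC addresses, rather than the whole 1024-65535 block.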

Jon Marshall
Hall of Fame

Hi Lee

Steven's solution is the best way to secure this traffic if you have to do this.

The PIX does have a fixup for RPC, but it is for Sun RPC (i.e. Sun Microsystems, who make a version of Unix called Solaris), and so this would not help you with AD anyway.

Jon
