Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member

NT domain authentication and Exchange 2000

Does anyone have a link to information on configuring the PIX to allow NT authentication from windows clients to Windows2000 AD? We are looking to create a secure connection to a business partner which wil also be installing a PIX. They are physically located where we can connect them with a crossover cable. We are both planning to have outbound any any rules but would like to have the ability to authenticate to each others domains. There is currently a trust between the two domains and no firewalls in place. We would like to control inbound access to our network resources. Any help appreciated.

3 REPLIES
Silver

Re: NT domain authentication and Exchange 2000

What do you mean by outbound any any rules? You are expecting to block only on the inbound?

You need to fully describe the architecture. Are both domains AD, or is one? What client OS's? Are you using WINS (if so, you need to track down the wins replication ports, tcp 42 IIRC).

To start, you will need 135-139,445 open for tcp and udp, for windows filesharing and auth to work. Depending of the state of win2k rollout, you might need to open up global catalog ports, ldap (tcp 389), kerberos (88tcp/udp), etc.

http://www.microsoft.com/technet/treeview/default.asp?url=/technet/prodtechnol/exchange/exchange2000/reskit/resguide/appendb.asp

For what it is worth, implementing a trust between two orgs is an enormous security commitment. If I had to do such a thing, I would spend a lot of time worrying about the security of the servers and desktops at the machine level, more so than the network level. To have the trust work at the network level requires opening a ton of ports, so to get good granular security, you need to work on the actual boxes.

I would strongly consider subnetting or isolating desktop machines. There really should be no reason that corp A's desktops need to talk to corp B's desktops. By blocking all such commo, you can reduce risk of spreading worms, virii,etc.

As part of the trust agreement, each org should get a test account in the remote domain. This should be a regular user account. You should spend a lot of time with this user account trying to see what you can access with it in your own organization.

Good luck

Matt

New Member

Re: NT domain authentication and Exchange 2000

http://www.jsifaq.com/SUBM/tip6200/rh6234.htm

nice high-level overview of what ports and services do what.

hope this helps.

New Member

Re: NT domain authentication and Exchange 2000

How are the two domains connected now? Through a router, VLAN's, etc? Tight NTFS permissions and group policy may be a better answer, unless you are only wanting to allow certain IP Addresses and ports through the Firewall. If there is an existing router between the domains, you may be able to configure ACL's on the router without adding the extra expense of a PIX.

110
Views
0
Helpful
3
Replies
CreatePlease login to create content