New Member

NTLM through Pix

Hi all,

Can anyone tell me how to configure pix so that I can get NTLM authentication working. I have a web server in my DMZ which needs to talk to my inside network to allow the authentication to function. What ports do I need to open up?

Thanks

Santosh

3 REPLIES
Silver

Re: NTLM through Pix

So the DMZ web server is a domain member server that needs to talk to a domain controller? tcp and udp ports 135-139 should do the trick

New Member

Re: NTLM through Pix

Yes, the DMZ web server needs to talk to the domain controller. Port 135 suggests RPC needs to be opened as well. Any advice on this?

Silver

Re: NTLM through Pix

By allowing ports 135 and 139 to your inside DCs, you've eliminated most of the security gained by hosting your web server in the DMZ. Someone hacks IIS [easy] on that server, it has access to your DCs plus valid domain accounts, and voila! Your DCs are owned too with little effort!

You should try to implement in such a manner that your DMZ web server is not on the internal domain.

-Shannon
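As an added illustration of the two replies above (this is example configuration written for this page, not from the thread's posters or from Cisco documentation), here is how the port range named in the first reply would look as a PIX access list, with the overly broad subnet-to-subnet form shown commented out next to a version limited to one DMZ host and named DC addresses. All addresses and the ACL name `dmz_in` are placeholders. It covers only TCP/UDP 135-139 as stated in the thread; the dynamic RPC ports the second reply asks about are not addressed, and narrowing the rule does not remove the trust problem Shannon describes, it only limits which hosts an attacker on the web server can reach on those ports and logs anything else from the DMZ toward the inside network.

```cisco
! Added example (PIX 6.x-style syntax), not part of the original thread.
! Placeholders: 192.168.2.10 = DMZ web server, 10.1.1.5 and 10.1.1.6 = inside DCs,
!               10.1.1.0/24 = inside network.
!
! Too broad (the case the third reply warns about): whole DMZ subnet to whole inside subnet.
!   access-list dmz_in permit tcp 192.168.2.0 255.255.255.0 10.1.1.0 255.255.255.0 range 135 139
!   access-list dmz_in permit udp 192.168.2.0 255.255.255.0 10.1.1.0 255.255.255.0 range 135 139
!
! Narrower: only the web server, only the named DCs, only the ports from the first reply.
access-list dmz_in permit tcp host 192.168.2.10 host 10.1.1.5 range 135 139
access-list dmz_in permit udp host 192.168.2.10 host 10.1.1.5 range 135 139
access-list dmz_in permit tcp host 192.168.2.10 host 10.1.1.6 range 135 139
access-list dmz_in permit udp host 192.168.2.10 host 10.1.1.6 range 135 139
! Everything else from the DMZ toward the inside network is dropped and logged,
! so any other DMZ-to-inside attempt shows up in syslog.
access-list dmz_in deny ip any 10.1.1.0 255.255.255.0 log
! DMZ hosts may still reach non-inside destinations (e.g. outbound updates).
access-list dmz_in permit ip any any
access-group dmz_in in interface dmz
```

The `deny ... log` line is the detection piece: after applying the list, `show access-list dmz_in` shows hit counts per entry, and the logged denies are what to alert on if the web server starts probing the inside network beyond the two DCs.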
