OWA thru PIX 506

dave.easton (Level 1)

Trying to get Outlook Web Access working thru a PIX 506? Anyone know offhand what needs to be opened up?

3 Replies

yusuff (Cisco Employee)

To allow this through the PIX Firewall, you are required by Microsoft to open a plethora of ports and protocols. The following URL explains those ports:

http://support.microsoft.com/default.aspx?scid=KB;EN-US;Q280132&

As an example, here is what should be done:

Inside Server IP - 10.10.10.10
Public IP for server - 11.11.11.11

static (inside,outside) 11.11.11.11 10.10.10.10 netmask 255.255.255.255

If you are using access lists:

access-list outside permit tcp any host 11.11.11.11 eq 53
access-list outside permit udp any host 11.11.11.11 eq 53
access-list outside permit tcp any host 11.11.11.11 eq 88
access-list outside permit udp any host 11.11.11.11 eq 88
access-list outside permit tcp any host 11.11.11.11 eq 123
access-list outside permit tcp any host 11.11.11.11 eq 135
access-list outside permit tcp any host 11.11.11.11 eq 389
access-list outside permit udp any host 11.11.11.11 eq 389
access-list outside permit tcp any host 11.11.11.11 eq 445
access-list outside permit tcp any host 11.11.11.11 eq 3268

There is one portion in there that requires you to edit the registry for it to use a certain port:

* One port for the Active Directory logon and directory replication interface (universally unique identifiers [UUIDs] 12345678-1234-abcd-ef00-01234567cffb and e3514235-4b06-11d1-ab04-00c04fc2dcd2), which is typically assigned port 1025 or 1026 during startup. This value is not set in the DSProxy or System attendant (MAD) source code, so you need to map the port in the registry and then open the port on the firewall.

You then can add the access list:

access-list outside permit tcp any host 11.11.11.11 eq

There are instructions on how to accomplish this. Another option to use is to open all the ports so that you won't have to edit the registry:

access-list outside permit tcp any host 11.11.11.11 range 1024 65534

This is what Microsoft requires to get this working. They nearly eliminate the Firewall altogether but it really is the only way to make it work.

HTH

R/Yusuf

All you need to open is http (tcp 80)/https (tcp 445) and smtp (tcp 25). I have a static command that allows all https to go directly to our OWA Server.
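The two replies above disagree on how much of the inside host to expose. As an added example (not posted by anyone in this thread), here is a small audit that parses PIX access-list lines in the syntax shown above and flags every permit from "any" that goes beyond what an Internet-facing OWA front end needs; the set of acceptable ports and the sample rules are assumptions built from the thread.

```python
import re

# Added example, not from the thread: parse PIX access-list lines like the ones
# posted above and flag permits wider than an OWA front end needs (numeric ports only).
ACL_RE = re.compile(
    r"^access-list\s+(?P<name>\S+)\s+(?P<action>permit|deny)\s+"
    r"(?P<proto>tcp|udp|ip)\s+(?P<src>any|host\s+\S+)\s+(?P<dst>any|host\s+\S+)"
    r"(?:\s+eq\s+(?P<port>\d+)|\s+range\s+(?P<lo>\d+)\s+(?P<hi>\d+))?\s*$"
)

# Assumption: an Internet-facing OWA host needs only HTTPS, HTTP for the
# redirect, and SMTP if it also receives mail; everything else is internal.
OWA_PUBLIC_PORTS = {("tcp", 443), ("tcp", 80), ("tcp", 25)}

# Constructed sample: a few of the thread's rules plus one HTTPS rule.
SAMPLE_RULES = [
    "access-list outside permit tcp any host 11.11.11.11 eq 53",
    "access-list outside permit udp any host 11.11.11.11 eq 88",
    "access-list outside permit tcp any host 11.11.11.11 eq 135",
    "access-list outside permit tcp any host 11.11.11.11 eq 445",
    "access-list outside permit tcp any host 11.11.11.11 range 1024 65534",
    "access-list outside permit tcp any host 11.11.11.11 eq 443",
]

def parse_acl(line):
    # Returns a dict for one access-list line, or None if it is not parseable
    m = ACL_RE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    if d["port"]:
        lo = hi = int(d["port"])
    elif d["lo"]:
        lo, hi = int(d["lo"]), int(d["hi"])
    else:  # no port clause: the whole protocol is open
        lo, hi = 0, 65535
    return {"action": d["action"], "proto": d["proto"], "src": d["src"],
            "dst": d["dst"], "lo": lo, "hi": hi}

def audit(lines):
    """Return (rule, reason) pairs for permits from 'any' wider than OWA needs."""
    findings = []
    for line in lines:
        r = parse_acl(line)
        if r is None or r["action"] != "permit" or r["src"] != "any":
            continue
        if r["hi"] > r["lo"]:
            findings.append((line, f"{r['hi'] - r['lo'] + 1} ports open to any"))
        elif (r["proto"], r["lo"]) not in OWA_PUBLIC_PORTS:
            findings.append((line, f"{r['proto']}/{r['lo']} is an AD/RPC port, not OWA"))
    return findings
```

Run against the sample, every AD/RPC rule and the 1024-65534 range are reported, while the single HTTPS rule passes.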

Thanks for the help. I really appreciate the posts.
