
New Member

Ports needed to be open for Windows 2000 Domain Controller

We are installing a Windows 2000 domain controller on one of our DMZs. I need to know what port/ports on the PIX will need to be open to the DNS server so that the domain controller can dynamically register its SRV records.

Port 53, any others?

Thanks in advance.

5 REPLIES
New Member

Re: Ports needed to be open for Windows 2000 Domain Controller

Although you should not provide authentication services or SMB access to the DMZ, these are the ports you would open if you needed to provide those services.

LDAP 389

RPC 138-139

New Member

Re: Ports needed to be open for Windows 2000 Domain Controller

See the following MS webpage for further details on ports: http://support.microsoft.com/default.aspx?scid=kb;EN-US;Q150543

New Member

Re: Ports needed to be open for Windows 2000 Domain Controller

One of the problems with locating a Win2K server in the DMZ is that it needs to talk back to all DCs on the network, using all the wonderful ports that Microsoft uses. Depending on the size of your network, that could be a lot of rules to create.

Another option that you have is to tunnel that traffic over IPSEC. We do this with many of the Outlook Web Access Servers that we install in clients' DMZs. Not only does this limit the number of ports that you need to open up, it also protects that data from being seen on the network.

There are a couple of Microsoft articles you may want to check out.

Q254949

Q233256

Feel free to drop me an email if you have any questions.

New Member

Re: Ports needed to be open for Windows 2000 Domain Controller

I think this should do it. The WINS ports are not listed here but they are on the MS Website if you need to add them.

TCP and UDP

port-object range 137 139
port-object range 88 88
port-object range 1026 1026
port-object range 445 445
port-object range domain domain
port-object range 389 389
port-object range 135 135
port-object range 1065 1065
port-object eq kerberos
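The list above turned into a complete PIX rule set, as an added example that is not from any post in this thread. It assumes PIX 6.2-style object-group syntax and placeholder addresses: 192.0.2.10 for the domain controller on the dmz interface and 10.0.0.5 for the internal DNS server (also a DC). The two DNS lines alone are what the original question needs (dynamic SRV registration); the object-group is only for the case where DC-to-DC traffic must cross the PIX, and it is pinned to a single host pair so nothing else in the DMZ can reach the internal DCs.

```cisco
! Added example, not from the thread. Placeholder addresses:
!   192.0.2.10 = domain controller on the dmz interface
!   10.0.0.5   = internal DNS server / DC
!
! Minimum for dynamic SRV registration: DNS on UDP and TCP 53
! (dynamic updates and large responses fall back to TCP).
access-list dmz_in permit udp host 192.0.2.10 host 10.0.0.5 eq domain
access-list dmz_in permit tcp host 192.0.2.10 host 10.0.0.5 eq domain
!
! Only if DC-to-DC traffic must cross the firewall: the ports from the
! post above, grouped so they apply to one host pair only.
! Kerberos is written as 88 because the PIX literal "kerberos" maps to
! port 750, not 88. 1026 and 1065 are dynamic RPC ports seen on the
! poster's servers; they differ per server and after reboots.
object-group service DC-PORTS tcp-udp
  port-object eq 88
  port-object eq 135
  port-object range 137 139
  port-object eq 389
  port-object eq 445
  port-object eq 1026
  port-object eq 1065
access-list dmz_in permit tcp host 192.0.2.10 host 10.0.0.5 object-group DC-PORTS
access-list dmz_in permit udp host 192.0.2.10 host 10.0.0.5 object-group DC-PORTS
!
! Anything else from the dmz interface falls to the implicit deny.
access-group dmz_in in interface dmz
```

Verify with `show access-list dmz_in` after applying; the hit counts show which of the RPC ports are actually in use and whether the dynamic ones need to be revisited.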

New Member

Re: Ports needed to be open for Windows 2000 Domain Controller

WINS needs 135, 137 and possibly 138
