Simple Problem

CARLA.GONZALEZ
Level 1

I have a PIX 515R.

On my inside interface is connected my PDC (Domain Controller), Windows NT Server 4.0, and I have problems with my PCs and servers connected in the DMZ: they can't log on to my domain.

I suppose I need to open more ports between the DMZ and inside. Can you help me, please?

Guadalajara Mex.

7 Replies

almazana
Level 1

Not only will you need ports 137, 138 and 139 opened between your internal network and the DMZ, but you must permit broadcasts with a helper address for each hop in between your server and the client request. Hope this helps!

When you said... helper address, do you refer to a WINS server or a hosts file for name resolution?

Could you be more specific, to help me?

elepazote
Level 1

Karla,

It is a little risky to open up your NetBIOS ports into the DMZ. It is not recommended that you allow anyone from the DMZ to log on to your domain, so they can have access to the domain user list and shared resources.

I strongly agree with Hector. By opening the ports to allow NetBIOS traffic to flow freely, you might as well place the DMZ servers in your internal network. These ports make your internal network vulnerable to a number of attacks as soon as a DMZ server becomes compromised. You might want to reconsider your decision in favor of security.

alan.basinger
Level 1

Carla,

What does your config look like? What version of code is on your PIX? You may just need to have the fixup protocols and the correct ACL statements or conduits open between your DMZ interface and your inside interface. If you do a search on TAC's web site, there are great examples of how you can make this work without exposing yourself to too much risk...

Hope this helps.

Alan

Thanks for all you,

My problem is:

When I try to make a new mailbox, the domain controller couldn't be found, and I can't link the mailbox with an NT account.

What can I do?

My version is v5.3(1).

Carla,

I would put the Exchange server on your inside network and put an SMTP relay on your DMZ, only allow port 25 in and out, and set up a static to allow this. All mail forwarding should take place on the DMZ. Not only does this provide a little bit more security, you can also, to some degree, control spam. Post.Office is a good SMTP freeware program; you can look them up on the web. Hope this helps.
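The relay-in-the-DMZ design described above, written out as a PIX access-list configuration. This is an added example, not config from anyone in this thread; all addresses are constructed placeholders, interface names (inside, dmz, outside) and an existing nat/global pair for ordinary outbound traffic are assumed, and the lines beginning with ":" are explanatory comments for the reader. The point is that the DMZ relay can reach only the inside Exchange server, and only on port 25; the NetBIOS ports the thread warns about never need to be opened.

```text
: Constructed example. 203.0.113.25 = public address of the relay,
: 192.168.2.25 = relay in the DMZ, 192.168.1.10 = Exchange on the inside.

: Expose the relay to the Internet on SMTP only.
static (dmz,outside) 203.0.113.25 192.168.2.25 netmask 255.255.255.255
access-list outside_in permit tcp any host 203.0.113.25 eq smtp
access-group outside_in in interface outside

: Make the Exchange server reachable from the DMZ under its real address.
static (inside,dmz) 192.168.1.10 192.168.1.10 netmask 255.255.255.255

: From the DMZ: relay -> Exchange on 25, nothing else toward the inside net,
: then relay -> anywhere on 25 for outbound delivery.
: NetBIOS denies are written out for the reader; the implicit deny at the
: end of the list would drop them anyway.
access-list dmz_in permit tcp host 192.168.2.25 host 192.168.1.10 eq smtp
access-list dmz_in deny udp any any eq 137
access-list dmz_in deny udp any any eq 138
access-list dmz_in deny tcp any any eq 139
access-list dmz_in deny ip any 192.168.1.0 255.255.255.0
access-list dmz_in permit tcp host 192.168.2.25 any eq smtp
access-group dmz_in in interface dmz
```

Exchange on the inside reaches the relay through the normal inside-to-dmz translation; the relay will also need DNS to deliver outbound mail, which is not shown here.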
