Open ports? a member server behind a firewall.

Ulrik

Hi

Windows 2003 Active Directory and Windows 2003 member server.
The member server is behind a firewall. The rest of the Windows 2003 domain
is located on an Intranet.

What ports need to be open from the member server to the Domain Controller
to authenticate and be a domain member?

These are the ports I guess I have to open (from member to DC):
ICMP/Echo (ping)
UDP/TCP 53 (DNS)
UDP/TCP 88 (Kerberos authentication)
UDP/123 (Network Time Protocol-NTP)
UDP/TCP 389 (LDAP Access)
TCP 445 (Microsoft Directory Service)
UDP/137 Permit NetBIOS Name Resolution
UDP/138 Permit NetBIOS Datagram Service
TCP/139 Permit NetBIOS Session Service

I guess I also need these ports?
TCP 135 (RPC Endpoint Mapper)
I'll need to allow one high port for Active Directory logon, greater than
1024. (The one you can get static through a reghack)

Do I need to open any port from the Domain Controller to the member server?

Best regards

/Ulrik
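An added example, not part of the thread: a small Python check a practitioner could run on the member server before the join to confirm that the TCP ports from the list above are reachable on the DC through the internal firewall. The DC hostname is an assumed placeholder, and the UDP-only entries (123, 137, 138) are deliberately not probed, since a TCP connect says nothing about UDP.

```python
import socket
import sys
from typing import Dict, List, Tuple

# Member-server -> DC TCP ports taken from the list in the question.
# UDP-only services (NTP 123, NetBIOS 137/138) are left out on purpose.
REQUIRED_TCP_PORTS: List[Tuple[int, str]] = [
    (53, "DNS"),
    (88, "Kerberos"),
    (135, "RPC endpoint mapper"),
    (139, "NetBIOS session"),
    (389, "LDAP"),
    (445, "SMB / directory service"),
]


def probe_tcp(host: str, port: int, timeout: float = 2.0) -> bool:
    """Return True if a TCP handshake to host:port completes within timeout."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        # Refused, timed out (typical of a silently dropping firewall) or unresolvable.
        return False


def check_dc_reachability(dc_host: str,
                          ports: List[Tuple[int, str]] = REQUIRED_TCP_PORTS,
                          timeout: float = 2.0) -> Dict[int, bool]:
    """Probe each required port on the DC; returns {port: reachable}."""
    return {port: probe_tcp(dc_host, port, timeout) for port, _ in ports}


def blocked_ports(results: Dict[int, bool]) -> List[int]:
    """Ports that must be opened on the internal firewall before the join."""
    return sorted(port for port, ok in results.items() if not ok)


if __name__ == "__main__":
    # Placeholder DC name; pass the real one as the first argument.
    dc = sys.argv[1] if len(sys.argv) > 1 else "dc01.example.test"
    results = check_dc_reachability(dc)
    for port, label in REQUIRED_TCP_PORTS:
        state = "open" if results[port] else "BLOCKED"
        print(f"{port:>5}  {label:<26} {state}")
    sys.exit(1 if blocked_ports(results) else 0)
```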
 
Ulrik

What do you mean?
The member server is a Windows 2003 Terminal Server and it is located on a
DMZ.

I know I have to allow traffic from member server to DC (configured on my
'internal' firewall).

The Question:
But do I also need to open ports from my DC to the member server (on my
'internal' firewall)?

/Ulrik
 
Herb Martin

That would be a great idea for "Server Power Tools" if
some programmer would create a program that understands
this document, could be modified and one could check off
the service(s) and get back a list of ports etc.

(With options for IPSec and/or Cisco format would be really great.)
 
ptwilliams

I believe you will need information to pass in both directions, thus
necessitating bi-directional rules on the internal firewall.

--

Paul Williams
_________________________________________
http://www.msresource.net


Join us in our new forums!
http://forums.msresource.net
_________________________________________
 
Eric Chamberlain, CISSP

Ulrik said:
What do you mean?
The member server is a Windows 2003 Terminal Server and it is located on a
DMZ.

I know I have to allow traffic from member server to DC (configured on my
'internal' firewall).

The Question:
But do I also need to open ports from my DC to the member server (on my
'internal' firewall)?

You don't need to open ports from the DC to the member server. The member
server initiates communication with the DC.
 