DC through FireWall

Guest

We have a DC inside a DMZ (where traffic has to go through a firewall to get
from our private network to the DC). We have already opened the ports we need
between it and another DC for replication and that is working. Don't ask why
it is set up this way; it certainly is not the way I would like it to be.

I need to know what ports we need to open so that client computers from our
private network can go through the firewall and connect to this DC.

Right now only port 389 is opened, which seems to be just enough to drive
client computers mad. They see it as a working DC, but can't connect. For
some reason they are not even timing out, which causes them to basically
lock up. The user then has to do a forced power-off and hope it chooses a
different DC next time.

We are running Windows 2000 on all of our Domain Controllers.
 
Trust No One®

sphbecker said:
We have a DC inside a DMZ (where traffic has to go through a firewall
to get from our private network to the DC). We have already opened
the ports we need between it and another DC for replication and that
is working. Don't ask why it is set up this way; it certainly is not
the way I would like it to be.

I'd recommend the white paper "Active Directory in networks segmented by
firewalls" at:

http://tinyurl.com/3gkyc

It should address your question.

There is also an article written by Steve Riley which can be found if you
dig around a bit on the Microsoft website - afraid I've forgotten the title
:(

I agree with your thoughts. We have a separate AD forest in our DMZ.
 
Guest

Thanks for the info, very helpful. Now from Appendix D we have:
", the directory service can be restricted to communicate on a static port
which can be set using the following registry entry:
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Parameters]
"TCP/IP Port"=dword:0000c000
Changing this registry key on a domain controller and rebooting it causes
the directory service to use the TCP port named in the registry entry. In the
case above, it is port 49152 (hexadecimal 0000c000)."

Does the process described above affect all Domain Controllers, or just the
one? Also, does that setting need to be set on just the DC in the DMZ, or
does it also need to be set on its replication partners?
 
Trust No One®

sphbecker said:
Thanks for the info, very helpful. Now from Appendix D we have:
", the directory service can be restricted to communicate on a static
port which can be set using the following registry entry:
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Parameters]
"TCP/IP Port"=dword:0000c000
Changing this registry key on a domain controller and rebooting it
causes the directory service to use the TCP port named in the
registry entry. In the case above, it is port 49152 (hexadecimal
0000c000)."

Does the process described above affect all Domain Controllers, or
just the one? Also, does that setting need to be set on just the DC
in the DMZ, or does it also need to be set on its replication
partners?

The setting is a local registry setting on the domain controller, and will
apply only to the domain controller on which it is set.

You will only need to set it on domain controllers which will actually be
communicating across the firewall - you can then set rules to lock down the
firewall to the particular port(s) and IP addresses of the DCs. You do not
need to set it on all domain controllers - the RPC endpoint mapper will
ensure that DCs can communicate even if they are using different ports for
replication.

BTW - The Steve Riley article I mentioned in my earlier post is at:

http://tinyurl.com/335c2

This also discusses using IPSEC to encapsulate the traffic. I haven't
actually tried this out so can't help much in this area.

Best Wishes
Peter
 
Jorge_de_Almeida_Pinto

We have a DC inside a DMZ (where traffic has to go through a firewall to get
from our private network to the DC). We have already opened the ports we need
between it and another DC for replication and that is working. Don't ask why
it is set up this way; it certainly is not the way I would like it to be.

I need to know what ports we need to open so that client computers from our
private network can go through the firewall and connect to this DC.

Right now only port 389 is opened, which seems to be just enough to drive
client computers mad. They see it as a working DC, but can't connect. For
some reason they are not even timing out, which causes them to basically
lock up. The user then has to do a forced power-off and hope it chooses a
different DC next time.

We are running Windows 2000 on all of our Domain Controllers.

Let me just check this setup...

Are you saying you have a DC from your internal AD in your DMZ and
that DC replicates with the internal DCs?

In my opinion:
internet = untrusted
dmz = although a bit more trusted, to me still untrusted
internal = mostly trusted

Remember, if someone hacks your DC in the DMZ and is able to get all
kinds of credentials and is able to see the DC is part of the internal
AD, your internal AD is bye-bye. Well, the rest you can guess.
 
Guest

389 alone is not enough for authentication. Microsoft published a great white
paper for configuring domain controllers behind a firewall. I believe it is
called "Active Directory in networks segmented by firewalls". You will need
some other ports such as 88 TCP/UDP (Kerberos), 445 TCP/UDP (SMB), 389
TCP/UDP and possibly 53 TCP/UDP. Search for that document.

If possible, it is best to just use IPSec. That only requires IP Protocol 50
and UDP 500 (IKE).
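An added example, not from any post in this thread: a PowerShell check run from a client on the private network that tests whether the firewall passes the ports listed in the reply above to the DMZ DC, and also picks up the static NTDS "TCP/IP Port" value from Appendix D (discussed in Peter's reply) if it was set on that DC. The hostname is a placeholder; Test-NetConnection (Windows 8.1 / Server 2012 R2 or later) tests TCP only, so the UDP side of 53/88/389 still has to be confirmed on the firewall itself.

```powershell
# Added example (not from the thread). Verifies firewall reachability from a
# private-network client to the DMZ DC for the ports the thread names.
param(
    [string]$Dc = 'dc-dmz.example.internal'   # placeholder; replace with your DC
)

# Ports named in the thread, plus 135 (RPC endpoint mapper), which clients
# and DCs query before using the static NTDS port from Appendix D.
$ports = [ordered]@{
    53  = 'DNS'
    88  = 'Kerberos'
    135 = 'RPC endpoint mapper'
    389 = 'LDAP'
    445 = 'SMB'
}

# Try to read the static NTDS port from the DC's registry. This needs the
# Remote Registry service and admin rights on the DC; if it fails we skip it.
try {
    $hklm   = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey('LocalMachine', $Dc)
    $key    = $hklm.OpenSubKey('SYSTEM\CurrentControlSet\Services\NTDS\Parameters')
    $static = $key.GetValue('TCP/IP Port')   # DWORD, e.g. 49152 (0xc000)
    if ($static) { $ports[[int]$static] = 'NTDS static RPC port' }
} catch {
    Write-Verbose "Could not read the NTDS static port from $Dc; skipping."
}

# TCP connect test per port; UDP is not covered by Test-NetConnection.
$results = foreach ($p in $ports.Keys) {
    $r = Test-NetConnection -ComputerName $Dc -Port $p -WarningAction SilentlyContinue
    [pscustomobject]@{
        Port    = $p
        Service = $ports[$p]
        Open    = $r.TcpTestSucceeded
    }
}

$results | Format-Table -AutoSize

# A blocked port here is the condition the original poster describes:
# clients see a DC on 389 but cannot complete logon.
if ($results | Where-Object { -not $_.Open }) {
    Write-Warning "One or more required ports are blocked between this client and $Dc."
}
```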
 
