Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1451
Views
0
Helpful
3
Replies

NT domain authentication and Exchange 2000

mabouchard
Level 1
Level 1

‎04-16-2003 04:57 PM - edited ‎02-21-2020 10:06 AM

Does anyone have a link to information on configuring the PIX to allow NT authentication from windows clients to Windows2000 AD? We are looking to create a secure connection to a business partner which wil also be installing a PIX. They are physically located where we can connect them with a crossover cable. We are both planning to have outbound any any rules but would like to have the ability to authenticate to each others domains. There is currently a trust between the two domains and no firewalls in place. We would like to control inbound access to our network resources. Any help appreciated.

Labels:
0 Helpful
3 Replies 3

mostiguy
Level 6
Level 6

‎04-17-2003 05:37 AM

What do you mean by outbound any any rules? You are expecting to block only on the inbound?

You need to fully describe the architecture. Are both domains AD, or is one? What client OS's? Are you using WINS (if so, you need to track down the wins replication ports, tcp 42 IIRC).

To start, you will need 135-139,445 open for tcp and udp, for windows filesharing and auth to work. Depending of the state of win2k rollout, you might need to open up global catalog ports, ldap (tcp 389), kerberos (88tcp/udp), etc.

http://www.microsoft.com/technet/treeview/default.asp?url=/technet/prodtechnol/exchange/exchange2000/reskit/resguide/appendb.asp

For what it is worth, implementing a trust between two orgs is an enormous security commitment. If I had to do such a thing, I would spend a lot of time worrying about the security of the servers and desktops at the machine level, more so than the network level. To have the trust work at the network level requires opening a ton of ports, so to get good granular security, you need to work on the actual boxes.

I would strongly consider subnetting or isolating desktop machines. There really should be no reason that corp A's desktops need to talk to corp B's desktops. By blocking all such commo, you can reduce risk of spreading worms, virii,etc.

As part of the trust agreement, each org should get a test account in the remote domain. This should be a regular user account. You should spend a lot of time with this user account trying to see what you can access with it in your own organization.

Good luck

Matt

0 Helpful

b-pelphrey
Level 1
Level 1
In response to mostiguy

‎04-17-2003 05:48 AM

http://www.jsifaq.com/SUBM/tip6200/rh6234.htm

nice high-level overview of what ports and services do what.

hope this helps.

0 Helpful

wolfrikk
Level 3
Level 3

‎04-22-2003 07:53 AM

How are the two domains connected now? Through a router, VLAN's, etc? Tight NTFS permissions and group policy may be a better answer, unless you are only wanting to allow certain IP Addresses and ports through the Firewall. If there is an existing router between the domains, you may be able to configure ACL's on the router without adding the extra expense of a PIX.

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents