08-19-2002 12:31 PM - edited 03-08-2019 11:59 PM
We are installing a Windows 2000 domain controller on one of our DMZs. I need to know what port/ports on the PIX will need to be open to the DNS server so that the domain controller can dynamically register its SRV records.
Port 53, any others?
Thanks in advance.
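For readers who want to see what "dynamically register its SRV records" actually looks like on the wire, the following is an added example and not part of the original thread. It builds an RFC 2136 DNS UPDATE message that adds the kind of SRV records a domain controller registers (the `_ldap._tcp.dc._msdcs` and `_kerberos._tcp` owners) and parses it back. The zone `example.com.`, the host `dc1`, the TTLs and the message ID are constructed sample values. A real Windows 2000 DC normally signs the update with GSS-TSIG when the zone requires secure updates; that signature is omitted here, but it does not change the transport: both the unsigned and the signed form travel to the DNS server on port 53, UDP for small messages and TCP when the message exceeds 512 bytes, which is why 53 is the only port the registration itself needs.

```python
import struct

TYPE_SOA, TYPE_SRV, CLASS_IN = 6, 33, 1
OPCODE_UPDATE = 5


def encode_name(name: str) -> bytes:
    """Wire-format a DNS name as length-prefixed labels ending in the root label."""
    out = bytearray()
    for label in name.rstrip(".").split("."):
        if not label:
            continue
        raw = label.encode("ascii")
        if len(raw) > 63:
            raise ValueError(f"label too long: {label!r}")
        out.append(len(raw))
        out += raw
    out.append(0)
    return bytes(out)


def decode_name(msg: bytes, offset: int):
    """Read a (possibly compressed) name; return (name, offset just past it)."""
    labels, jumped, end, hops = [], False, offset, 0
    while True:
        length = msg[offset]
        if length & 0xC0 == 0xC0:           # compression pointer (RFC 1035 4.1.4)
            if not jumped:
                end = offset + 2
            offset = ((length & 0x3F) << 8) | msg[offset + 1]
            jumped, hops = True, hops + 1
            if hops > 128:
                raise ValueError("compression pointer loop")
            continue
        offset += 1
        if length == 0:
            break
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length
    if not jumped:
        end = offset
    return ".".join(labels) + ".", end


def build_srv_update(zone: str, records, msg_id: int = 0x1234) -> bytes:
    """Build an RFC 2136 UPDATE that adds SRV records to `zone`.

    records: iterable of (owner, ttl, priority, weight, port, target).
    Unsigned (no TSIG); a DC doing secure dynamic update would append a TSIG RR.
    """
    records = list(records)
    flags = OPCODE_UPDATE << 11             # QR=0, Opcode=5 (UPDATE), no other bits
    header = struct.pack("!HHHHHH", msg_id, flags, 1, 0, len(records), 0)
    zone_section = encode_name(zone) + struct.pack("!HH", TYPE_SOA, CLASS_IN)
    update = bytearray()
    for owner, ttl, prio, weight, port, target in records:
        rdata = struct.pack("!HHH", prio, weight, port) + encode_name(target)
        update += encode_name(owner)
        update += struct.pack("!HHIH", TYPE_SRV, CLASS_IN, ttl, len(rdata))
        update += rdata
    return header + zone_section + bytes(update)


def parse_update(msg: bytes) -> dict:
    """Parse the zone and update sections of an UPDATE message; reject malformed input."""
    msg_id, flags, zocount, prcount, upcount, adcount = struct.unpack_from("!HHHHHH", msg, 0)
    if (flags >> 11) & 0xF != OPCODE_UPDATE:
        raise ValueError("not an UPDATE message")
    if zocount != 1 or prcount != 0 or adcount != 0:
        raise ValueError("unexpected section counts for this example")
    off = 12
    zone, off = decode_name(msg, off)
    ztype, zclass = struct.unpack_from("!HH", msg, off)
    off += 4
    if ztype != TYPE_SOA or zclass != CLASS_IN:
        raise ValueError("zone section must be SOA/IN")
    rrs = []
    for _ in range(upcount):
        owner, off = decode_name(msg, off)
        rtype, rclass, ttl, rdlen = struct.unpack_from("!HHIH", msg, off)
        off += 10
        rdata_end = off + rdlen
        if rtype != TYPE_SRV or rclass != CLASS_IN:
            raise ValueError("example only handles SRV/IN records")
        prio, weight, port = struct.unpack_from("!HHH", msg, off)
        target, tgt_end = decode_name(msg, off + 6)
        if tgt_end != rdata_end:
            raise ValueError("RDLENGTH does not match SRV RDATA")
        rrs.append((owner, ttl, prio, weight, port, target))
        off = rdata_end
    return {"id": msg_id, "zone": zone, "records": rrs}


def needs_tcp(msg: bytes) -> bool:
    """Classic DNS over UDP carries at most 512 bytes; larger UPDATEs use TCP/53 instead."""
    return len(msg) > 512


# Constructed sample: the SRV records a DC called dc1 in example.com would register.
SAMPLE_ZONE = "example.com."
SAMPLE_RECORDS = [
    ("_ldap._tcp.dc._msdcs.example.com.", 600, 0, 100, 389, "dc1.example.com."),
    ("_kerberos._tcp.example.com.", 600, 0, 100, 88, "dc1.example.com."),
]

if __name__ == "__main__":
    wire = build_srv_update(SAMPLE_ZONE, SAMPLE_RECORDS)
    print(f"{len(wire)} bytes on the wire, TCP required: {needs_tcp(wire)}")
    print(parse_update(wire))
```

The SRV RDATA carries the LDAP (389) and Kerberos (88) ports as data inside the DNS message; those numbers describe what clients will connect to on the DC later, not what the PIX must allow for the registration itself, which is 53 in both UDP and TCP.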
08-19-2002 11:06 PM
Although you should not provide authentication services or SMB access to the DMZ, these are the ports you would open if you needed to provide those services.
LDAP 389
RPC 138-139
08-20-2002 03:46 AM
See the following MS webpage for further details on ports: http://support.microsoft.com/default.aspx?scid=kb;EN-US;Q150543
08-21-2002 11:38 AM
One of the problems with locating a Win2K server in the DMZ is that it needs to talk back to all DCs on the network, using all the wonderful ports that Microsoft uses. Depending on the size of your network, that could be a lot of rules to create.
Another option that you have is to tunnel that traffic over IPSEC. We do this with many of the Outlook Web Access servers that we install in clients' DMZs. Not only does this limit the number of ports that you need to open up, it also protects that data from being seen on the network.
There are a couple Microsoft articles you may want to check out.
Q254949
Q233256
Feel free to drop me an email if you have any questions.
08-23-2002 11:10 AM
I think this should do it. The WINS ports are not listed here but they are on the MS Website if you need to add them.
TCP and UDP
port-object range 137 139
port-object eq 88
port-object eq 1026
port-object eq 445
port-object eq domain
port-object eq 389
port-object eq 135
port-object eq 1065
port-object eq kerberos
08-23-2002 11:15 AM
WINS needs 135, 137 and possibly 138