12-17-2001 12:18 PM - edited 03-08-2019 09:25 PM
I have a PIX 515R.
My PDC (Domain Controller), a Windows NT Server 4.0, is connected on my inside interface, and I have problems with my PCs and servers connected in the DMZ: they can't log on to my domain.
I suppose I need to open more ports between the DMZ and the inside. Can you help me, please?
Guadalajara Mex.
12-17-2001 01:03 PM
Not only will you need ports 137, 138 and 139 opened between your internal network and the DMZ, but you must also permit broadcasts with a helper address for each hop between your server and the client request. Hope this helps!
12-18-2001 10:09 AM
When you said helper address, do you refer to a WINS server or a hosts file for name resolution?
Could you be more specific, to help me?
12-17-2001 01:44 PM
Karla,
It is a little risky to open up your NetBIOS ports into the DMZ. It is not recommended that you allow anyone from the DMZ to log on to your domain, so that they can have access to the domain user list and shared resources.
12-17-2001 04:41 PM
I strongly agree with Hector. By opening the ports to allow NetBIOS traffic to flow freely, you might as well place the DMZ servers in your internal network. These ports make your internal network vulnerable to a number of attacks as soon as a DMZ server becomes compromised. You might want to reconsider your decision in favor of security.
12-17-2001 06:37 PM
Carla,
What does your config look like? What version of code is on your PIX? You may just need to have the fixup protocols and the correct ACL statements or conduits open between your DMZ interface and your inside interface. If you do a search on TAC's web site, there are great examples of how you can make this work without exposing yourself to too much risk...
Hope this helps.
Alan
12-18-2001 10:06 AM
Thanks to all of you,
My problem is:
When I try to make a new mailbox, the domain controller can't be found, and I can't link the mailbox with an NT account.
What can I do?
My version is 5.3(1).
12-18-2001 10:58 AM
Carla,
I would put the Exchange server on your inside network, put an SMTP relay on your DMZ, only allow port 25 in and out, and set up a static to allow this. All mail forwarding should take place on the DMZ. Not only does this provide a little bit more security, you can also to some degree control spam. Post.Office is a good SMTP freeware program; you can look them up on the web. Hope this helps.
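Putting Alan's suggestion (ACLs or conduits between the DMZ and inside interfaces, rather than opening NetBIOS) together with the last reply (Exchange on the inside, an SMTP relay in the DMZ reachable through a static on tcp/25 only), the following is an added example configuration in PIX 5.3 command syntax. It is not from the thread, from Cisco or from TAC; the interface names, addresses (RFC 5737 / RFC 1918 ranges), host roles and ACL names are assumed for illustration, and the configuration has not been applied to the original poster's firewall.

```cisco
! Added illustrative PIX 5.3(1) fragment (assumed topology, not from the thread):
!   inside 192.168.1.0/24: PDC 192.168.1.5, Exchange 192.168.1.10
!   dmz    192.168.2.0/24: SMTP relay 192.168.2.25
!   outside: relay published as 203.0.113.25
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz security50
ip address outside 203.0.113.2 255.255.255.0
ip address inside 192.168.1.1 255.255.255.0
ip address dmz 192.168.2.1 255.255.255.0

! Mail Guard: inspect tcp/25 and restrict the SMTP command set
fixup protocol smtp 25

! Inside hosts may initiate toward the DMZ and the Internet (PAT on the egress interface)
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
global (outside) 1 interface
global (dmz) 1 interface

! Publish the relay on the outside; the outside ACL admits only tcp/25 to it
static (dmz,outside) 203.0.113.25 192.168.2.25 netmask 255.255.255.255 0 0
access-list outside_in permit tcp any host 203.0.113.25 eq smtp
access-group outside_in in interface outside

! Expose only the Exchange server to the DMZ (identity static, no address change)
! and let only the relay reach it, only on tcp/25
static (inside,dmz) 192.168.1.10 192.168.1.10 netmask 255.255.255.255 0 0
access-list dmz_in permit tcp host 192.168.2.25 host 192.168.1.10 eq smtp
! Explicit NetBIOS/SMB denies toward the inside. The implicit deny at the end of
! the list already blocks them; these lines document the intent and give
! "show access-list" hit counts for any DMZ host that tries a domain logon.
access-list dmz_in deny tcp any 192.168.1.0 255.255.255.0 range 137 139
access-list dmz_in deny udp any 192.168.1.0 255.255.255.0 range 137 139
access-list dmz_in deny ip any 192.168.1.0 255.255.255.0
! The relay still needs DNS (MX lookups) and outbound SMTP to the Internet
access-list dmz_in permit udp host 192.168.2.25 any eq domain
access-list dmz_in permit tcp host 192.168.2.25 any eq smtp
access-group dmz_in in interface dmz
```

The order of the dmz_in entries matters: the single permit to the Exchange server comes first, the blanket deny to the inside network comes before the permits to "any", so nothing in the DMZ can reach the PDC on 137-139 (or anything else) even if a DMZ host is compromised. After applying it, "show access-list" shows hit counts per line and "show xlate" confirms both statics are built. One caveat a practitioner should know about "fixup protocol smtp": Mail Guard only lets the minimal RFC 821 commands (HELO, MAIL, RCPT, DATA, RSET, NOOP, QUIT) through, so ESMTP extensions such as EHLO are answered with an error; if the relay and Exchange must negotiate ESMTP features between the DMZ and inside, the fixup may need to be disabled for that path.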