RE: [ActiveDir] Ports during authentication/logons...
I would really suspect that this is soon not going to be true and may not be at this point (don't know, haven't asked yet). Think of it this way: NAP (Network Access Protection) is going to have one heck of a time working if DC - Member isn't a supported scenario.

As to the 135 traffic on AuthN, I'd happily take a look at the trace. I'll have a few minutes tomorrow.

Rick

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of David Adner
Sent: Wednesday, August 24, 2005 11:11 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Ports during authentication/logons...

I would normally look at the IPSec route, too, but it's not (as far as I know) supported by MS between domain members and DC's. It's supported member-member and DC-DC, but not members-DC's. At least, not if Kerberos is used. Not sure how they feel about certs. Shared keys just wouldn't be an option.

Specifically, though, they have their backs up with 135. Do you know what's using it during a logon/GPO process?

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rick Kingslan
Sent: Wednesday, August 24, 2005 10:51 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Ports during authentication/logons...

David,

If you really, really want to use the absolute minimum ports through a firewall, use IPSec tunnel mode. However, your Network Engineers (or whoever manages your Firewalls) may not like it. Reason? Likely the same reason that I got when I suggested this at a previous employer: "Well, if you put it in IPSec tunnels, then we won't be able to see or sniff it." My question: "Why do you need to sniff or see it?" No answer.

Rick

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of David Adner
Sent: Wednesday, August 24, 2005 10:31 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Ports during authentication/logons...

It's been a few weeks, so time for another question on ports.

MS's whitepaper that discusses how to set up AD to communicate through a firewall (the one that focuses primarily on DC to DC communication) lists the following ports needed to service "User Login and Authentication" and "Computer Login and Authentication":

445 TCP/UDP
88 TCP/UDP
389 UDP
53 TCP/UDP

(I would add ICMP for GPO processing.)

Most people who normally respond to "what ports are needed..." include 135. I just ran a Netmon trace during a logon from an XP machine and do see some traffic hitting 135. I also see traffic hitting 137 and 139. I'm not good at reading traces so I don't really know what's happening besides the basic traffic flow. Does anyone know what 135 (and 139 I suppose) are being used for? And if they're blocked does it totally break everything or just limit certain functions?

I am not worried about DC to DC communication. The scenario is member systems separated from DC's with a firewall and the network folks want to allow the absolute minimum ports.

Thx
RE: [ActiveDir] Ports during authentication/logons...
You've likely seen this, but it does describe ports needed for REPLICATION. However, Steve does talk about the benefits of using IPSec through a firewall.

Rick

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of David Adner
Sent: Wednesday, August 24, 2005 10:31 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Ports during authentication/logons...
RE: [ActiveDir] Ports during authentication/logons...
Yeah, I got that answer too. I asked that question you asked too. I got the "well, uh..." response.

Thanks,
Brian Desmond
[EMAIL PROTECTED]
c - 312.731.3132

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rick Kingslan
Sent: Wednesday, August 24, 2005 10:51 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Ports during authentication/logons...

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of David Adner
Sent: Wednesday, August 24, 2005 10:31 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Ports during authentication/logons...
RE: [ActiveDir] Ports during authentication/logons...
I would normally look at the IPSec route, too, but it's not (as far as I know) supported by MS between domain members and DC's. It's supported member-member and DC-DC, but not members-DC's. At least, not if Kerberos is used. Not sure how they feel about certs. Shared keys just wouldn't be an option.

Specifically, though, they have their backs up with 135. Do you know what's using it during a logon/GPO process?

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rick Kingslan
Sent: Wednesday, August 24, 2005 10:51 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Ports during authentication/logons...

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of David Adner
Sent: Wednesday, August 24, 2005 10:31 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Ports during authentication/logons...
RE: [ActiveDir] Ports during authentication/logons...
Yes, member server to DC using IPSec is not supported. Well, at least it wasn't in Windows 2000: http://support.microsoft.com/default.aspx?scid=kb;en-us;Q254949

Not sure why port 135 would be required for logon. Just a thought: in addition to port 3268, the information held in the GC is made available via NSPI. Access to NSPI would be via the RPC end point mapper (port 135). So perhaps Outlook clients on the XP machines are generating the traffic on port 135?

Tony

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of David Adner
Sent: Thursday, 25 August 2005 4:11 p.m.
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Ports during authentication/logons...

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rick Kingslan
Sent: Wednesday, August 24, 2005 10:51 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Ports during authentication/logons...

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of David Adner
Sent: Wednesday, August 24, 2005 10:31 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Ports during authentication/logons...

This e-mail message has been scanned for Viruses and Content and cleared by NetIQ MailMarshal at Gen-i Limited
RE: [ActiveDir] Ports during authentication/logons...
I hadn't noticed that section that specifically talks about GP. Thanks for the pointer.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Tony Murray
Sent: Wednesday, August 24, 2005 11:48 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Ports during authentication/logons...

Actually, there's some information on Group Policy and port usage in this article: http://support.microsoft.com/default.aspx?scid=kb;en-us;832017

"To successfully apply Group Policy, a client must be able to contact a domain controller over the DCOM, ICMP, LDAP, SMB, and RPC protocols. If any one of these protocols are unavailable or blocked between the client and a relevant domain controller, policy will not apply or refresh."

So it looks like this is the culprit for Port 135.

Tony

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Tony Murray
Sent: Thursday, 25 August 2005 4:39 p.m.
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Ports during authentication/logons...

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of David Adner
Sent: Thursday, 25 August 2005 4:11 p.m.
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Ports during authentication/logons...

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rick Kingslan
Sent: Wednesday, August 24, 2005 10:51 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Ports during authentication/logons...

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of David Adner
Sent: Wednesday, August 24, 2005 10:31 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Ports during authentication/logons...
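The thread's original question (the whitepaper's minimum port list versus the 135/137/139 traffic seen in a Netmon trace) and Tony's pointer to KB 832017 (Group Policy needs DCOM, ICMP, LDAP, SMB and RPC) both come down to one check: tally the ports a member actually talks to on the DC, compare them with the documented minimum, and explain the extras. The script below is an added example and is not from the thread or any of its posters. It assumes a constructed tcpdump-style summary format rather than a real Netmon capture, a made-up DC address of 10.0.0.10, and the standard roles of 137/139 as NetBIOS name and session service; the remark that a high port following a 135 lookup is probably a dynamic RPC port is also an assumption the page does not state.

```python
"""Check a logon trace against the minimum port list for member-to-DC
traffic, and explain any extra ports (135/137/139) the trace shows."""
import re
from collections import Counter

# Ports the whitepaper quoted in the thread lists for "User Login and
# Authentication" and "Computer Login and Authentication".
BASELINE = {
    (445, "TCP"): "SMB (SYSVOL/NETLOGON share access during GPO processing)",
    (445, "UDP"): "SMB",
    (88, "TCP"): "Kerberos",
    (88, "UDP"): "Kerberos",
    (389, "UDP"): "LDAP over UDP (CLDAP DC locator ping)",
    (53, "TCP"): "DNS",
    (53, "UDP"): "DNS",
}

# Ports the thread saw in the Netmon trace that are not in that list.
# 135 is the RPC endpoint mapper; KB 832017 (as Tony quotes it) says Group
# Policy needs DCOM and RPC, which is why blocking it breaks GP refresh.
EXTRAS = {
    (135, "TCP"): "RPC endpoint mapper (DCOM/RPC; Group Policy needs it per KB 832017)",
    (137, "UDP"): "NetBIOS name service",
    (139, "TCP"): "NetBIOS session service (SMB over NetBIOS)",
}

# Constructed sample capture in a tcpdump-style summary format (the thread
# used Netmon; this is not a real capture). 10.0.0.10 plays the DC and
# 10.0.1.51 is another member, included to show that non-DC flows are ignored.
SAMPLE_TRACE = """\
10.0.1.50.49152 > 10.0.0.10.53 UDP
10.0.1.50.49153 > 10.0.0.10.389 UDP
10.0.1.50.49154 > 10.0.0.10.88 TCP
10.0.1.50.49155 > 10.0.0.10.445 TCP
10.0.1.50.49156 > 10.0.0.10.135 TCP
10.0.1.50.49157 > 10.0.0.10.49158 TCP
10.0.1.50.137 > 10.0.0.10.137 UDP
10.0.1.50.49159 > 10.0.0.10.139 TCP
10.0.1.50.49160 > 10.0.0.10.445 TCP
10.0.1.50.49161 > 10.0.1.51.445 TCP
"""
DC_IPS = {"10.0.0.10"}  # constructed

LINE_RE = re.compile(r"^(\S+)\.(\d+) > (\S+)\.(\d+) (TCP|UDP)$")


def parse_trace(text):
    """Yield (dst_ip, dst_port, proto) for each summary line that parses."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield m.group(3), int(m.group(4)), m.group(5)


def classify(text, dc_ips):
    """Count member-to-DC flows by destination (port, proto).

    Returns a dict of three Counters:
      baseline - ports in the whitepaper's minimum list
      extra    - the ports the thread asked about (135/137/139)
      other    - anything else (assumption: usually a dynamic RPC port
                 handed out by the endpoint mapper on 135)
    """
    result = {"baseline": Counter(), "extra": Counter(), "other": Counter()}
    for dst_ip, port, proto in parse_trace(text):
        if dst_ip not in dc_ips:
            continue  # only member-to-DC traffic matters for the firewall rule set
        key = (port, proto)
        if key in BASELINE:
            result["baseline"][key] += 1
        elif key in EXTRAS:
            result["extra"][key] += 1
        else:
            result["other"][key] += 1
    return result


def report(result):
    """Return one line per observed port: covered by the minimum list,
    an extra the thread discusses, or unexplained."""
    lines = []
    for key, n in sorted(result["baseline"].items()):
        lines.append(f"OK    {key[0]}/{key[1]} x{n}: {BASELINE[key]}")
    for key, n in sorted(result["extra"].items()):
        lines.append(f"EXTRA {key[0]}/{key[1]} x{n}: {EXTRAS[key]}")
    for key, n in sorted(result["other"].items()):
        lines.append(f"?     {key[0]}/{key[1]} x{n}: not in either list; "
                     "if it follows a 135 lookup it is likely a dynamic RPC port")
    return lines


if __name__ == "__main__":
    for line in report(classify(SAMPLE_TRACE, DC_IPS)):
        print(line)
```

The practical reading of the output is the one the thread arrives at: the OK lines are what the whitepaper's minimum rule set already allows, the EXTRA lines are what the firewall would also have to pass for Group Policy to apply, and any "?" high port reached right after a 135 connection is the endpoint mapper handing the client a dynamic port, which is exactly the part a port-minimising firewall team finds hardest to accommodate.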