There is a technote out there, but this may help.
How to enable communication from a Windows OS Active Directory Client to the Active Directory Server across a firewall
The following ports will be used for outbound communication from the client to the server. This assumes that a stateful firewall is being used to allow inbound communication from the server.
- DNS will be using TCP and UDP port 53
- Network Time Protocol (NTP), if required, uses TCP port 123
- Microsoft’s implementation of Kerberos will be using TCP and UDP port 88 (Note: this may be non-standard compared to the MIT Kerberos implementation)
- The EndpointMapper for RPC services will use TCP port 135
- LDAP will use TCP port 389 and Microsoft uses an LDAP “ping” on UDP port 389
- Server Message Block services (SMB, SAMBA) will use TCP port 445
- Global Catalog services use TCP port 3268 – this should be necessary when logging into forests with more than one domain
- The last port is used for Active Directory Logon and replication. Normally this is a dynamic port. For security reasons this should be configured to use a static port, so that the firewall rules can be specific. To configure this, open the registry on each Domain Controller that needs to be contacted through the firewall. Navigate to the following key: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NTDS\Parameters
  Add a new value with the following properties:
  - Value Name: “TCP/IP Port”
  - Data Type: “REG_DWORD”
  - Radix: “Decimal”
  - Value: some number between 1025 and 65534; we will standardize on “1025”
Additional configuration will be needed for specific application access and use, such as Exchange.
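As an added example (not part of the original mailing-list reply), the port list above expressed as data in PowerShell, together with the registry change that pins the NTDS RPC port and a client-side reachability check for the TCP ports. The server name, the parameter names and the two function names are assumptions for illustration; the registry key and value come from the reply. One detail differs from the reply on purpose: NTP is listed here as UDP 123, because the NTP protocol itself runs over UDP. `Test-NetConnection` only probes TCP, so the UDP entries are reported but not tested.

```powershell
# Added example: port inventory, static NTDS port setting, and a TCP reachability check.
# Assumptions: $DomainController is a placeholder DC name; $StaticNtdsPort must match the
# value written to the registry (the reply standardizes on 1025). Run the registry step as
# Administrator on each domain controller; run the check from the client side of the firewall.
param(
    [string]$DomainController = 'dc01.example.com',   # placeholder, not a real host
    [int]$StaticNtdsPort = 1025
)

# Client -> DC outbound ports from the reply. Return traffic is left to the stateful firewall.
$AdPorts = @(
    @{ Service = 'DNS';                 Protocol = 'TCP'; Port = 53 }
    @{ Service = 'DNS';                 Protocol = 'UDP'; Port = 53 }
    @{ Service = 'NTP';                 Protocol = 'UDP'; Port = 123 }   # reply says TCP; NTP is UDP 123
    @{ Service = 'Kerberos';            Protocol = 'TCP'; Port = 88 }
    @{ Service = 'Kerberos';            Protocol = 'UDP'; Port = 88 }
    @{ Service = 'RPC Endpoint Mapper'; Protocol = 'TCP'; Port = 135 }
    @{ Service = 'LDAP';                Protocol = 'TCP'; Port = 389 }
    @{ Service = 'LDAP ping';           Protocol = 'UDP'; Port = 389 }
    @{ Service = 'SMB';                 Protocol = 'TCP'; Port = 445 }
    @{ Service = 'Global Catalog';      Protocol = 'TCP'; Port = 3268 }
    @{ Service = 'NTDS (static RPC)';   Protocol = 'TCP'; Port = $StaticNtdsPort }
)

function Set-StaticNtdsPort {
    # Pins the otherwise dynamic AD logon/replication RPC port using the registry value
    # named in the reply. The new port takes effect after the domain controller restarts.
    param([int]$Port)
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
    New-ItemProperty -Path $key -Name 'TCP/IP Port' -PropertyType DWord -Value $Port -Force | Out-Null
    # Return what is actually stored so the caller can confirm the write.
    (Get-ItemProperty -Path $key -Name 'TCP/IP Port').'TCP/IP Port'
}

function Test-AdPorts {
    # Probes each TCP port from the client; UDP ports cannot be probed with
    # Test-NetConnection and are reported as 'n/a (UDP)'.
    param([string]$Server, [array]$Ports)
    foreach ($p in $Ports) {
        $state = 'n/a (UDP)'
        if ($p.Protocol -eq 'TCP') {
            $r = Test-NetConnection -ComputerName $Server -Port $p.Port -WarningAction SilentlyContinue
            $state = if ($r.TcpTestSucceeded) { 'open' } else { 'blocked' }
        }
        [pscustomobject]@{ Service = $p.Service; Protocol = $p.Protocol; Port = $p.Port; State = $state }
    }
}

# Usage (the two steps run on different hosts):
#   On each DC:    Set-StaticNtdsPort -Port $StaticNtdsPort
#   On the client: Test-AdPorts -Server $DomainController -Ports $AdPorts | Format-Table
```

Keeping the port list as data makes it the single source for both the firewall rule request and the verification run; any port reported as `blocked` after the rules are in place points at a rule that was missed or at a DC whose NTDS port was not restarted onto the static value.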
From: "Brad Martin" <[EMAIL PROTECTED]>
Sent by: [EMAIL PROTECTED]
Date: 02/13/2003 04:37 PM
Please respond to ActiveDir
To: "Active Directory Mailing List" <[EMAIL PROTECTED]>
cc:
Subject: [ActiveDir] Locking down network access
Does anyone have a list of what ports need to be open on a firewall to access things like Active Directory, WINS, DNS, mapping drives, etc.? We need to lock down a section of our network and we only want to let the bare minimum through our firewall. Thanks.
Brad Martin
Go Daddy Software, Inc.
480.505.8800 ext. 250
[EMAIL PROTECTED]
http://www.godaddy.com
