Title: Message

Thanks Ulf.

Todd


From: Ulf B. Simon-Weidner [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, April 06, 2004 9:02 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Joining computer to a domain... And Kpassword port 446.

Sorry - the picture is somewhat in German, but it mentions the (maximum set of) ports we had to open at a customer to have machines working through a firewall. I hope it gives you an idea to start. Be aware that RPC maps to dynamic ports above 1024; AFAIK we just opened a couple, which also worked (I just had to tell the network service guys which ports we require; they decided what to open up and didn't provide feedback).

Ulf B. Simon-Weidner


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Myrick, Todd (NIH/CIT)
Sent: Monday, 5 April 2004 07:26
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Joining computer to a domain... And Kpassword port 446.

Greetings all...

I just had someone stop by my office asking what ports need to be open to allow a machine to join a domain. It appears these security “experts” feel that they need to limit the communication both inbound… and outbound. (Don’t get me started on the outbound part…)

They said that when they tried to join the computer to the domain, it wouldn’t work. But when they turned off the outbound rule set in the high-order range, “Communication” worked. I have several papers on firewall configuration for AD, but I have not found a reference that discusses what ports are necessary to allow a machine to be “joined” to a domain.

My assumption is that it would require all the base ports… 88, 123, 54, 389, 445, but does it require any dynamic ports? I will probably run a packet sniffer later this week to check this out myself, but if anyone can quickly comment, it would be appreciated.

 

Also,

Reading the latest Microsoft whitepaper on Kerberos troubleshooting, I noticed that they listed port 446 for password resets for Kerberos V5. In the Microsoft firewall white papers for AD, this port is never mentioned. So my question is: is it required for Microsoft Kerberos clients, or if you are using a mixture of clients?

 

Thanks,

Todd
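
Todd mentions running a packet sniffer to find out which ports a join actually uses. The following is an added example, not code from the thread: a small Python script that reads a classic pcap capture, counts destination ports per protocol, and flags those above 1024, the dynamic RPC range Ulf refers to. The BASE_PORTS set and the embedded sample capture are constructed assumptions for illustration, not the thread's answer.

```python
import struct
from collections import Counter

# Assumed "base" set, used only for labelling: the ports the thread lists
# (88, 123, 389, 445, with DNS on 53) plus 135, the RPC endpoint mapper that
# hands clients on to the dynamic ports Ulf mentions. Not the thread's answer.
BASE_PORTS = {53, 88, 123, 135, 389, 445}

def iter_packets(pcap):
    """Yield frames from a classic pcap (24-byte global header, 16-byte
    per-packet headers, Ethernet link type); the magic sets byte order."""
    end = "<" if struct.unpack("<I", pcap[:4])[0] == 0xA1B2C3D4 else ">"
    off = 24
    while off + 16 <= len(pcap):
        caplen = struct.unpack(end + "IIII", pcap[off:off + 16])[2]
        off += 16
        yield pcap[off:off + caplen]
        off += caplen

def dst_port(frame):
    """Return (proto, dst_port) for an IPv4 TCP/UDP frame, else None."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":  # not IPv4
        return None
    ihl, proto = (frame[14] & 0x0F) * 4, frame[23]
    l4 = frame[14 + ihl:]
    if proto not in (6, 17) or len(l4) < 4:
        return None
    return ("tcp" if proto == 6 else "udp", struct.unpack("!H", l4[2:4])[0])

def summarize(pcap):
    """Count destination (proto, port) pairs; split into base vs. >1024."""
    counts = Counter(p for p in map(dst_port, iter_packets(pcap)) if p)
    base = {p for p in counts if p[1] in BASE_PORTS}
    dynamic = {p for p in counts if p[1] > 1024}
    return counts, base, dynamic

def _frame(proto, port):  # constructed Ethernet/IPv4/TCP-or-UDP frame, no checksums
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 28, 0, 0, 64, proto, 0,
                     bytes([10, 0, 0, 5]), bytes([10, 0, 0, 1]))
    return b"\x00" * 12 + b"\x08\x00" + ip + struct.pack("!HHI", 49152, port, 0)

def _pcap(frames):  # constructed little-endian pcap container around the frames
    hdr = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    return hdr + b"".join(struct.pack("<IIII", 0, 0, len(f), len(f)) + f for f in frames)

# Constructed capture of a workstation (10.0.0.5) talking to its DC (10.0.0.1):
# DNS, Kerberos, LDAP, SMB, the endpoint mapper, then two packets to RPC on 1026.
SAMPLE = _pcap([_frame(17, 53), _frame(17, 88), _frame(6, 389), _frame(6, 445),
                _frame(6, 135), _frame(6, 1026), _frame(6, 1026)])
```

Run `summarize()` over a real capture file's bytes (read in binary mode) to see which destinations fall outside the base set; anything in the dynamic set is what a per-port outbound rule set would have to cover.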
