SMTP transport isn't an option? When you lock down the RPC ports, what you are really doing is just pre-seeding what would otherwise be a random allocation. I.e. instead of negotiating from a pool of possible ports, you're telling the RPC process to always pick port xxxx. Saturation would occur regardless, so this wouldn't be an issue.
Out of curiosity, when you say make it visible, is that for IDS purposes? If so, are they able to track RPC traffic? Also, have you looked at what ISA can do for you in this situation? It might be worth it to use ISA to terminate the IPSec tunnel and then audit from there. Just a thought.

Al

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of DeGrands, Charles
Sent: Tuesday, October 19, 2004 2:04 PM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] AD through a firewall

Hello all,

Environment - Mixed mode Windows 2000 and 2003 domain controllers. One empty root and 8 child domains. Most domains have 3-5 DCs for redundancy and DR. One domain has 25 DCs for their branch offices, but they are not behind any firewalls. Two of the domains are behind separate internal firewalls. We currently have the communication going through the firewall via IPSec, but one of the domains wants the traffic to be "visible" for auditing purposes.

Questions - Regarding ports required for AD replication over a firewall (using the MS white paper as a reference), would limiting RPC to one port make ourselves susceptible to saturation? There is some client communication to worry about, from a few clusters. Is there a way to make this entry a range versus just one port?

Would we have to make this registry modification on all DCs that are not behind a firewall or just the ones that we would like to limit?

Scenario: Rootdc is on the Corporate side of the firewall with most of the DCs. ChildDC1 is also on the Corporate side of the firewall. ChildDC2 is behind a divisional firewall. We make the limited RPC registry entry on Rootdc and ChildDC2, but do we have to make it on ChildDC1 as well?

Another Q article, 154596, mentions RPC dynamic port allocation as well, but I noticed it was a different registry key than the DC-DC communication. Would creating a range this way solve the one-port listing from above?
Thank you for your assistance,

Charles

------------------------------------------------------------------------------
The information in this e-mail and any attachments are for the sole use of the intended recipient and may contain privileged and confidential information. If you are not the intended recipient, any use, disclosure, copying or distribution of this message or attachment is strictly prohibited. If you believe that you have received this e-mail in error, please contact the sender immediately and delete the e-mail and all of its attachments.
==============================================================================
List info : http://www.activedir.org/mail_list.htm
List FAQ : http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
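The two registry mechanisms the thread is discussing, as an added example that is not part of the original exchange (the thread predates PowerShell; the keys themselves come from Microsoft KB 224196, KB 319553 and KB 154596, the last being the article Charles cites). The per-service values pin one DC's replication, Netlogon and FRS RPC listeners to fixed ports; the Rpc\Internet key is a separate, machine-wide setting that confines every other RPC server on that box to a range. Each value is set on the DC whose listener you want pinned (it takes effect after a reboot); replication partners learn the pinned port from the endpoint mapper on TCP 135, so the firewall must permit 135 plus the pinned ports toward that DC, and partners on the open side need no change. The port numbers and the range are assumptions for illustration, not values from the thread.

```powershell
# Added example (not from the thread): pin the AD replication, Netlogon and FRS
# RPC listeners of THIS domain controller to fixed ports, and confine all other
# dynamic RPC endpoints on the machine to one range. Run elevated on the DC you
# want to restrict; reboot afterwards for the listeners to pick up the new ports.
# All port numbers below are assumptions; choose unused ports in your environment.

$ReplicationPort = 38901           # assumed: NTDS (AD replication) RPC listener
$NetlogonPort    = 38902           # assumed: Netlogon RPC listener
$FrsPort         = 38903           # assumed: File Replication Service (SYSVOL) listener
$RpcRange        = '38904-39003'   # assumed: pool for every other dynamic RPC endpoint

function Set-FixedRpcPort {
    param(
        [Parameter(Mandatory)] [string] $KeyPath,
        [Parameter(Mandatory)] [string] $ValueName,
        [Parameter(Mandatory)] [int]    $Port
    )
    # Refuse well-known ports and anything that cannot be a TCP port.
    if ($Port -lt 1024 -or $Port -gt 65535) {
        throw "Port $Port is outside the usable range 1024-65535"
    }
    # The service keys exist only on a DC (NTDS) or where FRS is installed;
    # failing here is better than silently creating an orphaned key.
    if (-not (Test-Path $KeyPath)) {
        throw "Registry key $KeyPath not found; is this a domain controller?"
    }
    New-ItemProperty -Path $KeyPath -Name $ValueName -PropertyType DWord -Value $Port -Force | Out-Null
}

# KB 224196: DC-to-DC replication and Netlogon RPC listeners.
Set-FixedRpcPort 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'     'TCP/IP Port' $ReplicationPort
Set-FixedRpcPort 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters' 'DCTcpipPort' $NetlogonPort
# KB 319553: SYSVOL replication by FRS, which the thread's Windows 2000/2003 domains use.
Set-FixedRpcPort 'HKLM:\SYSTEM\CurrentControlSet\Services\NtFrs\Parameters'    'RPC TCP/IP Port Assignment' $FrsPort

# KB 154596: machine-wide dynamic RPC range. This is the "different registry key"
# from the thread; it governs every RPC server that uses default port allocation
# and does not replace the NTDS value above. The three values are the ones the
# KB's own example uses to make the listed range the default allocation pool.
$rpcInternet = 'HKLM:\SOFTWARE\Microsoft\Rpc\Internet'
if (-not (Test-Path $rpcInternet)) { New-Item -Path $rpcInternet -Force | Out-Null }
New-ItemProperty -Path $rpcInternet -Name 'Ports'             -PropertyType MultiString -Value @($RpcRange) -Force | Out-Null
New-ItemProperty -Path $rpcInternet -Name 'PortsInternalOnly' -PropertyType String      -Value 'N'          -Force | Out-Null
New-ItemProperty -Path $rpcInternet -Name 'UseInternetPorts'  -PropertyType String      -Value 'Y'          -Force | Out-Null

# Read everything back so the firewall rule set is built from what is actually
# in the registry rather than from the variables above.
function Get-DcRpcPortConfig {
    [pscustomobject]@{
        EndpointMapper  = 135   # always required: partners query it to find the pinned ports
        ReplicationPort = (Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters').'TCP/IP Port'
        NetlogonPort    = (Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters').DCTcpipPort
        FrsPort         = (Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\NtFrs\Parameters').'RPC TCP/IP Port Assignment'
        DynamicRange    = ((Get-ItemProperty $rpcInternet).Ports -join ',')
    }
}

Get-DcRpcPortConfig
```

After the reboot, confirm the listeners moved before touching the firewall: `portqry -n <dc> -e 135` dumps the endpoint mapper, and the AD replication interface (UUID e3514235-4b06-11d1-ab04-00c04fc2dcd2) should now appear on ncacn_ip_tcp with the pinned port rather than a port from the dynamic range. The pinned ports only cover the RPC side; the firewall still needs the non-RPC AD traffic (Kerberos, LDAP, global catalog, DNS, SMB) that the Microsoft white paper in the thread lists.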
