From a security standpoint only allowing communication via specific ports is always a better option, but in the case of Active Directory you need to open so many ports to enable full communication between the DCs that it's really pointless to lock it down by port. I would recommend setting up the VPN and making sure to restrict what IPs are able to use the tunnel.
Phil

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Lou Vega
Sent: Tuesday, January 11, 2005 10:45 AM
To: [email protected]
Subject: [ActiveDir] Slightly OT: Pix config for AD Replication

I'm working on setting up a site-to-site VPN using Cisco Pix 525s. I need to test Active Directory replication over the VPN, as we will have domain controllers on each of the two sites connected via VPN. I've been reading various articles on either setting the Pixes up for "wide open" communication between the DCs or for manually allowing each port needed for AD/DNS replication. Has anyone got suggestions as to the best way to proceed?

Thanks in advance group!

List info : http://www.activedir.org/mail_list.htm
List FAQ : http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
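As an added illustration of Phil's suggestion (not configuration from either poster), this is a PIX 6.x site-to-site fragment for one side where the crypto ACL that selects tunnel traffic names only the two domain controllers, so nothing else on either LAN can ride the tunnel; all addresses, object names and the pre-shared key placeholder are assumptions, and the peer PIX needs the mirror image with the hosts and peer address swapped.

```cisco
! Added example, not from the thread. Assumed layout:
!   local DC  10.1.0.10  behind this PIX (inside)
!   remote DC 10.2.0.10  behind the peer PIX at 203.0.113.2
! Only DC-to-DC traffic matches the crypto map; everything else from the
! inside network is never offered to the tunnel at all.
access-list DC_REPL permit ip host 10.1.0.10 host 10.2.0.10

! Exempt the tunnelled traffic from NAT so the DCs see each other's real IPs
nat (inside) 0 access-list DC_REPL

! Phase 2 proposal
crypto ipsec transform-set DC_TS esp-aes-256 esp-sha-hmac

! Bind the DC-only ACL, the peer and the proposal into the crypto map
crypto map DC_MAP 10 ipsec-isakmp
crypto map DC_MAP 10 match address DC_REPL
crypto map DC_MAP 10 set peer 203.0.113.2
crypto map DC_MAP 10 set transform-set DC_TS
crypto map DC_MAP interface outside

! Phase 1 (IKE) with a pre-shared key tied to the single peer address
isakmp enable outside
isakmp key <PRESHARED-KEY-PLACEHOLDER> address 203.0.113.2 netmask 255.255.255.255
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption aes-256
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400

! Let decrypted IPsec traffic bypass the outside interface ACL
sysopt connection permit-ipsec
```

Because the ACL is host-to-host, adding a second DC at either site means adding another `access-list DC_REPL permit ip host ... host ...` line rather than widening it to a whole subnet.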
