Actually, we are restricting which IPs can use the tunnel; there are only a few hosts on each site using the tunnel to pass data back and forth.
-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Renouf, Phil
Sent: Tuesday, January 11, 2005 11:03 AM
To: [email protected]
Subject: RE: [ActiveDir] Slightly OT: Pix config for AD Replication

From a security standpoint, only allowing communication via specific ports is always a better option, but in the case of Active Directory you need to open so many ports to enable full communication between the DCs that it's really pointless to lock it down by port. I would recommend setting up the VPN and making sure to restrict what IPs are able to use the tunnel.

Phil

List info : http://www.activedir.org/mail_list.htm
List FAQ : http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
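The approach both posters settle on (tunnel everything between the DCs, but only for a handful of hosts) is expressed on a PIX by the crypto access-list that selects traffic for the tunnel. The fragment below is an added, constructed illustration of that idea, not configuration from either poster; every address, name and peer in it is hypothetical, and it assumes PIX 6.3-era software (substitute esp-3des for esp-aes on older images). Only the listed DC pairs are ever encrypted and sent across the tunnel; anything else between the sites is simply not tunnelled.

```cisco
! Site A PIX (inside 10.1.0.0/24, outside 203.0.113.1) -- hypothetical addresses.
! Two DCs at site A are allowed to reach one DC at site B through the tunnel.
access-list vpn_to_siteb permit ip host 10.1.0.10 host 10.2.0.10
access-list vpn_to_siteb permit ip host 10.1.0.11 host 10.2.0.10
!
! Tunnelled traffic must not be NATed, so exempt exactly the same host pairs.
nat (inside) 0 access-list vpn_to_siteb
!
! IKE (phase 1) with a pre-shared key bound to the single remote peer.
isakmp enable outside
isakmp key ******** address 203.0.113.2 netmask 255.255.255.255
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption aes
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
!
! IPsec (phase 2): the crypto map ties the interesting-traffic ACL to the peer.
crypto ipsec transform-set dc_set esp-aes esp-sha-hmac
crypto map vpnmap 10 ipsec-isakmp
crypto map vpnmap 10 match address vpn_to_siteb
crypto map vpnmap 10 set peer 203.0.113.2
crypto map vpnmap 10 set transform-set dc_set
crypto map vpnmap interface outside
!
! Let decrypted tunnel traffic bypass the outside interface ACL.
sysopt connection permit-ipsec
```

Two checks worth making on a setup like this: the peer's crypto access-list must be the exact mirror of vpn_to_siteb (same host pairs with source and destination swapped) or phase 2 negotiation fails, and `sysopt connection permit-ipsec` means the outside ACL is not consulted for decrypted packets, so the crypto ACL is the only thing limiting which hosts talk through the tunnel. If you would rather have the interface ACL enforced as a second layer, leave that sysopt out and permit the DC pairs explicitly in the outside access-list.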
