Hi,

Personally I agree with the approach being followed (allowing only traffic between certain hosts). However, remember to design/implement your replication topology in such a way that AD will not try to replicate between DCs that are not allowed to communicate through your tunnel! This can and will lead to ugly problems!
Just a little reminder, because I've seen it happening :p!

Cheers!
John

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Lou Vega
Sent: Tuesday, 11 January 2005 17:13
To: [email protected]
Subject: RE: [ActiveDir] Slightly OT: Pix config for AD Replication

Actually we are restricting which IPs can use the tunnel; there are only a few hosts on each site using the tunnel to pass data back and forth.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Renouf, Phil
Sent: Tuesday, January 11, 2005 11:03 AM
To: [email protected]
Subject: RE: [ActiveDir] Slightly OT: Pix config for AD Replication

From a security standpoint, only allowing communication via specific ports is always a better option, but in the case of Active Directory you need to open so many ports to enable full communication between the DCs that it's really pointless to lock it down by port. I would recommend setting up the VPN and making sure to restrict what IPs are able to use the tunnel.

Phil

List info : http://www.activedir.org/mail_list.htm
List FAQ : http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
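The two points made in this thread (restrict the tunnel by host rather than by port, and then make sure the replication topology only pairs DCs that the tunnel actually permits) can be cross-checked offline. The following is an added example, not code from the thread or from any of its authors. It parses a constructed PIX-style "interesting traffic" ACL, a constructed DC inventory, and a constructed list of replication connections in the sense of `repadmin /showconn` (destination pulls from source), then flags every inter-site connection whose host pair is not covered by the ACL. All addresses, DC names and site names are hypothetical.

```python
"""Cross-check AD replication connections against a site-to-site tunnel ACL.

Added example; not from the ActiveDir thread. All data below is constructed.
"""
import ipaddress
import re

# Constructed PIX-style crypto ACL: the host pairs allowed into the tunnel.
# Addresses are hypothetical.
TUNNEL_ACL = """\
access-list vpn-traffic permit ip host 10.1.0.10 host 10.2.0.10
access-list vpn-traffic permit ip host 10.2.0.10 host 10.1.0.10
"""

# Constructed DC inventory: name -> (AD site, IP address)
DCS = {
    "DC1": ("HQ", "10.1.0.10"),
    "DC2": ("HQ", "10.1.0.11"),
    "DC3": ("Branch", "10.2.0.10"),
    "DC4": ("Branch", "10.2.0.11"),
}

# Constructed replication connection objects as (source DC, destination DC).
# The last one is the trap John warns about: the KCC happily builds it,
# but the firewall never lets DC2 reach DC4.
CONNECTIONS = [
    ("DC1", "DC2"),
    ("DC3", "DC1"),
    ("DC1", "DC3"),
    ("DC4", "DC2"),
]

# Only 'permit ip host X host Y' lines are understood; subnet and deny
# lines are deliberately ignored in this example.
_ACL_RE = re.compile(
    r"^access-list\s+\S+\s+permit\s+ip\s+host\s+(\S+)\s+host\s+(\S+)\s*$"
)


def parse_tunnel_acl(text):
    """Return the set of unordered host pairs the tunnel ACL permits.

    Pairs are unordered because the peer PIX has to carry the mirror-image
    ACL for the tunnel to come up at all, so direction adds nothing here.
    """
    allowed = set()
    for line in text.splitlines():
        m = _ACL_RE.match(line.strip())
        if not m:
            continue
        a, b = (ipaddress.ip_address(x) for x in m.groups())
        allowed.add(frozenset((a, b)))
    return allowed


def find_blocked_connections(connections, dcs, allowed):
    """Return inter-site connections whose DC pair the tunnel ACL does not permit."""
    blocked = []
    for src, dst in connections:
        src_site, src_ip = dcs[src]
        dst_site, dst_ip = dcs[dst]
        if src_site == dst_site:
            continue  # intra-site replication never touches the tunnel
        pair = frozenset((ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)))
        if pair not in allowed:
            blocked.append((src, dst))
    return blocked


def tunnel_capable_dcs(dcs, allowed):
    """Per site, the DCs that have a permitted pair with a DC in another site.

    These are the only sensible candidates for preferred bridgehead servers;
    letting the KCC pick any other DC recreates the problem.
    """
    by_ip = {ipaddress.ip_address(ip): (name, site) for name, (site, ip) in dcs.items()}
    result = {site: set() for site, _ in dcs.values()}
    for pair in allowed:
        ips = list(pair)
        if len(ips) != 2:
            continue  # degenerate 'host X host X' entry
        n1, s1 = by_ip.get(ips[0], (None, None))
        n2, s2 = by_ip.get(ips[1], (None, None))
        if n1 is None or n2 is None or s1 == s2:
            continue
        result[s1].add(n1)
        result[s2].add(n2)
    return result


if __name__ == "__main__":
    allowed_pairs = parse_tunnel_acl(TUNNEL_ACL)
    for src, dst in find_blocked_connections(CONNECTIONS, DCS, allowed_pairs):
        print(f"replication {dst} <- {src} will fail: pair not permitted by tunnel ACL")
    for site, names in tunnel_capable_dcs(DCS, allowed_pairs).items():
        print(f"site {site}: candidate bridgeheads {sorted(names)}")
```

In a real environment the constructed inputs would be replaced by the PIX configuration, the DC/site list, and the output of `repadmin /showconn` or the site's connection objects; the check itself stays the same. The remedy for a flagged connection is in the topology, not the firewall: define the sites, subnets and site links so that only the tunnel-capable DCs are bridgeheads, rather than opening the tunnel to every DC.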
