I would really suspect that this is soon not going to be true, and may not be at this point (don't know, haven't asked yet...). Think of it this way: NAP (Network Access Protection) is going to have one heck of a time working if DC <-> Member isn't a supported scenario. As to the 135 traffic on AuthN, I'd happily take a look at the trace. I'll have a few minutes tomorrow.

Rick

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of David Adner

I would normally look at the IPSec route, too, but it's not (as far as I know) supported by MS between domain members and DC's. It's supported member<->member and DC<->DC, but not members<->DC's. At least, not if Kerberos is used. Not sure how they feel about certs. Shared keys just wouldn't be an option.

Specifically, though, they have their backs up with 135. Do you know what's using it during a logon/GPO process?

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Rick Kingslan

David,

If you really, really want to use the absolute minimum ports through a firewall, use IPSec tunnel mode. However, your Network Engineers (or whoever manages your Firewalls) may not like it. Reason? Likely the same reason that I got when I suggested this at a previous employer: "Well, if you put it in IPSec tunnels, then we won't be able to see or sniff it." My question: "Why do you need to sniff or see it?" No answer....

Rick

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of David Adner

It's been a few weeks, so time for another question on ports. MS's whitepaper that discusses how to set up AD to communicate through a firewall (the one that focuses primarily on DC to DC communication) lists the following ports needed to service "User Login and Authentication" and "Computer Login and Authentication":

    445 TCP/UDP
    88 TCP/UDP
    389 UDP
    53 TCP/UDP

(I would add ICMP for GPO processing.)

Most people who normally respond to "what ports are needed..." include 135. I just ran a Netmon trace during a logon from an XP machine and do see some traffic hitting 135. I also see traffic hitting 137 and 139. I'm not good at reading traces so I don't really know what's happening besides the basic traffic flow. Does anyone know what 135 (and 139 I suppose) are being used for? And if they're blocked does it totally break everything or just limit certain functions? I am not worried about DC to DC communication. The scenario is member systems separated from DC's with a firewall and the network folks want to allow the absolute minimum ports.

Thx
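The practical question underneath this thread is which observed member-to-DC flows the whitepaper's documented list covers and which it does not, so the firewall team can make a deliberate decision about each leftover port rather than guess. The script below is an added example, not part of the original thread or of any Microsoft document: it reduces a logon trace to one flow per line (source, destination, protocol, destination port), checks each flow against exactly the four port entries quoted in the question plus the ICMP the poster adds for GPO processing, and reports what a firewall restricted to that list would drop. The trace records are constructed; a real Netmon or Wireshark capture would be exported to the same fields first. Service names come from the IANA/Microsoft well-known assignments (135 is the MS-RPC endpoint mapper, 137 and 139 are NetBIOS name and session service).

```python
"""Classify observed member -> DC flows against the documented logon port list.

Added example (not from the mailing-list thread). Input is one flow per line:
    <src> <dst> <proto> <dport>      ("-" for ICMP, which has no port)
"""
from collections import Counter

# The allow-list exactly as the thread quotes it from the whitepaper for
# "User Login and Authentication" / "Computer Login and Authentication",
# plus ICMP, which the original poster adds for GPO processing.
DOCUMENTED = {
    ("tcp", 445), ("udp", 445),   # Microsoft-DS / SMB (SYSVOL, GPO files)
    ("tcp", 88), ("udp", 88),     # Kerberos
    ("udp", 389),                 # LDAP over UDP (the list says UDP only)
    ("tcp", 53), ("udp", 53),     # DNS
    ("icmp", 0),                  # ICMP carries no port; 0 is a placeholder
}

# Well-known service names used only to label the report.
SERVICE_NAMES = {
    53: "DNS", 88: "Kerberos", 135: "MS-RPC endpoint mapper",
    137: "NetBIOS name service", 139: "NetBIOS session service",
    389: "LDAP", 445: "SMB (Microsoft-DS)",
}

# Constructed sample: what a logon trace from a member (10.1.1.50) to a
# DC (10.1.1.10) reduces to once each frame is collapsed to these fields.
SAMPLE_TRACE = """\
10.1.1.50 10.1.1.10 UDP 53
10.1.1.50 10.1.1.10 UDP 88
10.1.1.50 10.1.1.10 TCP 88
10.1.1.50 10.1.1.10 UDP 389
10.1.1.50 10.1.1.10 TCP 389
10.1.1.50 10.1.1.10 TCP 445
10.1.1.50 10.1.1.10 TCP 135
10.1.1.50 10.1.1.10 TCP 135
10.1.1.50 10.1.1.10 UDP 137
10.1.1.50 10.1.1.10 TCP 139
10.1.1.50 10.1.1.10 ICMP -
"""


def parse_flows(text):
    """Yield (src, dst, proto, port) tuples; ICMP records get port 0."""
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        src, dst, proto, port = line.split()
        proto = proto.lower()
        yield src, dst, proto, (0 if proto == "icmp" else int(port))


def classify(text, allowed=DOCUMENTED):
    """Return (covered, uncovered) Counters keyed by (proto, port)."""
    covered, uncovered = Counter(), Counter()
    for _src, _dst, proto, port in parse_flows(text):
        key = (proto, port)
        (covered if key in allowed else uncovered)[key] += 1
    return covered, uncovered


def report(text, allowed=DOCUMENTED):
    """Human-readable summary of what the documented list covers and misses."""
    covered, uncovered = classify(text, allowed)
    out = ["Flows covered by the documented allow-list:"]
    for (proto, port), n in sorted(covered.items()):
        label = "ICMP" if proto == "icmp" else f"{proto.upper()} {port}"
        out.append(f"  {label:10} {SERVICE_NAMES.get(port, ''):26} {n} frame(s)")
    out.append("Flows a firewall restricted to that list would drop:")
    for (proto, port), n in sorted(uncovered.items()):
        label = f"{proto.upper()} {port}"
        out.append(f"  {label:10} {SERVICE_NAMES.get(port, 'unknown'):26} {n} frame(s)")
    return "\n".join(out)


if __name__ == "__main__":
    print(report(SAMPLE_TRACE))
```

Run against the constructed trace, the report puts the RPC endpoint mapper (135) and the NetBIOS ports (137, 139) the poster saw in the "would drop" section, and also flags LDAP over TCP 389, which the quoted list does not include; each of those becomes an explicit allow-or-block decision instead of an unexplained failure during logon or GPO processing.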
