You'll break GPOs.

We block ICMP to all VLANs except to our management VLAN (where the DCs roam).

Tim

________________________________

From: [EMAIL PROTECTED] on behalf of Tom Kern
Sent: Fri 12/30/2005 9:27 AM
To: [email protected]
Subject: Re: [ActiveDir] icmp's


All ICMP traffic is being blocked between clients and DCs by a PIX firewall.

I just want to know how this will affect client logons.

I don't use the XP SP2 FW.

I'm not sure I understand "Beads" comment about blocking it on a straight LAN.
How can you block traffic on a non-segmented LAN?
Something has to be blocking the traffic on a L3 switch/router or on a firewall
sitting between networks or VLANs, etc.
We don't use personal sw firewalls here.

Anyway, what I really would like to know is: will blocking ICMPs on a PIX FW
between clients and DCs affect client logons or GPO processing?
 
Thanks a lot

 
On 12/30/05, Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP] <[EMAIL PROTECTED]> wrote:

        Group policy issues.
        
        On the XP SP2 machines if you enable the firewall but allow 445
        traffic... merely enabling 445 will also allow ICMP.
        Product team did this because they need it for group policy.
        
        See discussion on focusonms listserve way back when XP SP2 first came out.
        
        [Fire up your firewall and in the advanced window you can see it too]
        
        Tom Kern wrote:
        
        > What effect would blocking ICMP packets on all VLANs have on Win2k/XP
        > client logons in a Win2k forest?
        > Any?
        >
        > I know clients ping DCs to see which responds first and later ping
        > DCs to determine round trip time for GPO processing, but would
        > blocking ICMPs have any adverse effects on clients?
        > I only ask because my corp blocks ICMPs on all our VLANs and I get a
        > lot of event ID 1000 from Userenv with error code of 59 which, when I
        > looked up, refers to network connectivity issues. I think this event
        > ID is related to the fact we block ICMP packets and I was wondering if
        > that's something I should worry about in a Win2k network.
        > Thanks
        