Check out this article for restricting the range of dynamic
ports used by RPC/DCOM.
Darren
Darren Mar-Elia
For comprehensive
Windows Group Policy Information, check out www.gpoguy.com-- the best source for GPO FAQs,
video training, tools and whitepapers. Also check out the Windows
Group Policy Guide, the definitive resource for Group Policy
information.
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Andy Wang
Sent: Thursday, July 27, 2006 12:02 PM
To: [email protected]
Subject: [ActiveDir] Firewall block Group Policy
When user on VPN network, they can not apply Group Policy since there is a firewall between VPN network and Internal network. Now, I need to find out how many ports are required to allow clients to successfully apply group policy.
Based on KB832017, "To successfully apply Group Policy, a client must be able to contact a domain controller over the DCOM, ICMP, LDAP, SMB, and RPC protocols."
Here is the list port information:
Application protocol Protocol Ports
DCOM TCP + UDP random port number between 1024 - 65534
ICMP (ping) ICMP 20
LDAP TCP 389
SMB TCP 445
RPC TCP 135, random port number between 1024 - 65534
It is not feasible to open up so many high ports (1024 - 65534). So do you have any recommendation for this issue?
Thanks in advance!
Andy
