You also need to specify what is where ...
... AD servers in the DMZ / outside, or the client PCs in the DMZ / outside?
Hopefully AD is inside ... but then again, hopefully you would use a VPN for
the outside boxes to connect.


One possible, semi-allowable exception - multiple firewalls, either layered
or separate ... AD is supposed to be all encrypted, no?

Separate:
Running on theory here ... you would still hopefully use a PIX-to-PIX VPN!
But ... I believe TCP ports 135-139 and 445 are used; I don't know if all are
needed, though.

Layered:
We have one client that has the primary firewall, which has the AD server
and some Web/app servers ... they also have another PIX behind the first PIX,
which then houses some DB servers.  I believe the DB servers were able to
join the domain without any config changes, as they were outbound connections.
One issue we had: the DB servers registered themselves in DDNS with their
INTERNAL addresses, so all of the other boxes using AD-provided DNS could not
reach them <... address to reach them>.


Thanks!
TJ
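An added example, not part of this message or of anything posted in the thread: a small Python checker that parses a PIX-style access list and reports which of the flows a domain member needs toward its DC are not permitted end to end, plus which permits are so broad that they amount to the "one popped DMZ box owns the domain" problem. Everything in it is an assumption for illustration: the port table is taken from Microsoft's published port requirements for Windows 2000 domain members (verify it against your own DCs, in particular the dynamic RPC range), the addresses and the access list are constructed, and only the `access-list NAME permit|deny PROTO SRC [eq|range] DST [eq|range]` syntax with `any`, `host A.B.C.D` and `A.B.C.D MASK` is parsed (no `conduit`, no object-groups).

```python
import ipaddress

# Flows a member needs toward its DC: (proto, low_port, high_port, purpose).
# ASSUMPTION: Microsoft's documented Windows 2000 port list; verify on your DC.
AD_FLOWS = [
    ("tcp", 53, 53, "DNS"), ("udp", 53, 53, "DNS"),
    ("tcp", 88, 88, "Kerberos"), ("udp", 88, 88, "Kerberos"),
    ("tcp", 135, 135, "RPC endpoint mapper"), ("tcp", 139, 139, "NetBIOS session"),
    ("udp", 137, 137, "NetBIOS name"), ("udp", 138, 138, "NetBIOS datagram"),
    ("tcp", 389, 389, "LDAP"), ("udp", 389, 389, "LDAP (DC locator ping)"),
    ("tcp", 445, 445, "SMB (SYSVOL, Netlogon)"), ("tcp", 3268, 3268, "global catalog"),
    ("tcp", 464, 464, "Kerberos kpasswd"), ("udp", 464, 464, "Kerberos kpasswd"),
    # Replication and Netlogon RPC land on dynamic high ports: 1024-65535 on
    # Windows 2000 unless the range is pinned on the DC through the registry.
    ("tcp", 1024, 65535, "dynamic RPC (replication, Netlogon)"),
]

def _parse_addr(t, i):
    """'any', 'host A.B.C.D' or 'A.B.C.D MASK' -> (network, next index)."""
    if t[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if t[i] == "host":
        return ipaddress.ip_network(t[i + 1] + "/32"), i + 2
    return ipaddress.ip_network(f"{t[i]}/{t[i + 1]}", strict=False), i + 2

def _parse_ports(t, i):
    """Optional 'eq N' or 'range A B' -> ((low, high), next index); default all."""
    op = t[i] if i < len(t) else None
    if op == "eq":
        return (int(t[i + 1]), int(t[i + 1])), i + 2
    if op == "range":
        return (int(t[i + 1]), int(t[i + 2])), i + 3
    return (0, 65535), i

def parse_acl(text):
    """Parse 'access-list NAME permit|deny PROTO SRC [op] DST [op]' lines."""
    rules = []
    for line in text.splitlines():
        t = line.split()
        if len(t) < 6 or t[0] != "access-list" or t[2] not in ("permit", "deny"):
            continue  # remarks, blank lines, unsupported syntax
        src, i = _parse_addr(t, 4)
        sport, i = _parse_ports(t, i)
        dst, i = _parse_addr(t, i)
        dport, _ = _parse_ports(t, i)
        rules.append({"name": t[1], "action": t[2], "proto": t[3].lower(),
                      "src": src, "sport": sport, "dst": dst, "dport": dport})
    return rules

def allowed(rules, proto, src_ip, dst_ip, dport):
    """PIX semantics: first matching line wins; no match is an implicit deny."""
    for r in rules:
        if (r["proto"] in ("ip", proto) and src_ip in r["src"] and dst_ip in r["dst"]
                and r["dport"][0] <= dport <= r["dport"][1]):
            return r["action"] == "permit"
    return False

def _probe_ports(rules, lo, hi):
    """Ports in [lo, hi] where the verdict can change: range ends and rule edges."""
    pts = {lo, hi}
    for r in rules:
        for b in (r["dport"][0] - 1, r["dport"][0], r["dport"][1], r["dport"][1] + 1):
            if lo <= b <= hi:
                pts.add(b)
    return sorted(pts)

def missing_flows(acl_text, member_ip, dc_ip):
    """Required flows the ACL does not permit end to end from member to DC."""
    rules = parse_acl(acl_text)
    src, dst = ipaddress.ip_address(member_ip), ipaddress.ip_address(dc_ip)
    return [f for f in AD_FLOWS
            if not all(allowed(rules, f[0], src, dst, p) for p in _probe_ports(rules, f[1], f[2]))]

def overly_broad(acl_text):
    """Permits with no port scoping at all: one compromised DMZ host then gets
    every DC service, which is the objection raised in the reply quoted below."""
    return [r for r in parse_acl(acl_text) if r["action"] == "permit"
            and (r["proto"] == "ip" or (r["proto"] in ("tcp", "udp") and r["dport"] == (0, 65535)))]

# Constructed sample (not a real config): DMZ member 192.168.10.5, inside DC
# 10.0.0.10, with roughly the ports named in the message above opened.
SAMPLE_ACL = """
access-list dmz_in permit tcp host 192.168.10.5 host 10.0.0.10 range 135 139
access-list dmz_in permit tcp host 192.168.10.5 host 10.0.0.10 eq 445
access-list dmz_in permit udp host 192.168.10.5 host 10.0.0.10 range 137 138
access-list dmz_in permit tcp host 192.168.10.5 host 10.0.0.10 eq 389
access-list dmz_in permit tcp host 192.168.10.5 host 10.0.0.10 eq 88
access-list dmz_in permit tcp host 192.168.10.5 host 10.0.0.10 eq 53
access-list dmz_in permit udp host 192.168.10.5 host 10.0.0.10 eq 53
access-list dmz_in deny ip any any
"""

if __name__ == "__main__":
    for proto, lo, hi, why in missing_flows(SAMPLE_ACL, "192.168.10.5", "10.0.0.10"):
        print(f"missing {proto}/{lo}-{hi}: {why}")
    for r in overly_broad(SAMPLE_ACL.replace("deny ip any any", "permit ip any any")):
        print("overly broad:", r["name"], r["proto"], r["src"], "->", r["dst"])
```

Run against the constructed sample, the checker lists the UDP Kerberos and LDAP flows, the global catalog, kpasswd and the whole dynamic RPC range as not permitted, and flags nothing as overly broad; swap the final `deny` for `permit ip any any` and nothing is missing but that one line is flagged. The dynamic RPC range is the part that makes "join and replicate through a PIX" uncomfortable: either pin the DC's RPC ports and open only those, or accept a wide high-port hole toward the DC, which is exactly the kind of exception the checker is meant to make visible.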

 -----Original Message-----
From:   Patrick Ramsey [mailto:[EMAIL PROTECTED]] 
Sent:   Thursday, September 13, 2001 11:24 AM
To:     [EMAIL PROTECTED]
Subject:        Re: Active Directory Ports & PIX [7:19772]

Allowing a server access to all domain functions completely defies putting
it in a DMZ ... that means if any one person broke into a box in the DMZ, he
has access to the entire domain ... not a good idea.

-Patrick

>>> "Dave Luancing"  09/13/01 10:36AM >>>
Does anyone know what ports need to be opened in a PIX
to allow servers to join the domain and replicate?

Thanks,
         Dave

Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=20092&t=19772