Which is not to say that no firewalls support it. There are at least a
couple that do support it, even with NAT enabled.

As far as NetLogon (logging in to a PDC) goes, you don't necessarily need
port 137 if you have your LMHOSTS file configured completely and
correctly. 137/udp is used for WINS. You will need 138/udp and 139/tcp
for sure.

I do agree that VPNs are safer because the traffic can be encrypted and
authenticated between tunnel endpoints (but not between the domain
member and PDC in this case), but it may not be appropriate for this
person's setup.

-Rob Polansky
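Added example, not part of Rob's message or the original thread: a small
Python model of the allow-list he describes, i.e. 138/udp and 139/tcp from
the member server to the PDC, with 137/udp added only when the member cannot
resolve the PDC from LMHOSTS. It also builds the LMHOSTS line (#PRE and
#DOM: tags) that makes the 137/udp query unnecessary, and runs a constructed
set of packets through a default-deny filter so the effect of each choice is
visible. The addresses, host name and domain name are assumptions, and the
model assumes no NAT between the two hosts, since the thread says NetLogon
and NAT do not get along.

```python
from dataclasses import dataclass

# Constructed addresses and names for the example (assumptions, not from the thread).
MEMBER = "192.0.2.10"     # NT member server, outside the firewall
PDC = "198.51.100.5"      # NT PDC, inside the firewall
PDC_NAME = "PDC1"
DOMAIN = "EXAMPLE"


@dataclass(frozen=True)
class Rule:
    proto: str      # "tcp" or "udp"
    src: str
    dst: str
    dport: int
    why: str


def netlogon_rules(member, pdc, lmhosts_configured):
    """Minimum member -> PDC allow-list for an NT domain logon.

    138/udp and 139/tcp are always needed.  137/udp (NetBIOS name service,
    the port WINS answers on) is only needed when the member cannot resolve
    the PDC's name from LMHOSTS.
    """
    rules = [
        Rule("udp", member, pdc, 138, "NetBIOS datagram service"),
        Rule("tcp", member, pdc, 139, "NetBIOS session service (SMB / NetLogon)"),
    ]
    if not lmhosts_configured:
        rules.insert(0, Rule("udp", member, pdc, 137, "NetBIOS name service / WINS"))
    return rules


def lmhosts_entry(pdc_ip, pdc_name, domain):
    """LMHOSTS line that preloads the PDC name into the name cache (#PRE) and
    marks it as a domain controller for DOMAIN (#DOM:), so the member does
    not have to ask a WINS server on 137/udp to find its PDC."""
    return f"{pdc_ip}\t{pdc_name}\t#PRE\t#DOM:{domain}"


def filter_packets(rules, packets):
    """Default-deny filter: return (accepted, dropped) lists of
    (proto, src, dst, dport) tuples, keeping the input order."""
    allowed = {(r.proto, r.src, r.dst, r.dport) for r in rules}
    accepted = [p for p in packets if p in allowed]
    dropped = [p for p in packets if p not in allowed]
    return accepted, dropped


# Constructed sample of what a logon attempt could put on the wire.
SAMPLE_PACKETS = [
    ("udp", MEMBER, PDC, 137),   # name query: unnecessary once LMHOSTS is set
    ("udp", MEMBER, PDC, 138),   # datagram service
    ("tcp", MEMBER, PDC, 139),   # session service
    ("tcp", PDC, MEMBER, 139),   # wrong direction: PDC opening a session outward
    ("tcp", MEMBER, PDC, 135),   # not in the allow-list, so default-deny drops it
]


def logon_traffic_summary(lmhosts_configured=True):
    """Run the constructed packets through the policy for one configuration."""
    rules = netlogon_rules(MEMBER, PDC, lmhosts_configured)
    accepted, dropped = filter_packets(rules, SAMPLE_PACKETS)
    return {"accepted": accepted, "dropped": dropped}


if __name__ == "__main__":
    print("LMHOSTS:", lmhosts_entry(PDC, PDC_NAME, DOMAIN))
    for configured in (True, False):
        print(f"\nLMHOSTS configured: {configured}")
        for verdict, pkts in logon_traffic_summary(configured).items():
            for p in pkts:
                print(f"  {verdict:8s} {p[0]} {p[1]} -> {p[2]}:{p[3]}")
```

With LMHOSTS configured, only 138/udp and 139/tcp from the member to the
PDC get through; the 137/udp query, the reverse-direction 139/tcp session
and everything else are dropped. Flip lmhosts_configured to False and the
137/udp rule appears, which is the extra hole you avoid by maintaining
LMHOSTS.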
----------------------------------
> Date: Wed, 26 May 1999 09:06:09 +0930
> From: Ben Nagy <[EMAIL PROTECTED]>
> Subject: RE: which ports to allow PDC login ?
>
> I think you may be in some trouble. MS NETLOGON and most versions of NAT
> Don't Get Along (covered this month - thread "RE: "). And, as a few people
> covered, most firewalls use some kind of NAT to separate the internal and
> external networks... You have the ports right though. 137-139, and NETLOGON
> is tcp (can't remember the exact port, off the top of my head).
>
[snip]
>
> I really think you'd be better off re-working your architecture so that
> people didn't log in from the outside of the firewall to the inside. Apart
> from the technical problems in making it work, you'll have a raft of
> security issues due to the traffic you'll have to allow through the
> firewall. Maybe you can use a VPN type connection?
>
> Cheers,
>
> - --
> Ben Nagy
> Network Consultant, CPM&S Group of Companies
> Direct Dial: (08) 8422 8319 Mobile: (0414) 411 520
>  -----Original Message-----
> From:         Tally [mailto:[EMAIL PROTECTED]]
> Sent: Wednesday, May 26, 1999 5:29 AM
> To:   [EMAIL PROTECTED]
> Subject:      which ports to allow PDC login ?
>
> **********************************************************
> To allow a firewall logins by member NT servers into
> the PDC on the other side of the firewall, is it
> sufficient to allow only NetBIOS service ports ? are
> there any other ports that need to be opened up to
> allow the logins of member NT servers into the NT
> PDC ?
>
>  NT member ------FIREWALL ------ PDC
>   server
[snip]

-
[To unsubscribe, send mail to [EMAIL PROTECTED] with
"unsubscribe firewalls" in the body of the message.]