Ed, something is getting blocked. Run netstat on both machines to see whether the proper ports are connecting. Also use the netdiag and dcdiag tools.
Here are some details below with regard to ports and security that may help: configure the firewall to allow your DMZ host (only) to connect to the following services on your internal network (only, or as your testing requires):

Key/***********************************
* ADController = DC with Active Directory
* DDNSSERVER = Internal DNS server hosting your AD domain (could also be the ADController)
* DMZhost = Your 2000 server on the DMZ
******************************************

DMZhost -> ADController (allow and log)
  tcp >1023 -> tcp 389  (ldap)
  tcp >1023 -> tcp 445  (MS-ds)
  tcp >1023 -> tcp 3268 (GC)
  tcp >1023 -> tcp 88   (Kerb)
  tcp >1023 -> tcp 464  (Kerb-pass)
  udp >1023 -> udp 88   (Kerb)
  udp >1023 -> udp 464  (Kerb-pass)

DMZhost -> DDNSSERVER (allow and log)
  udp >1023 -> udp 53   (dns)

There are some serious security concerns associated with this config that you should be aware of before going to production - allowing internet traffic to get to the DMZ. In short, if your DMZhost is compromised then you're pretty much hosed. To mitigate these risks: harden the DMZ host (removing unnecessary services etc. per documentation at TechNet and other sites like securityfocus.com), install a host-based firewall/IDS and antivirus (and make sure all rules, signatures, etc. are up to date), and put it in a private VLAN. Also, look at file system integrity hashing methods like Tripwire, PGP, or others - even Windows FSE. You may also wish to research the .NET platform/vision and "Web Services" to see how SOAP and other protocols will alter all of the above. If I missed anything, others please chime in.

cheers,
byron

-----Original Message-----
From: Ed Esgro [mailto:[EMAIL PROTECTED]]
Sent: Friday, November 16, 2001 7:07 AM
To: NT 2000 Discussions
Subject: Can't login from DMZ

Hello all. Hope someone can shed some light. I have an AD domain. I have a 2K Server on a DMZ. The server can resolve both the IP and the FQDN of the DC on the secured network from the DMZ.
However, it cannot log in to the domain. The server just hangs. If I put the server on the internal network, it connects fine. What could I be missing that may be restricting the access? All ports and protocols are allowed.

------
You are subscribed as [EMAIL PROTECTED]
Archives: http://www.swynk.com/sitesearch/search.asp
To unsubscribe send a blank email to [EMAIL PROTECTED]
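The thread above lists the TCP/UDP services a DMZ host must reach on the DC and DNS server, and the reported symptom (name resolution works, the logon "just hangs") is exactly what a firewall that silently drops packets produces: the client waits out its timeout instead of getting a quick refusal. The script below is an added example, not code from either poster; it probes each TCP port from the rule list with a plain connect and distinguishes "open" (SYN/ACK), "refused" (RST, something answered but no service) from "filtered" (nothing came back before the timeout, the firewall signature), and it sends a raw UDP/53 query for the `_ldap._tcp.dc._msdcs.<domain>` SRV record that the DC locator needs before any LDAP or Kerberos traffic, since an A record resolving is not enough for a logon. The Kerberos UDP/88 and UDP/464 rules are not probed because a meaningful UDP probe there needs a well-formed AS-REQ; check those on the firewall log instead. Host names, addresses and the `selftest` local listener are assumptions for illustration.

```python
"""Probe the DMZ-host -> DC / DNS firewall rules from the DMZ host's point of view.
Added example for the thread above; not the posters' code. Run on the DMZ host as:
    python probe_dc.py <dc-address> <dns-address> <ad-domain>
"""
import socket
import struct
import sys

# TCP services the DMZ host needs on the domain controller (from the rule list above).
DC_TCP_PORTS = {389: "ldap", 445: "ms-ds", 3268: "gc", 88: "kerberos", 464: "kpasswd"}


def probe_tcp(host, port, timeout=3.0):
    """TCP connect to host:port. Returns 'open', 'refused', 'filtered' or 'error'.

    'filtered' (no SYN/ACK and no RST within the timeout) is what a firewall
    that silently drops packets looks like; it is the usual cause of a client
    that hangs instead of failing quickly.
    """
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.settimeout(timeout)
    try:
        s.connect((host, port))
        return "open"
    except ConnectionRefusedError:
        return "refused"
    except socket.timeout:
        return "filtered"
    except OSError:
        return "error"          # e.g. no route to host
    finally:
        s.close()


def build_srv_query(name, txn_id):
    """Encode a DNS query for an SRV record (QTYPE 33, class IN) in RFC 1035 wire format."""
    header = struct.pack("!HHHHHH", txn_id, 0x0100, 1, 0, 0, 0)   # RD=1, QDCOUNT=1
    qname = b"".join(bytes([len(label)]) + label.encode("ascii")
                     for label in name.strip(".").split("."))
    return header + qname + b"\x00" + struct.pack("!HH", 33, 1)


def parse_dns_reply(data, txn_id):
    """Return (rcode, answer_count) from a DNS reply, or None if the ID does not match."""
    rid, flags, _qd, an, _ns, _ar = struct.unpack("!HHHHHH", data[:12])
    if rid != txn_id:
        return None
    return flags & 0x000F, an


def probe_dns_srv(server, name, timeout=3.0, txn_id=0x1234):
    """Ask `server` over UDP/53 for SRV record `name`.

    Returns ('answer', rcode, answer_count), ('filtered', None, None) on timeout
    or ('error', None, None) if the packet could not be sent at all.
    """
    pkt = build_srv_query(name, txn_id)
    s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    s.settimeout(timeout)
    try:
        s.sendto(pkt, (server, 53))
        data, _ = s.recvfrom(4096)
    except socket.timeout:
        return ("filtered", None, None)
    except OSError:
        return ("error", None, None)
    finally:
        s.close()
    parsed = parse_dns_reply(data, txn_id)
    return ("filtered", None, None) if parsed is None else ("answer",) + parsed


def check_dc_access(dc_host, dns_server, domain):
    """Run every probe and return {check_name: result}."""
    report = {f"tcp/{port} ({svc})": probe_tcp(dc_host, port)
              for port, svc in DC_TCP_PORTS.items()}
    # The DC locator resolves this SRV record first; rcode 0 with answers means
    # the DMZ host can find a DC, rcode 3 (NXDOMAIN) means the AD zone is missing.
    srv = "_ldap._tcp.dc._msdcs." + domain
    report["udp/53 SRV " + srv] = probe_dns_srv(dns_server, srv)
    return report


def selftest():
    """Offline demonstration of the TCP outcomes against a local listener
    (constructed for the example): returns ('open', 'refused')."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))
    listener.listen(1)
    port = listener.getsockname()[1]
    while_open = probe_tcp("127.0.0.1", port, 1.0)
    listener.close()
    after_close = probe_tcp("127.0.0.1", port, 1.0)
    return while_open, after_close


if __name__ == "__main__":
    if len(sys.argv) != 4:
        sys.exit(__doc__)
    for name, result in check_dc_access(*sys.argv[1:4]).items():
        print(f"{name:50} {result}")
```

Read the output alongside the firewall's "allow and log" entries: a port reported "filtered" that never appears in the log means the packet is being dropped before it reaches the rule (or by a host firewall on the DC), while "refused" means the path is open and the service itself is not listening.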
