On Wed, May 20, 2009 at 9:38 AM, KenM <[email protected]> wrote:
> Your security guys will not like the answer but you will have to open all
> ports above 1024. RPC uses a random port.
In theory, a firewall that's aware of RPC at the application layer could do it (if such things exist). You might also be able to tell the Microsoft services to only use specific ports (a lot of their stuff can do that via registry settings).

The real problem, as I see it, is that I wouldn't recommend letting AD traffic cross a DMZ barrier in the first place. As I understand it, those protocols include a lot of functionality that can't be selectively controlled, so that's a real security exposure, which kind of defeats the point of having a DMZ in the first place.

-- Ben
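For readers who want to see what "tell the Microsoft services to only use specific ports" looks like in practice, the script below is an added example, not code from either poster. It pins the two AD RPC listeners that Windows lets you fix through the registry (NTDS replication via `TCP/IP Port`, Netlogon via `DCTcpipPort`), narrows the RPC dynamic port range with `netsh`, and reads the result back so it can be matched against the firewall rule. The port numbers and range size are assumptions chosen for the example; run it elevated on the domain controller and reboot afterwards for the registry values to take effect.

```powershell
# Added example (not from the thread): restrict AD-related RPC listeners on a
# domain controller to known ports so a DMZ firewall can allow a short list
# (135 for the endpoint mapper, the two fixed ports, and the dynamic range)
# instead of "everything above 1024". Port numbers below are assumptions.
#Requires -RunAsAdministrator

$NtdsPort     = 38901   # assumed: fixed port for AD replication (NTDS) RPC
$NetlogonPort = 38902   # assumed: fixed port for Netlogon RPC
$DynStart     = 49152   # assumed: first port of the RPC/ephemeral dynamic range
$DynCount     = 1024    # assumed: size of that range (49152-50175)

$NtdsKey     = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
$NetlogonKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'

# 1. Fix the NTDS (directory replication) RPC listener to one port.
Set-ItemProperty -Path $NtdsKey -Name 'TCP/IP Port' -Type DWord -Value $NtdsPort

# 2. Fix the Netlogon RPC listener to one port.
Set-ItemProperty -Path $NetlogonKey -Name 'DCTcpipPort' -Type DWord -Value $NetlogonPort

# 3. Narrow the dynamic range the endpoint mapper hands out to everything else,
#    so the remaining RPC traffic fits one firewall rule instead of 1024-65535.
netsh int ipv4 set dynamicport tcp start=$DynStart num=$DynCount | Out-Null
netsh int ipv6 set dynamicport tcp start=$DynStart num=$DynCount | Out-Null

# Read back what is now configured so it can be compared with the DMZ rule set.
function Get-AdRpcPortConfig {
    $ntds = (Get-ItemProperty -Path $NtdsKey -ErrorAction SilentlyContinue).'TCP/IP Port'
    $nl   = (Get-ItemProperty -Path $NetlogonKey -ErrorAction SilentlyContinue).DCTcpipPort
    $dyn  = netsh int ipv4 show dynamicport tcp |
            Where-Object { $_ -match 'Start Port|Number of Ports' }
    [pscustomobject]@{
        EndpointMapper = 135
        NtdsPort       = $ntds
        NetlogonPort   = $nl
        DynamicRange   = ($dyn -join '; ').Trim()
    }
}

Get-AdRpcPortConfig | Format-List
```

The firewall rule then has to allow TCP 135 plus the ports this script reports (and the non-RPC AD ports such as Kerberos, LDAP and SMB, which are fixed anyway). An alternative that works for all RPC servers on a host rather than just these two is the `HKLM\SOFTWARE\Microsoft\Rpc\Internet` key (`Ports`, `PortsInternetAvailable`, `UseInternetPorts`), which tells the RPC runtime itself which range to allocate from. Neither changes the point made in the reply above: pinning the ports shrinks the firewall rule, it does not make it selective about what the AD protocols can do once they are through it.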
