Firewall guys are somewhat unclear regarding the relationship of "ports" and 
their implications in a security context.

Often the easiest way to get around these guys is to use IPsec between the DMZ 
host and any other host on the intranet. Then you only need to allow UDP port 
500. That makes the firewall guy happy and allows all protocols through the 
IPsec tunnel.

From: Brian Desmond [mailto:[email protected]]
Sent: Thursday, January 06, 2011 8:33 AM
To: NT System Admin Issues
Subject: RE: AD and firewall ports

IIRC that KB that describes restricting DCOM ports actually explicitly 
recommends 100…

Thanks,
Brian Desmond
[email protected]

c   – 312.731.3132

From: joseph palmieri [mailto:[email protected]]
Sent: Wednesday, January 05, 2011 6:54 PM
To: NT System Admin Issues
Subject: AD and firewall ports


Need assistance with firewall ports and Active Directory. Our server admin 
submitted a change request to open over 1000 ports to support AD. The change was 
denied and resubmitted requesting a minimum of 100 ports to support RPC 
communications to a member server within our DMZ. Our firewall engineers stated 
that while monitoring the firewall only 20 ports were communicated over and 100 
ports are not needed.

Has anyone had experience with this issue and can provide some clarity…are the 
server admins looking for an easy way out by requesting all these ports?



~ Finally, powerful endpoint security that ISN'T a resource hog! ~
~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/>  ~

---
To manage subscriptions click here: 
http://lyris.sunbelt-software.com/read/my_forums/
or send an email to 
[email protected]
with the body: unsubscribe ntsysadmin
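The 100-port request above is the usual workaround for RPC dynamic endpoint allocation: the 20 ports the firewall team observed are just the ones RPC happened to hand out from the full ephemeral range during that window, so the durable fix is to pin that range and permit only it. Added example, not from any poster in this thread, assuming the DCs the DMZ server talks to run Windows Server 2008 or later, that 50000-50099 is unused, and that 192.0.2.10 stands in for the DMZ member server:

```powershell
# Added example (not from the thread). Pin the RPC dynamic port range on the
# domain controllers the DMZ member server talks to, so the firewall only has
# to permit the well-known AD ports plus one small, documented range.
# ASSUMPTION: 50000-50099 is free in your environment. Run elevated; reboot after.

$Start = 50000
$Count = 100
$End   = $Start + $Count - 1
$Range = "$Start-$End"

# 1. Current ephemeral range (default on Server 2008+ is 49152-65535).
netsh int ipv4 show dynamicport tcp

# 2. Shrink the ephemeral range RPC/DCOM allocates endpoints from.
netsh int ipv4 set dynamicport tcp start=$Start num=$Count
netsh int ipv6 set dynamicport tcp start=$Start num=$Count

# 3. The registry method Microsoft documents for RPC port restriction; keep it
#    consistent with step 2 so every RPC endpoint lands inside the same range.
$rpcKey = 'HKLM:\SOFTWARE\Microsoft\Rpc\Internet'
New-Item -Path $rpcKey -Force | Out-Null
Set-ItemProperty -Path $rpcKey -Name 'Ports' -Type MultiString -Value @($Range)
Set-ItemProperty -Path $rpcKey -Name 'PortsInternetAvailable' -Type String -Value 'Y'
Set-ItemProperty -Path $rpcKey -Name 'UseInternetPorts'       -Type String -Value 'Y'

# 4. Host firewall on the DC: allow the pinned range from the DMZ host only.
#    ASSUMPTION: 192.0.2.10 is a placeholder for the DMZ member server's address.
netsh advfirewall firewall add rule name="RPC dynamic (DMZ member)" dir=in action=allow protocol=TCP localport=$Range remoteip=192.0.2.10

# 5. Perimeter change request for member -> DC traffic now reduces to:
#    TCP/UDP 53, 88, 389, 464; TCP 135, 445, 636, 3268, 3269; UDP 123; TCP $Range.
```

After the reboot, `netstat -ano` on the DC should show RPC listeners only inside the pinned range, which is the evidence the firewall team can verify against the change request.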