Active Directory across a Firewall

To access Active Directory across a firewall, the following table lists the ports that must be open from the client system to the domain controller, and which of four scenarios (trust, authentication, domain membership, DC-to-DC replication within a domain) each port is required for. The entries labelled RPC-A to RPC-D are not fixed port numbers: they stand for RPC ports that are dynamic by default and can be pinned to a chosen number with the registry keys and tool described below the table.

| Port Number | TCP or UDP | Purpose | Required for Trust | Required for Authentication | Required for Domain Member | Required for DC to DC within a domain |
|---|---|---|---|---|---|---|
| 42 | TCP | WINS Replication | | | | X |
| 53 | TCP & UDP | DNS | X | X | X | X |
| 88 | TCP & UDP | Kerberos | X | X | X | X |
| 123 | TCP & UDP | Time Service (NTP) | X | X | X | X |
| 135 | TCP | RPC Endpoint Mapper | X | X | X | X |
| 137 | UDP | NetBIOS Name | | | X | X |
| 138 | UDP | NetBIOS NetLogon and Browsing | X | X | X | X |
| 139 | TCP | NetBIOS Session | X | X | X | X |
| 389 | TCP & UDP | LDAP | X | X | X | X |
| 445 | TCP | SMB / CIFS | | | X | X |
| 464 | TCP | Kerberos Password Change Protocol (kpasswd) | | | X | X |
| 636 | TCP | LDAP-SSL | X | X | X | X |
| 749 | TCP & UDP | Kerberos ADM | X | X | X | X |
| 750 | TCP | Kerberos IV | X | X | X | X |
| 3268 | TCP | LDAP Global Catalog | X | X | X | X |
| 3269 | TCP | LDAP-SSL Global Catalog | X | X | X | X |
| RPC-D | TCP | DFS Replication (Windows 2008 and on) | | | | X |
| RPC-C | TCP | File Replication Services | | | | X |
| RPC-B | TCP | Directory Services | X | | | X |
| RPC-A | TCP | LSA / NetLogon | X | X | X | X |
| ICMP | - | Server Ping | X | X | X | X |
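The table is easier to act on as a check than as a list. The script below is an added example, not part of the original post: run from a client (or from a DC, for the DC-to-DC column) it probes which of the TCP ports required for a chosen scenario answer on a domain controller and reports the rest as not testable. The DC name, the role parameter names and the optional `-RpcPorts` hashtable (the pinned numbers for RPC-A to RPC-D) are assumptions; the port list itself is transcribed from the table. `Test-NetConnection` only tests TCP, so the UDP-only rows are listed but not probed.

```powershell
# Added example, not from the original post: probe which table ports a DC answers on.
# Assumptions: DC name, role names, and the -RpcPorts hashtable of pinned RPC ports.
param(
    [string]$DomainController = 'dc01.corp.example',   # assumed DC name
    [ValidateSet('Trust', 'Authentication', 'DomainMember', 'DCtoDC')]
    [string]$Role = 'DomainMember',
    # Assumed: ports pinned via the registry keys in the post, e.g. @{ 'RPC-A' = 38901 }
    [hashtable]$RpcPorts = @{}
)

# Role flags: T = Trust, A = Authentication, M = Domain Member, D = DC to DC
$table = @(
    @{ Port = 42;      Proto = 'TCP';     Purpose = 'WINS Replication';              Roles = 'D'    },
    @{ Port = 53;      Proto = 'TCP/UDP'; Purpose = 'DNS';                           Roles = 'TAMD' },
    @{ Port = 88;      Proto = 'TCP/UDP'; Purpose = 'Kerberos';                      Roles = 'TAMD' },
    @{ Port = 123;     Proto = 'TCP/UDP'; Purpose = 'Time Service (NTP)';            Roles = 'TAMD' },
    @{ Port = 135;     Proto = 'TCP';     Purpose = 'RPC Endpoint Mapper';           Roles = 'TAMD' },
    @{ Port = 137;     Proto = 'UDP';     Purpose = 'NetBIOS Name';                  Roles = 'MD'   },
    @{ Port = 138;     Proto = 'UDP';     Purpose = 'NetBIOS NetLogon and Browsing'; Roles = 'TAMD' },
    @{ Port = 139;     Proto = 'TCP';     Purpose = 'NetBIOS Session';               Roles = 'TAMD' },
    @{ Port = 389;     Proto = 'TCP/UDP'; Purpose = 'LDAP';                          Roles = 'TAMD' },
    @{ Port = 445;     Proto = 'TCP';     Purpose = 'SMB / CIFS';                    Roles = 'MD'   },
    @{ Port = 464;     Proto = 'TCP';     Purpose = 'Kerberos Password Change';      Roles = 'MD'   },
    @{ Port = 636;     Proto = 'TCP';     Purpose = 'LDAP-SSL';                      Roles = 'TAMD' },
    @{ Port = 749;     Proto = 'TCP/UDP'; Purpose = 'Kerberos ADM';                  Roles = 'TAMD' },
    @{ Port = 750;     Proto = 'TCP';     Purpose = 'Kerberos IV';                   Roles = 'TAMD' },
    @{ Port = 3268;    Proto = 'TCP';     Purpose = 'LDAP Global Catalog';           Roles = 'TAMD' },
    @{ Port = 3269;    Proto = 'TCP';     Purpose = 'LDAP-SSL Global Catalog';       Roles = 'TAMD' },
    @{ Port = 'RPC-D'; Proto = 'TCP';     Purpose = 'DFS Replication';               Roles = 'D'    },
    @{ Port = 'RPC-C'; Proto = 'TCP';     Purpose = 'File Replication Services';     Roles = 'D'    },
    @{ Port = 'RPC-B'; Proto = 'TCP';     Purpose = 'Directory Services';            Roles = 'TD'   },
    @{ Port = 'RPC-A'; Proto = 'TCP';     Purpose = 'LSA / NetLogon';                Roles = 'TAMD' },
    @{ Port = 'ICMP';  Proto = 'ICMP';    Purpose = 'Server Ping';                   Roles = 'TAMD' }
)

$flags = @{ Trust = 'T'; Authentication = 'A'; DomainMember = 'M'; DCtoDC = 'D' }
$flag  = $flags[$Role]

$report = foreach ($row in $table) {
    if ($row.Roles -notlike "*$flag*") { continue }   # not required for this scenario

    $status = switch -Wildcard ($row.Proto) {
        'ICMP' {
            if (Test-Connection -ComputerName $DomainController -Count 1 -Quiet) { 'reachable' } else { 'NO REPLY' }
        }
        'UDP'  { 'UDP only: not probed (Test-NetConnection tests TCP only)' }
        'TCP*' {
            $port = $row.Port
            if ($port -is [string]) {                 # RPC-A..RPC-D placeholder from the table
                if (-not $RpcPorts.ContainsKey($port)) { 'dynamic RPC port, not pinned: pass it via -RpcPorts'; break }
                $port = $RpcPorts[$port]
            }
            $tnc = Test-NetConnection -ComputerName $DomainController -Port $port -WarningAction SilentlyContinue
            if ($tnc.TcpTestSucceeded) { 'open' } else { 'BLOCKED or closed' }
        }
    }
    [pscustomobject]@{ Port = $row.Port; Proto = $row.Proto; Purpose = $row.Purpose; Status = $status }
}

$report | Format-Table -AutoSize
```

A "BLOCKED or closed" result on a port the role column marks as required is the firewall rule to chase first; a dual TCP/UDP row showing "open" only proves the TCP side, so the UDP half (DNS, Kerberos, NTP, LDAP) still has to be confirmed on the firewall itself.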

Registry keys that must be set on domain controllers to pin the dynamic RPC ports to the fixed numbers chosen for RPC-A, RPC-B and RPC-C (each value is a REG_DWORD holding the port number):

  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTFRS\Parameters\RPC TCP/IP Port Assignment (REG_DWORD): RPC-C
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Parameters\TCP/IP Port (REG_DWORD): RPC-B
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NetLogon\Parameters\DCTcpipPort (REG_DWORD): RPC-A

To set the DFS Replication port (RPC-D), use the DFSRDIAG tool installed with the OS and configure it with the StaticRPC option, specifying the port chosen for RPC-D.
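As an added example (not from the original post), the following script applies the three registry values and the DFS Replication setting on a domain controller in one pass, opens the pinned ports on the host firewall, and reads the registry back so the result can be verified. It must run in an elevated PowerShell session on the DC. The four port numbers are assumptions chosen for illustration; pick values from your own range and use the same numbers in the perimeter firewall rules.

```powershell
# Added example, not from the original post: pin RPC-A..RPC-D on a DC and verify.
# Assumptions: the port numbers below and the firewall rule name.
$pinned = @{
    'RPC-A' = 38901   # LSA / NetLogon
    'RPC-B' = 38902   # Directory Services (NTDS)
    'RPC-C' = 38903   # File Replication Service (only if NTFRS is still in use)
    'RPC-D' = 38904   # DFS Replication (set with dfsrdiag, not a registry value)
}

$base = 'HKLM:\SYSTEM\CurrentControlSet\Services'
$settings = @(
    @{ Service = 'Netlogon'; Path = "$base\Netlogon\Parameters"; Name = 'DCTcpipPort';                Port = $pinned['RPC-A'] },
    @{ Service = 'NTDS';     Path = "$base\NTDS\Parameters";     Name = 'TCP/IP Port';                Port = $pinned['RPC-B'] },
    @{ Service = 'NtFrs';    Path = "$base\NTFRS\Parameters";    Name = 'RPC TCP/IP Port Assignment'; Port = $pinned['RPC-C'] }
)

foreach ($s in $settings) {
    # Skip services that are not installed (e.g. NTFRS on a DC whose SYSVOL already uses DFSR)
    if (-not (Get-Service -Name $s.Service -ErrorAction SilentlyContinue)) {
        Write-Warning "$($s.Service) service not present, skipping $($s.Name)"
        continue
    }
    if (-not (Test-Path $s.Path)) { New-Item -Path $s.Path -Force | Out-Null }
    # REG_DWORD as the post specifies; -Force overwrites an existing value
    New-ItemProperty -Path $s.Path -Name $s.Name -PropertyType DWord -Value $s.Port -Force | Out-Null
}

# DFS Replication is configured with dfsrdiag StaticRPC rather than a registry value
if (Get-Command dfsrdiag.exe -ErrorAction SilentlyContinue) {
    dfsrdiag StaticRPC /port:$($pinned['RPC-D']) /member:$env:COMPUTERNAME
} else {
    Write-Warning 'dfsrdiag.exe not found (DFS Replication tools not installed), RPC-D not set'
}

# Allow the pinned ports inbound on the DC's host firewall. The perimeter firewall
# needs matching rules, plus TCP 135 so clients can still reach the endpoint mapper.
$portList = @($pinned.Values | Sort-Object)
New-NetFirewallRule -DisplayName 'AD pinned RPC ports (TCP)' -Direction Inbound `
    -Protocol TCP -LocalPort $portList -Action Allow -Profile Domain | Out-Null

# Read back what is actually stored; the new ports take effect only after the
# affected services (or the DC itself) have been restarted.
foreach ($s in $settings) {
    $v = Get-ItemProperty -Path $s.Path -Name $s.Name -ErrorAction SilentlyContinue
    [pscustomobject]@{ Service = $s.Service; Value = $s.Name; Port = $v.($s.Name) }
}
```

Keep the pinned numbers documented alongside the firewall rules: once these values are set, the RPC-A to RPC-D rows of the table above become ordinary fixed ports that the firewall can allow explicitly instead of opening the whole dynamic range.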
