Re: AD what tcp/ip port or registry settings?



By the way, the size of the ICMP (ping) packet is 2048. Figured this might
be worth mentioning as some firewall vendors (e.g. Checkpoint) object to
ICMP packets over a given size and/or you might have other devices set up to
drop ICMP.

I'm also assuming that the client workstations point to a DNS server that
contains the required SRV entries for the domain. (e.g. Clients and servers
point to the same DNS servers)

"neo [mvp outlook]" <neo@xxxxxxxxxxxxxxx> wrote in message
news:eBANBs1ZFHA.3572@xxxxxxxxxxxxxxxxxxxxxxx
> Is ICMP allowed across the firewall? (ICMP is needed in order to have
> GPOs be processed.)
>
> "MarcusB" <marcusb@xxxxxxxxx> wrote in message
> news:OInKwP1ZFHA.3096@xxxxxxxxxxxxxxxxxxxxxxx
>> We have our domain controllers behind the firewall. To be able to work we
>> opened a lot of ports. All are in the list below. We also changed the
>> registry to make RPC use one port:
>> [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Parameters]
>> "TCP/IP Port"=dword:0000c000
>>
>> OPENED PORTS ON THE FIREWALL separating clients and servers. Servers and
>> clients are in the same building but separated by a firewall.
>>
>> Service Port/protocol
>> RPC endpoint mapper 135/tcp, 135/udp
>> NetBIOS name service 137/tcp, 137/udp
>> NetBIOS datagram service 138/udp
>> NetBIOS session service 139/tcp
>> RPC static port for AD replication 49152/tcp
>> SMB over IP (Microsoft-DS) 445/tcp, 445/udp
>> LDAP 389/tcp
>> LDAP over SSL 636/tcp
>> Global catalog LDAP 3268/tcp
>> Global catalog LDAP over SSL 3269/tcp
>> Kerberos 88/tcp, 88/udp
>> DNS 53/tcp, 53/udp
>> WINS resolution (if required) 1512/tcp, 1512/udp
>> WINS replication (if required) 42/tcp, 42/udp
>> Network time protocol (NTP) 123/udp
>>
>> Everything is working, but it takes a long time to log in. If I go with a
>> laptop directly behind the firewall it takes 2-5 seconds to log in. If we
>> are behind the firewall it takes 30 seconds or longer.
>> How do we solve this problem?
>>
>>
>> MarcusB
>
>
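A client-side check that ties the thread together, as an added PowerShell example (not code from any poster): it confirms that the DNS SRV records the replier assumes are resolvable, that a 2048-byte ICMP echo reaches the DC (the size mentioned above, which neo says GPO processing depends on), and that each TCP port in MarcusB's list is reachable through the firewall. $DomainName and $DomainController are placeholders; the SRV names and the port list are assumptions taken from the quoted posts.

```powershell
# Added example, not from the thread. Run from a client workstation behind the firewall.
# $DomainName / $DomainController are placeholders; replace with your own values.
param(
    [string]$DomainName       = 'example.local',      # placeholder
    [string]$DomainController = 'dc1.example.local'   # placeholder
)

# On the DC itself, the static RPC port can be confirmed with:
#   (Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters' -Name 'TCP/IP Port').'TCP/IP Port'
# dword:0000c000 in the quoted post is 49152 decimal, matching the firewall list.

# TCP ports from the quoted firewall list (Test-NetConnection probes TCP only; UDP is not checked here).
$tcpPorts = @{
    'RPC endpoint mapper'                = 135
    'NetBIOS session service'            = 139
    'SMB over IP (Microsoft-DS)'         = 445
    'LDAP'                               = 389
    'LDAP over SSL'                      = 636
    'Global catalog LDAP'                = 3268
    'Global catalog LDAP over SSL'       = 3269
    'Kerberos'                           = 88
    'DNS'                                = 53
    'RPC static port (NTDS TCP/IP Port)' = 49152
}

# 1. SRV records: clients locate DCs through these, so the client's DNS server must hold them.
foreach ($srv in "_ldap._tcp.dc._msdcs.$DomainName", "_kerberos._tcp.dc._msdcs.$DomainName") {
    try {
        $rec = Resolve-DnsName -Name $srv -Type SRV -ErrorAction Stop
        "SRV  OK    $srv -> " + (($rec | Where-Object Type -eq 'SRV').NameTarget -join ', ')
    } catch {
        "SRV  FAIL  $srv ($($_.Exception.Message))"
    }
}

# 2. ICMP echo with a 2048-byte payload, the size the reply above mentions.
$icmp = Test-Connection -ComputerName $DomainController -Count 1 -BufferSize 2048 -Quiet
"ICMP {0}  2048-byte echo to {1}" -f ($(if ($icmp) { 'OK  ' } else { 'FAIL' }), $DomainController)

# 3. TCP ports, lowest first; a FAIL here means the firewall (or the DC) is not passing that port.
foreach ($entry in $tcpPorts.GetEnumerator() | Sort-Object Value) {
    $open = Test-NetConnection -ComputerName $DomainController -Port $entry.Value `
            -InformationLevel Quiet -WarningAction SilentlyContinue
    "TCP  {0}  {1,5}  {2}" -f ($(if ($open) { 'OK  ' } else { 'FAIL' }), $entry.Value, $entry.Key)
}
```

Run it once from a laptop plugged in directly behind the firewall and once from a client in front of it; any line that changes from OK to FAIL between the two runs is a port or protocol the firewall is dropping.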

