Re: RPC ports over a firewall
- From: "Paul Williams [MVP]" <ptw2001@xxxxxxxxxxx>
- Date: Tue, 11 Oct 2005 07:52:08 +0100
> 1) Does the RPC need to be restricted to a static port on ServerB as well
> as setting a dynamic range? -OR- should it be one or the other?
Generally, you restrict RPC to a small number of ports.
> 2) Does a "one-way incoming forest trust" employ replication between the
> two GCs? ie - do I need to configure the static port for AD replication
No. There is no replication whatsoever between external, trusted forests/domains.
> 3) Can RPC port configurations be restricted to a specific IP connection?
Not via the registry configuration, but yes, certainly through a firewall.
> 4) Does any server (DC) that will need to contact ServerB need to have
> its RPC ports configured to the same values?
Not necessarily, although this is going to depend on the application. You're
best off asking the developers. If permissions are needed, then you're
going to need to be able to contact DCs. If it's just the app that needs to
make remote connections, then limited RPC across the firewall seems like the
way to go.
> . TCP 445 Microsoft DS traffic
> . UDP 445 Microsoft DS traffic
> . TCP 88 Kerberos Authentication
> . UDP 88 Kerberos Authentication
> . TCP 380 LDAP
> . UDP 389 LDAP Ping
> . TCP 53 DNS
> . UDP 53 DNS
> . TCP 135 RPC Endpoint Mapper
> . UDP 135 RPC Endpoint Mapper
If you're talking about replication, logon, etc. traffic then 3268 is
needed, and LDAP is 389 not 380. However you have to really think about
this - simply opening these ports for external domain communication is not
going to be the best way of doing this. In fact, why do you need to open
these ports at all?
If you have an external company accessing resources in your domain you
should have a segmented DMZ that they access, with very tight rules between
any internal live systems and this segment.
--
Paul Williams
Microsoft MVP - Windows Server - Directory Services
http://www.msresource.net | http://forums.msresource.net
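Added example, not part of Paul's reply: the settings that implement his two points above (restrict RPC to a small port range, and do the per-IP restriction in the firewall rather than the registry), typed into an elevated PowerShell on the server being restricted. The registry values are the long-standing Microsoft ones (`HKLM\SOFTWARE\Microsoft\Rpc\Internet` for the RPC range, `NTDS\Parameters\TCP/IP Port` and `Netlogon\Parameters\DCTcpipPort` for a DC's replication and Netlogon ports). Everything else is an assumption of the example: the peer address `192.0.2.10` is a constructed sample, the port numbers are illustrative, the firewall cmdlets need the NetSecurity module (Windows Server 2012 / Windows 8 and later), and the `$IsDomainController` switch is my own to keep the DC-only values out of a member server.

```powershell
# Added example (not from the original post): pin RPC to a small port range,
# optionally fix the AD replication and Netlogon ports on a DC, and allow only
# one remote address to reach those ports through the host firewall.
# Assumed: run elevated; $PeerAddress and the port numbers are sample values.
# A reboot is required before the RPC range and the NTDS/Netlogon ports apply.

$PeerAddress        = '192.0.2.10'   # constructed sample peer (e.g. ServerA)
$RpcStart           = 5000           # start of the restricted RPC range
$RpcEnd             = 5100           # Microsoft guidance: make it ~100 ports wide
$IsDomainController = $false         # set $true only on a DC (question 2 above)
$NtdsPort           = 50000          # assumed static port for AD replication (DC only)
$NetlogonPort       = 50001          # assumed static port for Netlogon RPC (DC only)

function Set-RpcPortRange {
    param([int]$Start, [int]$End)
    # HKLM\SOFTWARE\Microsoft\Rpc\Internet: dynamic RPC endpoints are taken from
    # "Ports" when UseInternetPorts=Y; PortsInternetAvailable=Y means the list is
    # the set to USE (N would mean the set to exclude).
    $key = 'HKLM:\SOFTWARE\Microsoft\Rpc\Internet'
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    New-ItemProperty -Path $key -Name 'Ports' -Value @("$Start-$End") `
        -PropertyType MultiString -Force | Out-Null
    New-ItemProperty -Path $key -Name 'PortsInternetAvailable' -Value 'Y' `
        -PropertyType String -Force | Out-Null
    New-ItemProperty -Path $key -Name 'UseInternetPorts' -Value 'Y' `
        -PropertyType String -Force | Out-Null
}

function Set-DcStaticPorts {
    param([int]$Ntds, [int]$Netlogon)
    # Only relevant on a DC: replication (NTDS) and Netlogon each get one fixed
    # port so the firewall does not have to open the whole dynamic range for them.
    New-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters' `
        -Name 'TCP/IP Port' -Value $Ntds -PropertyType DWord -Force | Out-Null
    New-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters' `
        -Name 'DCTcpipPort' -Value $Netlogon -PropertyType DWord -Force | Out-Null
}

function Add-PeerOnlyRpcRules {
    param([string]$Peer, [string[]]$TcpPorts)
    # Question 3: the per-IP restriction lives in the firewall, not the registry.
    # Endpoint mapper (135) plus the restricted range, inbound from $Peer only.
    foreach ($p in @('135') + $TcpPorts) {
        New-NetFirewallRule -DisplayName "RPC $p from $Peer only" -Direction Inbound `
            -Protocol TCP -LocalPort $p -RemoteAddress $Peer -Action Allow | Out-Null
    }
}

function Test-RpcListenersInRange {
    param([int]$Start, [int]$End)
    # Post-reboot check: list TCP listeners above 1024 that fall OUTSIDE the
    # pinned range (excluding the well-known AD ports). Anything returned here
    # is an RPC/other service that still needs its own firewall rule.
    $wellKnown = 53, 88, 135, 389, 445, 3268
    Get-NetTCPConnection -State Listen |
        Where-Object { $_.LocalPort -gt 1024 -and $_.LocalPort -notin $wellKnown -and
                       ($_.LocalPort -lt $Start -or $_.LocalPort -gt $End) } |
        Select-Object LocalAddress, LocalPort, OwningProcess
}

Set-RpcPortRange -Start $RpcStart -End $RpcEnd
$tcpPorts = @("$RpcStart-$RpcEnd")
if ($IsDomainController) {
    Set-DcStaticPorts -Ntds $NtdsPort -Netlogon $NetlogonPort
    $tcpPorts += "$NtdsPort", "$NetlogonPort"
}
Add-PeerOnlyRpcRules -Peer $PeerAddress -TcpPorts $tcpPorts
Write-Host "Reboot, then run: Test-RpcListenersInRange -Start $RpcStart -End $RpcEnd"
```

The `Test-RpcListenersInRange` check is what tells you whether "restrict RPC to a small number of ports" actually held: services that bind their own fixed port (or that started before the registry change) will show up there and need either a firewall rule of their own or a static-port setting of their own, which is the "depends on the application, ask the developers" point in the reply. None of this changes the reply's conclusion that a segmented DMZ with tight rules is preferable to opening these ports toward an external forest at all.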