Re: Unable to logon through FW despite ports are open

From: Ace Fekay [MVP] (PleaseSubstituteMyActualFirstName&LastNameHere_at_hotmail.com)
Date: 10/06/04


Date: Wed, 6 Oct 2004 15:48:39 -0400

In news:utlcDl6qEHA.596@TK2MSFTNGP11.phx.gbl,
Jonte@bson.se <jonasberthelsson@hotmail.com> made a post, then I commented
below:
> I'm trying to logon to a MS AD 2003 interim mode through a firewall
> from an XP client. The XP client is coming from a different subnet
> and therefore the DC (and DNS) are using NAT in the firewall. I'm
> told the ports are open, so that shouldn't be the problem.
> But when I ping the DNS server from the XP client, the DNS server
> tries to answer with the inside subnet address, which is quite normal
> I think, because this is the only address the server knows about. But
> is it possible to configure the DNS server so it answers with the
> right subnet address depending on where the source ping comes from? I
> think I've heard about this in BIND version 9.x.
> Or should the solution be an lmhosts file or hosts file?
> If I use an NT4 workstation with an lmhosts file it works fine, but that
> one is not using the DNS to logon. I've tried with an lmhosts file on
> the XP client but without any good result.
>
> Please help me out !
>
> Sincerely
>
> \\Jonas B

Have you thought about using a VPN? Domain communication, for one, will NOT
work through a NAT unless you use a VPN. NAT cannot traverse RPC or Kerberos
traffic. LDAP in regards to AD needs those two factors, so it cannot
authenticate or communicate.

I don't know what ports you opened up, but if it is a true firewall (no
NAT), there are about a dozen+ ports that need to be opened, which causes
security issues. My suggestion is to use a VPN with the NAT server as the
endpoint.

-- 
Regards,
Ace
Please direct all replies ONLY to the Microsoft public newsgroups
so all can benefit.
This posting is provided "AS-IS" with no warranties or guarantees
and confers no rights.
Ace Fekay, MCSE 2003 & 2000, MCSA 2003 & 2000, MCSE+I, MCT, MVP
Microsoft Windows MVP - Windows Server - Directory Services
Security Is Like An Onion, It Has Layers
HAM AND EGGS: A day's work for a chicken;
A lifetime commitment for a pig.
-- 
=================================
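The per-source answer Jonas asks about is what BIND 9 calls views (split-horizon DNS): the same zone is served twice, and the view whose match-clients fits the query's source address decides which copy answers. The block below is an added illustration, not configuration from either poster; the zone name corp.example and every address in it (10.0.0.0/24 as the inside LAN, 192.0.2.0/24 as the XP client's subnet, 203.0.113.5 as the address the firewall translates to the DC) are placeholders.

```conf
// named.conf (BIND 9), constructed example; all names and addresses are placeholders
acl "lan"    { 10.0.0.0/24; localhost; };   // inside subnet, where the DC really lives
acl "remote" { 192.0.2.0/24; };             // the XP client's subnet beyond the firewall

options {
    directory "/var/named";
    recursion no;                            // authoritative answers only, for the example
};

// Queries arriving from the LAN get the DC's inside address.
view "internal" {
    match-clients { "lan"; };
    zone "corp.example" {
        type master;
        file "corp.example.internal";
    };
};

// Queries arriving from the remote subnet get the address the firewall NATs to the DC.
// Views are tried in order; the first match-clients that fits the source address wins,
// so a source that matches neither ACL gets REFUSED rather than a wrong answer.
view "external" {
    match-clients { "remote"; };
    zone "corp.example" {
        type master;
        file "corp.example.external";
    };
};

; ---- /var/named/corp.example.internal (zone file, ';' starts a comment) ----
$TTL 3600
@          IN SOA ns1.corp.example. hostmaster.corp.example. ( 2004100601 3600 900 604800 300 )
@          IN NS  ns1.corp.example.
ns1        IN A   10.0.0.5          ; the DC/DNS server's inside address
dc1        IN A   10.0.0.5
_ldap._tcp IN SRV 0 100 389 dc1.corp.example.   ; AD locator record (a real zone has many more)

; ---- /var/named/corp.example.external (same names, NAT address instead) ----
$TTL 3600
@          IN SOA ns1.corp.example. hostmaster.corp.example. ( 2004100601 3600 900 604800 300 )
@          IN NS  ns1.corp.example.
ns1        IN A   203.0.113.5       ; public address the firewall translates to 10.0.0.5
dc1        IN A   203.0.113.5
_ldap._tcp IN SRV 0 100 389 dc1.corp.example.
```

Views change only what the resolver hands back; the RPC and Kerberos traffic that the reply above says will not cross the NAT is unaffected, so this settles the DNS question alone and not the logon itself.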