Re: Active directory Authentication ports
- From: "Dusko Savatovic" <nospam.savatovic@xxxxxxxxx>
- Date: Wed, 18 Mar 2009 12:58:29 +0100
Mitch,
You need to "turn the problem upside-down".
The problem with bandwidth is not caused by authentication. In fact, authentication exchanges a very small amount of data compared to, let's say, HTTP traffic.
If I were in your shoes and had to split traffic, I would split HTTP traffic from everything else. Further, I would split public HTTP traffic from private.
The other traffic that might contribute to bandwidth is SMB and File Replication services, so these are candidates for separation.
If you want to know which ports are used for Active Directory services, go to your DNS and inspect SRV resource records.
But be aware that the RPC protocol is used by all Microsoft's administrative tools. And RPC is a dynamic protocol that opens various secondary ports.
Good luck.
"Mitch" <Mitch@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message news:A7717429-57F5-4F54-AD1E-2F0439B1A7FF@xxxxxxxxxxxxxxxx
Hi Phillip,
I should clarify what we're trying to do. We just added an additional point
to point T1 between the offices. We wanted to only route system traffic,
authentication (Active Directory), and email through the IP Sec tunnel. Data
and applications would go through the point to point T1. The addition of the
T1 was added to improve speed. A tech at cisco said I would need to know the
ports and protocol that authentication, mail, etc.. use to allow that traffic
to pass. All other traffic would be redirected to the Point to Point. Any
thoughts?
"Phillip Windell" wrote:
"Mitch" <Mitch@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:7C8727D8-7F31-424A-A98F-BF94C62325C5@xxxxxxxxxxxxxxxx
> Hi,
> I am using windows 2003 server with active directory. We have 2 offices
> connected by an IP Sec tunnel. What ports and protocols (TCP/UDP) are
> needed
> to authenticate to active directory when logging in through the IP Sec
> tunnel? Thanks.
That is only a drop in the bucket as to all the traffic you're going to have
to allow over that VPN. You're almost wasting your time if you want to "get
picky" about the traffic running over the VPN.
The whole point of VPN is that it is already private and protected from the
"outside" to start with by virtue of the fact that the Tunnel exists. By
the time you allow everything you need to allow over it there will hardly be
anything left that is blocked, and certainly anything a "hacker" would want
is going to already have to be allowed,...so just let the thing flow freely
and forget it. The idea is to keep people who don't belong off the LAN to
start with.
This is a Site-to-Site VPN,..it is important to consider that distinction.
They can't get on the Site-to-site VPN if they aren't already on the LAN at
one end or the other already,...hence the reverse of that is if they are on
the VPN then they are already on the LAN first,...so you'd need to be
worrying about what they are doing on the LAN to start with,...the VPN
becomes meaningless at that point.
Anyway, the method of security is identical to what you would do if you had
two subnets on the same LAN sitting right in the same physical room
together. There is no difference. "VPN" is just nothing more than the "line
technology" between the two routers,...it has no effect on the security
methods.
More things to consider:
VPN is just a glorified "Slow WAN Link". Active Directory does not deal
well with slow links unless dealt with properly. Usually this means the
creation of an Active Directory Site Object and an Active Directory Subnet
Object (and that doesn't mean a LAN Subnet). Then you place a Domain
Controller (preferably two) at each Site. Then the normal behavior of AD
would be that the user would authenticate to the DC within their own "AD
Site" which corresponds to their physical location,...this means they do not
authenticate over the slow WAN link. Then the AD Sites config handles AD
Replication between the Sites using a schedule over the WAN Link so that it
can work well with the slower bandwidth.
The behavior of the AD Sites Config also means that if the WAN goes down (and
they always do) for a period of time that the two Sites will continue to
function and authentication will continue to function. Then when the WAN
link comes back up the Replication will happen on the next schedule and will
"catch up" everything.
--
Phillip Windell
www.wandtv.com
The views expressed, are my own and not those of my employer, or Microsoft,
or anyone else associated with me, including my cats.
-----------------------------------------------------
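As an added example (not from any poster in this thread): Dusko's advice is to read the AD port list off the SRV records the domain controllers register in DNS. The script below parses a zone-file style dump of those records into a static protocol/port allow list and the DC hosts they point at; example.corp, dc1/dc2 and the record set are constructed sample data, and the comment about RPC reflects his caveat that endpoint-mapper traffic is not advertised in DNS.

```python
"""Derive the static Active Directory port list from DNS SRV records."""
import re
from collections import defaultdict

# Constructed sample (not a real zone dump) in zone-file form:
#   name  TTL  IN  SRV  priority  weight  port  target
SAMPLE_SRV_RECORDS = """\
_ldap._tcp.example.corp.               600 IN SRV 0 100 389  dc1.example.corp.
_ldap._tcp.dc._msdcs.example.corp.     600 IN SRV 0 100 389  dc1.example.corp.
_kerberos._tcp.example.corp.           600 IN SRV 0 100 88   dc1.example.corp.
_kerberos._udp.example.corp.           600 IN SRV 0 100 88   dc1.example.corp.
_kpasswd._tcp.example.corp.            600 IN SRV 0 100 464  dc1.example.corp.
_kpasswd._udp.example.corp.            600 IN SRV 0 100 464  dc1.example.corp.
_gc._tcp.example.corp.                 600 IN SRV 0 100 3268 dc1.example.corp.
_ldap._tcp.Branch._sites.example.corp. 600 IN SRV 0 100 389  dc2.example.corp.
"""

SRV_LINE = re.compile(
    r"^_(?P<service>[^.]+)\._(?P<proto>tcp|udp)\.(?P<name>\S+)\s+\d+\s+IN\s+SRV\s+"
    r"(?P<prio>\d+)\s+(?P<weight>\d+)\s+(?P<port>\d+)\s+(?P<target>\S+)$"
)


def parse_srv(text):
    """Return one dict per SRV line; lines that are not SRV records are skipped."""
    records = []
    for line in text.splitlines():
        m = SRV_LINE.match(line.strip())
        if m:
            rec = m.groupdict()
            rec["port"] = int(rec["port"])
            records.append(rec)
    return records


def allow_list(records):
    """Map (proto, port) -> sorted service names, i.e. the static ACL entries.

    RPC (endpoint mapper on TCP 135 plus dynamically assigned secondary ports)
    is not published in DNS, so it never appears here and must be handled separately.
    """
    table = defaultdict(set)
    for r in records:
        table[(r["proto"], r["port"])].add(r["service"])
    return {k: sorted(v) for k, v in sorted(table.items())}


def targets(records):
    """Domain controllers the SRV records point at (trailing dot stripped)."""
    return sorted({r["target"].rstrip(".") for r in records})
```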