Servers in two Vlans
Guest
Posted: Wed Oct 26, 2005 4:51 pm    Post subject: Servers in two Vlans Reply with quote

Question #1
I have a domain forest in my current WAN. I have been asked to tighten up security by implementing ACLs between VLANs. My problem is this: I have, say, office A on VlanA with the main controller and office B on VlanB with a child controller. What ports am I going to have to open up between those VLANs so the two servers can talk to each other and keep Active Directory happy?

Question #2
Would I need to open the same ports, say, if a workstation was on a different VLAN than the server it authenticates with? Not sure this would happen, but I just wanted to know in the event I run into that.

I have all offices connected via point-to-point T1, switches are all Cisco 3550s and all servers are Compaq DL series of one flavor or another.

The goal is to open only the ports needed to have the servers talk to each other and keep Active Directory working, allow clients to authenticate and all the other server functions, and block everything else.
S. Pidgorny
Guest
Posted: Thu Oct 27, 2005 12:50 pm    Post subject: Re: Servers in two Vlans Reply with quote

A good old Active Directory Replication Across Firewalls whitepaper (http://www.microsoft.com/technet/prodtechnol/windows2000serv/technologies/activedirectory/deploy/confeat/adrepfir.mspx) is a good start for the information. Refer to the "Limited RPC" section for a reasonable port list achieved with a minimal registry tweak. As an absolute minimum you can disable NetBIOS (requires Windows 2000 and up or Samba 3 clients) and not use SSL protocols or WINS, which results in the following list of protocols:

* RPC endpoint mapper - 135/tcp
* RPC static port for AD replication - <fixed-port-of your-choice>/tcp
* SMB over IP (Microsoft-DS) - 445/tcp
* LDAP - 389/tcp, 389/udp (the latter for LDAP ping)
* Global catalog LDAP - 3268/tcp
* Kerberos - 88/udp
* DNS - 53/tcp, 53/udp

Plus, you need to be able to ping the DC from the workstation. Leaving ping
open is generally not a bad idea anyway.

--
Svyatoslav Pidgorny, MS MVP - Security, MCSE
-= F1 is the key =-

<chart@homesoc.com> wrote in message
news:1130338832.217307.167640@g43g2000cwa.googlegroups.com...
Quote:
Question #1
I have a domain forest in my current WAN. I have been asked to tighten up security by implementing ACLs between VLANs. My problem is this: I have, say, office A on VlanA with the main controller and office B on VlanB with a child controller. What ports am I going to have to open up between those VLANs so the two servers can talk to each other and keep Active Directory happy?

Question #2
Would I need to open the same ports, say, if a workstation was on a different VLAN than the server it authenticates with? Not sure this would happen, but I just wanted to know in the event I run into that.

I have all offices connected via point-to-point T1, switches are all Cisco 3550s and all servers are Compaq DL series of one flavor or another.

The goal is to open only the ports needed to have the servers talk to each other and keep Active Directory working, allow clients to authenticate and all the other server functions, and block everything else.
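As an added example (not from the thread or either poster), here is how the reply's port list turns into a router ACL on a Cisco 3550 SVI, which is what the original question is actually about. The addresses, the SVI names, the static replication port 50000 and the ACL name are assumptions; IOS ACLs are stateless, so the return-traffic entries and the mirror list on the other VLAN are what most often get forgotten.

```cisco
! Constructed example, not from the thread. Assumed addressing:
!   VlanA = 10.1.0.0/24, parent DC 10.1.0.10, SVI "interface Vlan10"
!   VlanB = 10.2.0.0/24, child DC 10.2.0.10, SVI "interface Vlan20"
! Assumed static replication port 50000 (the value you set in the registry per the "Limited RPC" section)
!
! Applied inbound on Vlan20, so it filters what VlanB hosts send toward VlanA.
ip access-list extended VLANB-TO-VLANA
 remark child DC -> parent DC: the port list from the reply (NetBIOS off, no WINS/SSL)
 permit tcp host 10.2.0.10 host 10.1.0.10 eq 135
 permit tcp host 10.2.0.10 host 10.1.0.10 eq 50000
 permit tcp host 10.2.0.10 host 10.1.0.10 eq 445
 permit tcp host 10.2.0.10 host 10.1.0.10 eq 389
 permit udp host 10.2.0.10 host 10.1.0.10 eq 389
 permit tcp host 10.2.0.10 host 10.1.0.10 eq 3268
 permit udp host 10.2.0.10 host 10.1.0.10 eq 88
 permit tcp host 10.2.0.10 host 10.1.0.10 eq 53
 permit udp host 10.2.0.10 host 10.1.0.10 eq 53
 remark question #2: a VlanB workstation authenticating to the parent DC needs the same
 remark service ports; repeat the ACEs above with "10.2.0.0 0.0.0.255" as the source
 remark IOS ACLs are stateless: let replies to sessions the parent DC opened come back
 permit tcp 10.2.0.0 0.0.0.255 10.1.0.0 0.0.0.255 established
 permit udp host 10.2.0.10 eq 389 10.1.0.0 0.0.0.255
 permit udp host 10.2.0.10 eq 88 10.1.0.0 0.0.0.255
 permit udp host 10.2.0.10 eq 53 10.1.0.0 0.0.0.255
 remark ping the DC from the workstation, as the reply recommends
 permit icmp 10.2.0.0 0.0.0.255 10.1.0.0 0.0.0.255 echo
 permit icmp 10.2.0.0 0.0.0.255 10.1.0.0 0.0.0.255 echo-reply
 remark everything else is dropped and logged, which shows up any port the list missed
 deny ip any any log
!
interface Vlan20
 ip access-group VLANB-TO-VLANA in
!
! Inbound on Vlan10 you need the mirror image (VLANA-TO-VLANB): the same ACEs with source and
! destination swapped, so the parent DC can initiate replication and the child DC can answer.
```

Watch the `deny ip any any log` counters for a few days before trusting the list; a hit from a DC on a port not shown above usually means a service the reply's minimal set does not cover (for example WINS, if it is still in use).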