 From:  "Jared Patterson (DSL AK)" <JaredP at datacom dot co dot nz>
 To:  <m0n0wall at lists dot m0n0 dot ch>
 Subject:  Having a domain member running in a DMZ
 Date:  Mon, 27 Jun 2005 09:18:45 +1200
Hi All,

I'm running a web server in a DMZ zone which is a domain member server.
What I'm trying to find out is exactly what ports to NAT through to the
LAN subnet so that it can log in and use Active Directory etc. properly.
These are the ports I have NATed through:


Service                                          Port/protocol
-----------------------------------------------  ------------------
RPC endpoint mapper                              135/tcp, 135/udp
RPC static port for Active Directory replication See Appendix D
Kerberos                                         88/tcp, 88/udp
LDAP                                             389/tcp
LDAP over SSL                                    636/tcp
Global Catalog LDAP                              3268/tcp
Global Catalog LDAP over SSL                     3269/tcp
SMB over IP (Microsoft-DS)                       445/tcp, 445/udp
DNS                                              53/tcp, 53/udp
Network Time Protocol (NTP)                      123/udp

The following table describes other non-AD network ports that are used.

Service                                          Port/protocol
-----------------------------------------------  ------------------
NetBIOS name service                             137/tcp, 137/udp
NetBIOS datagram service                         138/udp
NetBIOS session service                          139/tcp


Plus, on the web server in the DMZ, I have locked the dynamic RPC ports to
100 designated ports between 5020-5120. I have also enabled RDP on 3500 and
allowed this through.

I know that when I try to log in through Terminal Services, it reports
the error "The specified domain does not exist" after I put in my login
details.

Does anyone know the correct configuration for this setup?

Cheers

Jared
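As an added example (not part of Jared's post or of m0n0wall), the following script, run on the DMZ member server, walks the port table from the post and reports which TCP ports actually reach the domain controller through the NAT rules, and whether the AD domain name resolves through the LAN DNS. `DC_HOST` and `AD_DOMAIN` are placeholder assumptions to replace with the real DC address and domain name; UDP ports are listed but not probed, because a connect() cannot prove anything about them, and the dynamic RPC range (5020-5120 in the post) is not probed either since those ports are only bound on demand.

```python
#!/usr/bin/env python3
"""Check from a DMZ domain member that the DC is reachable on the ports a
member server needs.  Added example, not from the original post.
Assumed placeholders (not in the post): DC_HOST and AD_DOMAIN."""
import socket
from typing import Callable, Dict, List, Optional, Tuple

DC_HOST = "192.0.2.10"       # assumed: domain controller on the LAN subnet
AD_DOMAIN = "corp.example"   # assumed: AD DNS domain name

# Port table copied from the post, as service -> "port/proto, port/proto".
REQUIRED_PORTS: Dict[str, str] = {
    "RPC endpoint mapper": "135/tcp, 135/udp",
    "Kerberos": "88/tcp, 88/udp",
    "LDAP": "389/tcp",
    "LDAP over SSL": "636/tcp",
    "Global Catalog LDAP": "3268/tcp",
    "Global Catalog LDAP over SSL": "3269/tcp",
    "SMB over IP (Microsoft-DS)": "445/tcp, 445/udp",
    "DNS": "53/tcp, 53/udp",
    "Network Time Protocol (NTP)": "123/udp",
    "NetBIOS name service": "137/tcp, 137/udp",
    "NetBIOS datagram service": "138/udp",
    "NetBIOS session service": "139/tcp",
}


def parse_port_spec(spec: str) -> List[Tuple[int, str]]:
    """'135/tcp, 135/udp' -> [(135, 'tcp'), (135, 'udp')]."""
    out: List[Tuple[int, str]] = []
    for item in spec.split(","):
        port, proto = item.strip().split("/")
        out.append((int(port), proto.strip().lower()))
    return out


def tcp_connect(host: str, port: int, timeout: float = 2.0) -> bool:
    """True if a TCP connection completes, i.e. the firewall/NAT rule passes
    the traffic and the DC is listening there."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def check_dc(
    dc_host: str,
    domain: str,
    ports: Dict[str, str] = REQUIRED_PORTS,
    connect: Callable[[str, int], bool] = tcp_connect,
    resolve: Callable[[str], str] = socket.gethostbyname,
) -> Dict[str, Optional[bool]]:
    """Run every check.  True = reachable, False = blocked/refused/unresolved,
    None = UDP port that a connect() cannot probe."""
    results: Dict[str, Optional[bool]] = {}
    # AD publishes A records for the domain name itself, pointing at the DCs.
    # If the DMZ host cannot resolve that name via the LAN DNS, the domain
    # does not exist from the client's point of view.
    key = f"DNS A record for {domain}"
    try:
        resolve(domain)
        results[key] = True
    except OSError:
        results[key] = False
    for service, spec in ports.items():
        for port, proto in parse_port_spec(spec):
            key = f"{service} {port}/{proto}"
            results[key] = connect(dc_host, port) if proto == "tcp" else None
    return results


def failures(results: Dict[str, Optional[bool]]) -> List[str]:
    """Checks that definitely failed (UDP 'None' entries are excluded)."""
    return [k for k, v in results.items() if v is False]


def unprobed(results: Dict[str, Optional[bool]]) -> List[str]:
    """UDP entries the script cannot verify with a TCP connect."""
    return [k for k, v in results.items() if v is None]


if __name__ == "__main__":
    res = check_dc(DC_HOST, AD_DOMAIN)
    for name, ok in res.items():
        state = "SKIP" if ok is None else ("OK  " if ok else "FAIL")
        print(f"{state}  {name}")
```

Anything reported as FAIL is either a NAT/firewall rule that is missing or wrong, or a service the DC is not listening on; the DNS line is the first thing to look at, since a member server that cannot resolve its domain through the LAN DNS cannot find a DC at all. UDP entries come back as SKIP and have to be checked on the firewall side instead.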