
Posted

Guys

I have a domain using the Windows firewall (2003 SP1). As soon as I turn on the firewall everything is slow and users cannot log in correctly until I disable the FW, so what ports need to be open for all this to bypass?

Thx


Posted

Thanks, I did check Google but damn, I didn't find that page. I did what it said on the given link but I have problems when a user logs on. The JPEG should explain (hopefully) my settings and where I've gone wrong - anyone know why or what setting I need to adjust? Also what is localsubset? How can I find out my local subset? I think it's 255.255.255.0...

Thx

post-42895-1134147815_thumb.jpg

Posted

You don't have the RPC or SMB ports open either, although the SMB ports aren't as needed as the RPC and DS ports (135, 136, 137, 445).

You may want to look at KB articles 224196 and 319553 as well.

Posted

Thanks. I've added ports 135, 136, 137 and 445 for both UDP and TCP. I forgot to mention that I already had checked those two articles and have created the registry keys.

I still have the same problem where the users can't log on, so I'll tell you what I have set up in case it needs additional ports opened:

When a user logs on their profile is copied from the server onto their local drive which is mapped automatically.

The start menu is copied from the server too so only the items we have applied are shown.

I can't ping the server, which I guess is due to the port being closed (if that's of any use).

Anything else I can try?

Thx again

Posted (edited)

Well, I hate to keep throwing this at you piecemeal, but you also have to take into consideration that clients use RPC to do most network connections to a server - the initial connection is always made on the endpoint mapper port (135), but that port is only used as a control channel to set up the actual transfer channel on a dynamically assigned port above 1024 on both the client and server. You'll have to force this to use a specific range of TCP ports on both the clients and servers, and you'll have to allow this range in through the firewall at the server end.

If you really need a firewall on your DC's, you'll probably have to use network monitoring and watch ports on the server to see exactly what is being opened by your clients. My best suggestion, though, is to firewall external to your servers, and leave the Windows firewall disabled on your DC's (at least). Active directory is a chatty SOB, and it requires LOTS and LOTS of ports open. I seem to remember an article about limiting RPC port ranges on Exchange servers, but it should work for plain jane Windows servers as well if you do really need the firewall enabled on your DC's.

Edited by cluberti
Posted

OK, I gave it a go over this week and a bit to see if I could resolve this darn issue and still no luck. Is there something you can direct me to read about knowing what ports I need open?

I tried a few tools but none of them worked. Any help in identifying what ports I need open, or a program to help me, or even an article to read to get an understanding of this would be helpful.

Thx
