nbp0204
Posted August 15, 2006

As the title says, I am currently using Win Server 2003 as my domain DC. I want to turn on the Windows embedded firewall; however, I don't know which ports I must open. If I don't open any additional ports, computers in my domain cannot log in. Does anyone know which ports I must open?
Mr Snrub
Posted August 15, 2006

It is strongly recommended that you do NOT use a host firewall on a Domain Controller - leave that job to perimeter firewalls.

The list of ports for various types of traffic is quite extensive and varies depending on which roles the server has - also, the Remote Procedure Call design means the dynamic port range requirement punches a massive hole in the list of ports to let replication (amongst other things) work.

If you are hell-bent on trying to run the Windows Firewall service on a DC, then here are some KBs you should look at:

"Service overview and network port requirements for the Windows Server system"
http://support.microsoft.com/?id=832017

"Restricting Active Directory replication traffic to a specific port"
http://support.microsoft.com/?id=224196

"How to restrict FRS replication traffic to a specific static port"
http://support.microsoft.com/?id=319553

"How to troubleshoot RPC Endpoint Mapper errors"
http://support.microsoft.com/?id=839880

Again, it's really not recommended to even put a firewall between DCs if possible, and certainly not using the host firewall service.
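For anyone who still wants to try it, here is an added example (not from this thread or from Microsoft) of what the KBs above amount to on Windows Server 2003: pin the RPC-based DC services to fixed ports via the registry values documented in KB 224196 and KB 319553, then open only the well-known DC ports plus those fixed ports with the 2003-era `netsh firewall` syntax. The static port numbers 50000-50002 are an arbitrary choice (assumption), and the script assumes it runs elevated on the DC in the domain profile.

```powershell
# Added example, not the thread's or Microsoft's code. Pins NTDS, Netlogon and
# FRS RPC listeners to static ports (KB 224196 / KB 319553) so the dynamic RPC
# range does not have to be opened, then opens the DC port set in the
# Windows Server 2003 host firewall. Services must restart (or the DC reboot)
# before the registry values take effect.

$adRepPort    = 50000   # AD replication (NTDS)        - KB 224196 (port choice is an assumption)
$netlogonPort = 50001   # Netlogon client RPC          - KB 224196 (port choice is an assumption)
$frsPort      = 50002   # File Replication Service     - KB 319553 (port choice is an assumption)

# 1. Registry values that make the RPC services listen on fixed ports
Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters' `
    -Name 'TCP/IP Port' -Value $adRepPort -Type DWord
Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters' `
    -Name 'DCTcpipPort' -Value $netlogonPort -Type DWord
Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\NtFrs\Parameters' `
    -Name 'RPC TCP/IP Port Assignment' -Value $frsPort -Type DWord

# 2. Inbound ports a DC must accept from domain members and other DCs.
#    TCP 135 (endpoint mapper) stays open: clients still ask it where the
#    static ports are; it just no longer hands out random high ports.
$rules = @(
    @{p='TCP'; port=53;   n='DNS'},
    @{p='UDP'; port=53;   n='DNS'},
    @{p='TCP'; port=88;   n='Kerberos'},
    @{p='UDP'; port=88;   n='Kerberos'},
    @{p='UDP'; port=123;  n='NTP'},
    @{p='TCP'; port=135;  n='RPC-Endpoint-Mapper'},
    @{p='TCP'; port=389;  n='LDAP'},
    @{p='UDP'; port=389;  n='CLDAP-DC-locator'},
    @{p='TCP'; port=445;  n='SMB'},
    @{p='TCP'; port=464;  n='Kerberos-kpasswd'},
    @{p='UDP'; port=464;  n='Kerberos-kpasswd'},
    @{p='TCP'; port=636;  n='LDAPS'},
    @{p='TCP'; port=3268; n='Global-Catalog'},
    @{p='TCP'; port=3269; n='Global-Catalog-SSL'},
    @{p='TCP'; port=$adRepPort;    n='AD-Replication-Static'},
    @{p='TCP'; port=$netlogonPort; n='Netlogon-RPC-Static'},
    @{p='TCP'; port=$frsPort;      n='FRS-Static'}
)
foreach ($r in $rules) {
    # Windows Server 2003 / XP SP2 netsh syntax. Add scope=CUSTOM addresses=...
    # to limit each opening to your DC and client subnets.
    netsh firewall add portopening protocol=$($r.p) port=$($r.port) name=$($r.n) mode=ENABLE profile=DOMAIN
}
```

Anything beyond the core roles (DHCP, print, WINS, certificate services) needs its own entries from KB 832017, which is exactly why the list grows with every role the box holds.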
nitroshift
Posted August 15, 2006 (edited)

> It is strongly recommended that you do NOT use a host firewall on a Domain Controller - leave that job to perimeter firewalls.

Hehe, tell me about it! I was running a software firewall on my server at work (AD server, DNS server, DHCP server, file server, print server), and lots of things didn't work. Eventually I managed to get a Pentium 2 PC and shoved it between the server and the DSL modem to act as a firewall. Took a bit of time to convince the boss though...

Edited August 15, 2006 by nitroshift
jftuga
Posted August 18, 2006

Mr Snrub, nice post! Very informative. Have you ever attempted this?
-John
Mr Snrub
Posted August 18, 2006

> Mr Snrub, nice post! Very informative. Have you ever attempted this?

Nope, I've only helped people clean up the mess after they have tried it, and answered these kinds of advisory cases before.

Firewalls (perimeter as well as host) can cause a lot of issues that aren't immediately obvious, and only by taking simultaneous network traces at both ends can you see what data is getting dropped or munged - and sometimes it's not just packet filters but the "smart defense" modules which are inspecting the payloads of the packets and blocking them based on a rigid set of rules.