
Tuesday, March 8, 2011

Windows Server 2000 and 2003 AD firewall settings

User Login and Authentication

A user network logon across a firewall uses the following:
·         Microsoft-DS traffic (445/tcp, 445/udp)
·         Kerberos authentication protocol (88/tcp, 88/udp)
·         Lightweight Directory Access Protocol (LDAP) ping (389/udp)
·         Domain Name System (DNS) (53/tcp, 53/udp)

Computer Login and Authentication

A computer logon to a domain controller uses the following:
·         Microsoft-DS traffic (445/tcp, 445/udp)
·         Kerberos authentication protocol (88/tcp, 88/udp)
·         LDAP ping (389/udp)
·         DNS (53/tcp, 53/udp)

Establishing an Explicit Trust Between Domains

When establishing a trust between domain controllers in different domains, the domain controllers communicate with each other by means of the following: 
·         Microsoft-DS traffic (445/tcp, 445/udp)
·         LDAP (389/tcp, or 636/tcp if using Secure Sockets Layer (SSL))
·         LDAP ping (389/udp)
·         Kerberos authentication protocol (88/tcp, 88/udp)
·         DNS (53/tcp, 53/udp)

Validating and Authenticating a Trust

Trust validation between two domain controllers in different domains uses the following:
·         Microsoft-DS traffic (445/tcp, 445/udp)
·         LDAP (389/tcp or 636/tcp if using SSL)
·         LDAP ping (389/udp)
·         Kerberos (88/tcp, 88/udp)
·         DNS (53/tcp, 53/udp)
·         Net Logon service
Because the Net Logon service cannot be locked down to a single RPC port, the RPC endpoint mapper (135/tcp and 135/udp) needs to be open, as does a small range of dynamic RPC ports for the mapper to use. For information about how to limit the range of dynamic RPC ports, see Appendix E.

Access File Resource

File access uses SMB over IP (445/tcp, 445/udp).

Perform a DNS Lookup

To perform a DNS lookup across a firewall, ports 53/tcp and 53/udp must be open. DNS is used for name resolution and supports other services such as the domain controller locator.

Perform Active Directory Replication

The type of network traffic that is required for replication differs based on whether the replication is between domain controllers of one or more domains. Both types of replication require the following:
·         Directory service RPC traffic (configurable directory service RPC port)
·         LDAP (389/tcp or 636/tcp if using SSL)
·         LDAP ping (389/udp)
·         Kerberos (88/tcp, 88/udp)
·         DNS (53/tcp, 53/udp)
·         SMB over IP traffic (445/tcp, 445/udp)
Replication within a domain also requires File Replication service (FRS) using a dynamic RPC port. Replication traffic and configuration is further described in “Domain Controller Replication Across a Firewall” later in this paper. For instructions for configuring a static directory service RPC port, see Appendix D. For the procedure to limit the range of dynamic RPC ports, see Appendix E.
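The port lists in the sections above are easiest to verify from the far side of the firewall. The following PowerShell script is an added example, not part of the original paper: it attempts a TCP connect to each fixed port named above plus the static directory-service port and dynamic RPC range from Appendices D and E. The domain controller name `dc01.corp.example` and the port values 49152 and 5000-5020 are assumptions taken from the appendix examples; substitute what you actually configured.

```powershell
# Added example (not from the original paper): TCP reachability check for the
# AD ports listed in this paper, run from a host on the far side of the firewall.
param(
    [string]$Target = 'dc01.corp.example',   # hypothetical DC name (assumption)
    [int]$TimeoutMs = 2000
)

# Fixed TCP ports from the login, trust and replication lists.
$tcpPorts = @{
    53  = 'DNS'
    88  = 'Kerberos'
    135 = 'RPC endpoint mapper'
    389 = 'LDAP'
    445 = 'Microsoft-DS / SMB over IP'
    636 = 'LDAP over SSL (only if used)'
}
# Static directory-service RPC port (Appendix D example) and the restricted
# dynamic RPC range (Appendix E example). Both are assumptions; adjust them.
$tcpPorts[49152] = 'NTDS static RPC port (Appendix D)'
5000..5020 | ForEach-Object { $tcpPorts[$_] = 'Dynamic RPC range (Appendix E)' }

function Test-TcpPort {
    param([string]$ComputerName, [int]$Port, [int]$TimeoutMs)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        # BeginConnect gives us a timeout; a plain Connect() can hang on a DROP rule.
        $async = $client.BeginConnect($ComputerName, $Port, $null, $null)
        if (-not $async.AsyncWaitHandle.WaitOne($TimeoutMs, $false)) { return $false }
        $client.EndConnect($async)   # throws if the connection was refused
        return $true
    } catch {
        return $false
    } finally {
        $client.Close()
    }
}

$results = foreach ($port in ($tcpPorts.Keys | Sort-Object)) {
    New-Object PSObject -Property @{
        Port    = $port
        Service = $tcpPorts[$port]
        Open    = Test-TcpPort -ComputerName $Target -Port $port -TimeoutMs $TimeoutMs
    }
}
$results | Sort-Object Port | Format-Table Port, Open, Service -AutoSize

# 53/udp, 88/udp and the 389/udp LDAP ping cannot be verified with a TCP connect.
# nltest exercises the LDAP ping and the secure channel end to end instead:
#   nltest /dsgetdc:corp.example
#   nltest /sc_query:corp.example
```

A closed port shows as `False` whether the firewall drops or rejects it; the timeout is what distinguishes a silent drop from a refusal in the log. Because Appendix E only narrows the range that the endpoint mapper hands out, a service can still sit on a port outside it if the DC was not rebooted after the registry change, which is why the dynamic range is probed as well.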


Appendix D: Using a Static Port for Active Directory Replication

For each service that needs to communicate across a firewall there is a fixed port and protocol. Normally, the directory service and FRS use dynamically allocated ports that require a firewall to have a wide range of ports open. Although FRS cannot be restricted to a fixed port, the directory service can be restricted to communicate on a static port which can be set using the following registry entry:
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Parameters]
"TCP/IP Port"=dword:0000c000
Changing this registry key on a domain controller and rebooting it causes the directory service to use the TCP port named in the registry entry. In the case above, it is port 49152 (hexadecimal 0000c000).


Appendix E: Limiting the Range of Dynamic RPC Ports

You can use a registry key to limit the range of the dynamic RPC ports assigned by a particular computer. This procedure can be used to limit services that normally do not have a fixed RPC port by allowing their dynamic port to be assigned only from a smaller, well-known range.
It is recommended that the dynamic ports range start at or above 5000 and consist of at least 20 ports. If additional applications that use dynamic RPC are installed on a computer, increase this range. Rebooting is necessary for the registry change to take effect.
To limit the range of dynamic RPC ports, set the following registry key:
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Rpc\Internet]
"Ports"=REG_MULTI_SZ:5000-5020
The above registry key example shows adding a “Ports” value of type Multi-String and setting it to “5000-5020”. The value is added under the Internet key, which is added to the default RPC key. For more information about this procedure, see article 154596, "Configure RPC Dynamic Port Allocation to Work with Firewall,” in the Microsoft Knowledge Base, at http://go.microsoft.com/fwlink/?LinkId=16462.
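Appendices D and E are usually applied together on each domain controller behind the firewall. The PowerShell script below is an added example, not part of the original paper: it writes both settings, reads them back, and notes how to confirm them after the reboot. The port values are the paper's example values and are assumptions for your environment. KB 154596, which the appendix cites, also requires two REG_SZ values, `PortsInternetAvailable` and `UseInternetPorts`, both set to `Y`, for the `Ports` list to take effect; they are included here for that reason.

```powershell
# Added example (not from the original paper): apply the Appendix D and E
# registry settings on a domain controller. Run elevated; reboot afterwards.
$NtdsPort     = 49152         # Appendix D example value (0xC000); assumption
$DynamicRange = '5000-5020'   # Appendix E example value; assumption

# Appendix D: pin the directory service (NTDS) RPC endpoint to one TCP port.
$ntdsKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
New-ItemProperty -Path $ntdsKey -Name 'TCP/IP Port' -Value $NtdsPort `
    -PropertyType DWord -Force | Out-Null

# Appendix E: restrict the range the RPC endpoint mapper assigns.
# The Internet subkey does not exist by default.
$rpcKey = 'HKLM:\SOFTWARE\Microsoft\Rpc\Internet'
if (-not (Test-Path $rpcKey)) { New-Item -Path $rpcKey -Force | Out-Null }
New-ItemProperty -Path $rpcKey -Name 'Ports' -Value @($DynamicRange) `
    -PropertyType MultiString -Force | Out-Null
# Companion values from KB 154596; without them the Ports list is ignored.
New-ItemProperty -Path $rpcKey -Name 'PortsInternetAvailable' -Value 'Y' `
    -PropertyType String -Force | Out-Null
New-ItemProperty -Path $rpcKey -Name 'UseInternetPorts' -Value 'Y' `
    -PropertyType String -Force | Out-Null

# Read back what was written before rebooting.
Get-ItemProperty -Path $ntdsKey -Name 'TCP/IP Port'
Get-ItemProperty -Path $rpcKey -Name Ports, PortsInternetAvailable, UseInternetPorts

# After the reboot, confirm lsass.exe (which hosts NTDS) is listening on the
# static port, and that the endpoint mapper advertises it:
#   netstat -ano | findstr ":49152"
#   portqry -n localhost -e 135
```

Keep the static NTDS port outside the Appendix E range so a second RPC service cannot be handed the same port. Note for the Server 2008 comparison mentioned at the end of this page: Windows Vista and Server 2008 moved the default dynamic port range to 49152-65535, so the paper's 49152 example for the NTDS port overlaps the 2008 default range and should be chosen differently there.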


The registry changes differ slightly between versions.
Compatibility with Server 2008 AD DS needs to be considered and compared.

Vendor reference documentation

For information about configuring firewalls to work with AD DS, see "Active Directory in Networks Segmented by Firewalls" (http://go.microsoft.com/fwlink/?LinkId=37928)
How to configure Windows Server 2003 SP1 firewall for a Domain Controller
