I want to understand which firewall ports need to be opened for a computer to join and log on to a domain. I use Microsoft Forefront Threat Management Gateway 2010 as the firewall and assign two network segments: one for the DC role (VBHV-DC-01 in LAN3) and one for the workstation role (VBHV-FS-01 in LAN4). The network rule between LAN4 and LAN3 is in route mode. Create a new Access Rule from LAN4 to LAN3 and open the following protocols:
Microsoft CIFS/SMB: 445/TCP
Kerberos-Sec: 88/TCP, 88/UDP
DNS: 53/TCP, 53/UDP
LDAP: 389/TCP, 389/UDP
NetBIOS Datagram: 138/UDP
NetBIOS Name Service: 137/UDP
NetBIOS Session: 139/TCP
NTP: 123/UDP
RPC Endpoint Mapper(Custom): 135/TCP
ADLogon/DirRep(Custom): 50000/TCP
RPC Netlog(Custom): 50001/TCP
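The following PowerShell script is an added example (not part of the original post) that checks, from the LAN4 workstation, whether each TCP port in the access rule above is actually reachable on the LAN3 domain controller. The DC name VBHV-DC-01 and the domain dw.com are taken from the post; the script assumes a Windows version that ships Test-NetConnection and Resolve-DnsName (Windows 8.1 / Server 2012 R2 or later). The UDP ports in the rule cannot be probed with Test-NetConnection, so DNS over UDP is exercised directly by resolving the DC SRV record, which is the first lookup a domain join performs.

```powershell
# Added example (not from the original post): verify from the LAN4 workstation that
# each TCP port in the TMG access rule is reachable on the LAN3 domain controller.
# Assumptions: DC name and domain come from the post; Test-NetConnection and
# Resolve-DnsName require Windows 8.1 / Server 2012 R2 or later.
$Dc     = 'VBHV-DC-01'
$Domain = 'dw.com'

# TCP ports from the access rule (the UDP ports are handled separately below).
$TcpPorts = [ordered]@{
    'Microsoft CIFS/SMB'     = 445
    'Kerberos-Sec'           = 88
    'DNS'                    = 53
    'LDAP'                   = 389
    'NetBIOS Session'        = 139
    'RPC Endpoint Mapper'    = 135
    'ADLogon/DirRep (fixed)' = 50000
    'RPC Netlogon (fixed)'   = 50001
}

$results = foreach ($entry in $TcpPorts.GetEnumerator()) {
    $t = Test-NetConnection -ComputerName $Dc -Port $entry.Value -WarningAction SilentlyContinue
    [pscustomobject]@{
        Service   = $entry.Key
        Port      = $entry.Value
        Reachable = $t.TcpTestSucceeded
    }
}
$results | Format-Table -AutoSize

# UDP services cannot be probed with Test-NetConnection; exercise DNS over UDP
# by asking the DC for the domain controller SRV record.
Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$Domain" -Type SRV -Server $Dc |
    Where-Object { $_.Type -eq 'SRV' } |
    Select-Object Name, NameTarget, Port

# Any port reported as Reachable = False points at a missing or mis-ordered
# TMG access rule, or at a DC service that is not listening on that port.
if ($results | Where-Object { -not $_.Reachable }) {
    Write-Warning 'One or more required TCP ports are blocked between LAN4 and LAN3.'
}
```

Run the script on VBHV-FS-01 before attempting the domain join; a False entry for 50000 or 50001 after the registry changes below usually means the DC has not been rebooted yet, while a False entry for 135 means the endpoint mapper rule itself is missing.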
To restrict the dynamic RPC port used for AD logon and directory replication (NTDS) to a single port (50000/TCP), add a registry value on each domain controller.
Under the “HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Parameters\” key, create a new DWORD (32-bit) Value.
Rename the entry from “New Value #1” to “TCP/IP Port”.
Double-click the entry, select the “Decimal” option, enter “50000” in the Value data field, and click “OK”.
After completing the steps above, reboot the DC so that the new setting takes effect.
To force client RPC traffic (Netlogon) to a specific port as well, I repeat the same steps under “HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters\”.
Create a new DWORD (32-bit) Value (type REG_DWORD), rename the entry from “New Value #1” to “DCTcpipPort”, set its value data to “50001”, and then reboot the DC.
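The following PowerShell script is an added example (not part of the original post) that performs the two registry changes above on a domain controller in one idempotent step and then checks that the DC is listening on the pinned ports. The key paths, value names and port numbers come from the post; the script assumes it runs elevated on the DC and that the DC is rebooted afterwards, because NTDS and Netlogon read these values only at start-up.

```powershell
# Added example (not from the original post): pin the NTDS RPC port to 50000/TCP
# and the Netlogon RPC port to 50001/TCP, then read the values back.
# Assumptions: runs elevated on the DC; a reboot is still required afterwards.
$Pins = @(
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters';     Name = 'TCP/IP Port'; Port = 50000 },
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'; Name = 'DCTcpipPort'; Port = 50001 }
)

foreach ($p in $Pins) {
    if (-not (Test-Path $p.Path)) { New-Item -Path $p.Path -Force | Out-Null }
    # -PropertyType DWord creates a REG_DWORD; -Force overwrites an existing value,
    # so the script can safely be re-run.
    New-ItemProperty -Path $p.Path -Name $p.Name -Value $p.Port -PropertyType DWord -Force | Out-Null
    $actual = (Get-ItemProperty -Path $p.Path -Name $p.Name).($p.Name)
    if ($actual -ne $p.Port) {
        throw "Failed to set $($p.Name) to $($p.Port) (read back: $actual)"
    }
    '{0}\{1} = {2}' -f $p.Path, $p.Name, $actual
}

# Post-reboot check: lsass.exe, which hosts both NTDS and Netlogon, must be
# LISTENING on the two pinned ports. netstat is used instead of
# Get-NetTCPConnection so the check also works on Windows Server 2008 R2.
$listening = @(netstat -ano -p TCP | Select-String -Pattern ':(50000|50001)\s+\S+\s+LISTENING')
if ($listening.Count -lt 2) {
    Write-Warning 'Pinned RPC ports are not both LISTENING yet; reboot the DC and re-run this check.'
} else {
    $listening | ForEach-Object { $_.Line.Trim() }
}
```

Run the script once before the reboot (it will write the values and warn that the ports are not yet listening) and once after; only when both lines show LISTENING can the TMG rule for 135/TCP plus 50000/TCP and 50001/TCP carry all RPC traffic between the segments.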
Now I try to join the domain “dw.com”, and the result is successful.
The computer can log on to the domain “VBHV-DC-01”.
With the TCPView utility, you will see that no port is blocked now.