Joining a domain through a firewall


  • Joining a domain through a firewall

    I have a member server in a DMZ that I need to join to the domain. The DC is behind a firewall. I have opened the ports below.

    135/TCP RPC
    389/TCP/UDP LDAP
    636/TCP LDAP SSL
    3268/TCP LDAP GC
    3269/TCP LDAP GC SSL
    53/TCP/UDP DNS
    88/TCP/UDP Kerberos
    445/TCP SMB

    I also need to open a port for the RPC over 1024 and force the server to use a specific port.

    My question is where on the member server do I force that specific port. I have seen a few registry keys listed and I'm confused as to which one it is.

    And then on the domain controller do I create the key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Parameters\TCP/IP Port with the same port value?


    Thanks

  • #2
    Re: Joining a domain through a firewall

    I'm going to ask an awkward question -- why does the DMZ server need to be in the domain (alternatively, why does it need to be in the DMZ)?

    With all those ports open, your firewall is about as solid as Swiss cheese!
    Tom Jones
    MCT, MCSE (2000:Security & 2003), MCSA:Security & Messaging, MCDBA, MCDST, MCITP(EA, EMA, SA, EDA, ES, CS), MCTS, MCP, Sec+
    PhD, MSc, FIAP, MIITT
    IT Trainer / Consultant
    Ossian Ltd
    Scotland

    ** Remember to give credit where credit is due and leave reputation points where appropriate **



    • #3
      Re: Joining a domain through a firewall

      Yes, I know it sucks, but it's the way it has to be for right now.



      • #4
        Re: Joining a domain through a firewall

        It is considered a security risk to have a Domain computer in a DMZ. It defeats the object of a DMZ.

        Are you able to explain the services that the member server has or will have and who will be connecting? We can advise from there.



        • #5
          Re: Joining a domain through a firewall

          I don't want to have the security conversation about joining a server in a DMZ to the domain. I want to have the conversation about how to limit the RPC port so I can get it on the domain. I can't change the setup right now. It has to be this way and the server has to be on the domain.



          • #6
            Re: Joining a domain through a firewall

            http://www.isaserver.org/articles/20...terdomain.html
            Specifically:
            We want to limit the ports required for RPC to a single port. This allows us to know in advance what port to use and configure on the firewall. Otherwise, we would need to allow all high ports from the DMZ to the Internal network. We can do this by making a Registry change on each domain controller. The Registry Key is:

            HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Parameters\

            Note:
            We actually do not need to do this, as the ISA firewall’s RPC filter can dynamically control port access. The RPC filter listens to the RPC negotiations and then dynamically opens the required high port. However, I prefer to set the port manually as it makes it a bit easier to analyze the logs and track the RPC communications moving between the DMZ segment and the Internal network. If the administrative overhead of setting a specific high port for RPC communications is too high, then you can take advantage of the RPC filter and not worry about it. This is what I mean by the ISA firewall doesn’t "open ports" – the ISA firewall actually understands the protocols required.

            You need to add a DWORD value named TCP/IP Port and set the value to the port you want to use. You’ll need to carry out this procedure on each of the domain controllers in your domain.

            Perform the following steps on each of the domain controllers in your domain to change the RPC replication port to 50000:

            1. Click Start and click Run. In the Open text box enter Regedit and click OK.
            2. Go to the following Registry key:
               HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Parameters\
            3. Click the Edit menu and point to New. Click DWORD Value.
            4. Rename the entry from New Value #1 to TCP/IP Port, then double click the entry.
            5. In the Edit DWORD Value dialog box, select the Decimal option. Enter 50000 in the Value data text box. Click OK.
            6. Restart the domain controller.
            Tom Jones
            MCT, MCSE (2000:Security & 2003), MCSA:Security & Messaging, MCDBA, MCDST, MCITP(EA, EMA, SA, EDA, ES, CS), MCTS, MCP, Sec+
            PhD, MSc, FIAP, MIITT
            IT Trainer / Consultant
            Ossian Ltd
            Scotland

            ** Remember to give credit where credit is due and leave reputation points where appropriate **
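            The same procedure as a script, added here as an example that is not part of the thread or of the isaserver.org article it quotes. It is written to be run elevated on each domain controller; the port value 50000 is the one the post uses, and the NTDS key path and the `TCP/IP Port` value name are the ones the post names. The listener check at the end only succeeds after the restart the post calls for.

```powershell
# Added example: pin the Active Directory (NTDS) RPC port on a domain
# controller and verify it. Run elevated on each DC; restart afterwards.
# Port 50000 is the value the post uses; choose any free high port you
# are willing to allow from the DMZ segment in addition to 135/TCP.

$ntdsKey   = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
$valueName = 'TCP/IP Port'
$rpcPort   = 50000   # decimal, as in the post

# Record the current value (if any) so the change can be rolled back.
$before = (Get-ItemProperty -Path $ntdsKey -Name $valueName -ErrorAction SilentlyContinue).$valueName
if ($null -eq $before) {
    Write-Host "'$valueName' is not set yet (NTDS uses a dynamic high port)."
} else {
    Write-Host "Current '$valueName': $before"
}

# Create the DWORD if it is missing, otherwise update it in place.
# -PropertyType/-Type DWord matches the "DWORD Value" step in the post.
if ($null -eq $before) {
    New-ItemProperty -Path $ntdsKey -Name $valueName -Value $rpcPort -PropertyType DWord | Out-Null
} else {
    Set-ItemProperty -Path $ntdsKey -Name $valueName -Value $rpcPort -Type DWord
}

# Read the value back and fail loudly if it did not apply.
$after = (Get-ItemProperty -Path $ntdsKey -Name $valueName).$valueName
if ($after -ne $rpcPort) { throw "Registry value was not applied (read back: $after)" }
Write-Host "Set '$valueName' to $after. Restart the DC so NTDS binds the new port."

# Post-restart check: NTDS runs inside lsass.exe, so after the reboot lsass
# should hold a TCP listener on the pinned port. Run this part once the DC is back.
$lsassId   = (Get-Process -Name lsass).Id
$listening = Get-NetTCPConnection -State Listen -OwningProcess $lsassId |
             Where-Object { $_.LocalPort -eq $rpcPort }
if ($listening) {
    Write-Host "NTDS is listening on TCP $rpcPort; the DMZ rule for RPC can be limited to 135/TCP plus $rpcPort/TCP."
} else {
    Write-Warning "No listener on TCP $rpcPort yet; the DC has probably not been restarted."
}
```

            Two practical notes. The firewall rule for the pinned port should be in addition to 135/TCP, not instead of it: the member server still contacts the endpoint mapper on 135 to learn which port NTDS is on. And this value pins only the directory service's own RPC interface; other RPC services on the DC (Netlogon, for one) keep their dynamic ports unless they are pinned separately, so watch the firewall logs for DMZ-to-internal connections on high ports after the change rather than assuming the single port covers everything.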



            • #7
              Re: Joining a domain through a firewall

              Thanks, I think I just read something that helps me out. If I understand it correctly, you set that NTDS TCP/IP value on the domain controller and then the member server uses port 135 to ask the domain controller which RPC port to contact it on, and it uses that newly set value. So there is nothing on the member server that needs to be set.



              • #8
                Re: Joining a domain through a firewall

                Let's hope that you don't care about your domain. Yikes!
                GoogleFu is strong with this one ^

