Which ports to open on firewall for WinXP Pro to join domain

Hello,
I am trying to figure out which ports need to be opened on our firewall in order for a remote site to add their Windows XP Pro machines to the Windows Server 2003 domain.  I have port 445 TCP open for MS-DS, and then I have read that port 389/UDP for LDAP ping, 88/TCP&UDP for Kerberos authentication, and MS-DS 445/UDP need to be open also. Is this correct?  Are there any other ports that I am missing?  I am assigning max points to this as I need the information right away.
Thanks in advance,

Asked: kiedas28

3 Solutions
Irwin Santos (Computer Integration Specialist) commented:
Here is a place that can help you out.

http://www.portforward.com

Locate your router, then review the settings...
 
Irwin Santos (Computer Integration Specialist) commented:
Here is the list of common port settings
http://www.portforward.com/cports.htm
 
kiedas28 (Author) commented:
I don't have access to the router; that is done by our networking group, which is why I am asking the question. I don't have access to analyze the traffic either.  I am submitting a form with the port numbers I need open and the network I need them opened to, and that is the extent of my control over it.  That is one reason why I am looking for a more specific list of what I need opened.
Thank you for your quick response.
 
Irwin Santos (Computer Integration Specialist) commented:
Probably the best is to go through the 2nd link and note what you have running in your system that you want access to, then jot down the ports required. Submit to the network group.
 
mikebernhardt commented:
You also need TCP ports 137 and 139.
 
michael_hering commented:
Hi Kiedas28,

You have mentioned that you are looking for the ports that you need to open up in your firewall to allow a remote site to add workstations to your Windows domain. Maybe it would be more helpful to know the structure of the setup of this remote site? Does a VPN exist between the two sites? Is the remote site setup with any type of server infrastructure locally, or are there only a few workstations at this remote site trying to send data to your main campus? Thanks.
 
prashsax commented:
Windows uses these ports:

epmap         135/tcp    loc-srv       #DCE endpoint resolution
epmap         135/udp    loc-srv       #DCE endpoint resolution
netbios-ns    137/tcp    nbname        #NETBIOS Name Service
netbios-ns    137/udp    nbname        #NETBIOS Name Service
netbios-dgm   138/udp    nbdatagram    #NETBIOS Datagram Service
netbios-ssn   139/tcp    nbsession     #NETBIOS Session Service
dns            53/udp    DNS           #DNS Resolution

If you are using WINS then:
wins         1512/tcp                  #Microsoft Windows Internet Name Service

Not sure about LDAP port TCP/389.
I think this should enable you to join a machine to the domain.
 
kiedas28 (Author) commented:
This sounds horrible, but I am not 100% sure of the setup at the remote site.  And the main office, well, it went like this: edge device installed, firewall rules applied, and bam, this is your assigned agency, now fix what is wrong.  So now I am trying to pick up the pieces and figure out their setup, all the while trying to get the stuff working that needs to be working, with little or no help from our telecom or firewall group or even the person assigned to the agency before I was.
Setup is a Win2k3 server (DC) at the main office, edge device installed here (gateway), VPN to the larger campus network where firewall rules are applied. And I believe the rules are applied by groups, as this is a large campus.  Remote office is subnetted off the main office network, no VPN device there; I believe there are 3-4 XP Pro machines there, only one of which is currently set up and operating.  I need to get that one on the domain.  Initially, before the edge device was installed, I could get the machine to browse to the DC in the main office; never tried to get it on the domain though.  Hope that helps.
 
Irwin Santos (Computer Integration Specialist) commented:
"This sounds horrible but I am not a 100% sure of the setup at the remote site.  And the main office well it went like this, edge device installed, firewall rules applied and bam this is your assigned agency now fix what is wrong."

Did they bend you over first when they said that? :-(

Anyone at another branch you can get help with? (preferably one that has a similar configuration as you)
 
kiedas28 (Author) commented:
Nope but they did say it with a smile. ;o} Should be used to it by now in this field as it seems to be the norm.
Sadly no, the campus as a whole is just now starting to implement the edge devices and then applying their firewall rules.

I did read somewhere about the ports 135, 137-139 having to be open.  I will add those to my list.  I cannot submit the form until tomorrow (seems the firewall guy went home early) so I appreciate all of your responses and if anyone else sees anything that was missed or that I missed please post.  I will award points tomorrow.
Thank you again.
 
michael_hering commented:
Kiedas28,

OK, what I'm hearing is this:

- You are located at a remote campus with 3-4 workstations that need to be added to a domain that exists at a remote campus.

- You have an edge device, which implies to me that this is a WatchGuard branded Edge device, located at your remote site pointing back to the main campus via a VPN.

Is this correct? Please be specific as to the brand of Edge device you are talking about.

Maybe someone can correct me if I'm wrong, but my impression is that if you have a VPN connection back to your main campus linked between these two Edge devices, then you shouldn't have to open up ports between the two NODs. Since the connection exists in an encrypted tunnel, this would add a level of security that may not be necessary.
 
michael_hering commented:
Kiedas28,

I'm sorry, my first bullet point should have ended with "that exists at a main campus."
 
Irwin Santos (Computer Integration Specialist) commented:
Here, add these to your list... most common (if not done already).

If you are running a webserver
http 80  
https 443

FTP server
ftp 21

Exchange or native POP3 & SMTP services
smtp 25
pop3 110

Remote Desktop....
RDP 3389
 
carl_legere commented:
Ok, opening 135-137 is suicide these days.  You can't just open ports to your Windows computer, leaving them ready for attack.  It will happen in minutes; I've seen it.

Something is wrong with the big picture if you have to open ports to connect XP to a domain.
 
Rob Williams commented:
The ports that are required to be open so that you can join a domain would make you so vulnerable to attack that it is not worth it. That would be an extremely risky move. The only way to consider doing this securely would be to set up a VPN, which in turn makes all ports open and available. There may be restrictions in doing so if you do not have access to the perimeter devices/firewalls, but one option is to use a free VPN utility called Hamachi. Hamachi is a very small utility that has to be installed on the local and remote systems. It then, through a third party, does a little initial handshaking to establish the connection, but there is no port forwarding or configuration required on any router, as both connections are treated as outgoing. This might be a solution to your problem if you are not able to make use of an existing VPN or establish a formal VPN connection.
http://www.hamachi.cc 
 
Rob Williams commented:
Hi Carl, you got the jump on me concerning the risks :-)
--Rob
 
carl_legere commented:
My partner and I just recently reminisced:
Remember when you could put your Exchange server directly on the net, and wherever you were, Outlook would magically work?  Now you need to build a VPN or that dreaded RPC via HTTPS.
 
Rob Williams commented:
Times they are a-changing.  Remember when we didn't have to lock our doors either? Or maybe you're not as old as I.  :-)
 
Irwin Santos (Computer Integration Specialist) commented:
...or when the Shack, Apple, and Pet were household names?  Hey flashback for all you guys.
http://www.ctrlaltdel-usa.net/yabb_2_1_superman/YaBB.pl?num=1141546540
 
Rob Williams commented:
Modems, games, Pet's ???? I think I'm older than you guys. How about main frames and punch cards. Security was locking the door when you left. :-)
 
kiedas28 (Author) commented:
Sorry, was away for a while...

Picture is more like this: the whole campus network is managed centrally for the whole state (network-wise); the agency main office on the local campus connects to the main campus via an edge device on, I believe, a DSL line; the remote office in the northern part of the state doesn't use an edge device and is on the same network, just a different subnet of that network.  Technically (at least to me), since it is supposed to be on the same network, although subnetted, it should not need ports open, but it does.  I don't really know what the connectivity is for the remote office, as I am not at the remote office; I am on the main (as a whole) campus and just assigned to support this agency. I know that we can open those ports 135, 137-139 just to a certain network for inbound. Doesn't that reduce the risks associated with those ports being opened?

I remember when we didn't have to lock our doors and I am not that old at least I don't think I am.  
Thanks again for all your responses.  
 
Irwin Santos (Computer Integration Specialist) commented:
@kiedas28... I would just offer up all the ports that are listed here... at least they are open for you to access.  Should they NOT be the ones you need, it would be easier for them to delete a configuration than to add it back on.  Since mind reading apparently is not your main function, this will surely help you out.

@Robwill...Star Trek with 950 IBM punch cards?  12in floppy? CPM?  Z80?  6502?  I'm trying to think what my earliest earliest computer experience was.
 
Rob Williams commented:
My vote:
53 DNS
88 Kerberos
123 NTP (may not be necessary)
135 RPC
137-139 NetBIOS
389 LDAP
445 SMB
1512 WINS if in use
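As an added example, not code from the thread or any of its posters, here is Rob's list turned into a scoped firewall change request: one allow rule per port and protocol from the remote-office subnet to the domain controller only, refusing anything as broad as 0.0.0.0/0, plus a TCP probe for checking the rules once applied. The subnet and DC address are constructed placeholders, and the per-port protocols are the ones each service actually uses rather than Rob's "allow both" shortcut.

```python
import ipaddress
import socket

# Service, port, protocol(s) for the ports listed in this thread. Rob notes the
# list mixes UDP and TCP; these are the protocols each service actually uses.
DOMAIN_JOIN_PORTS = [
    ("DNS", 53, ("tcp", "udp")),
    ("Kerberos", 88, ("tcp", "udp")),
    ("NTP (time sync for Kerberos)", 123, ("udp",)),
    ("RPC endpoint mapper", 135, ("tcp",)),
    ("NetBIOS name service", 137, ("udp",)),
    ("NetBIOS datagram", 138, ("udp",)),
    ("NetBIOS session", 139, ("tcp",)),
    ("LDAP", 389, ("tcp", "udp")),
    ("SMB / MS-DS", 445, ("tcp",)),
    ("WINS (only if in use)", 1512, ("tcp", "udp")),
]


def build_rules(src_cidr, dc_ip, min_prefixlen=16):
    """Allow rules from the remote-office subnet to the DC only. A source wider
    than /min_prefixlen (e.g. 0.0.0.0/0) is refused, as the thread warns."""
    src = ipaddress.ip_network(src_cidr, strict=True)
    dst = ipaddress.ip_address(dc_ip)
    if src.prefixlen < min_prefixlen:
        raise ValueError("source %s too broad; use the remote office subnet" % src)
    return [
        {"service": name, "proto": proto, "port": port,
         "src": str(src), "dst": str(dst), "action": "allow"}
        for name, port, protos in DOMAIN_JOIN_PORTS
        for proto in protos
    ]


def format_request(rules):
    """Render rules as lines to paste into a firewall change request form."""
    return "\n".join(
        f"allow {r['proto']}/{r['port']:<5} {r['src']} -> {r['dst']}  # {r['service']}"
        for r in rules
    )


def tcp_reachable(host, port, timeout=2.0):
    """Confirm a TCP port on the DC answers from the remote side once rules
    are applied (UDP services such as 137/138 cannot be probed this way)."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False
```

One thing the list leaves out: 135 is only the RPC endpoint mapper; the RPC services behind it use dynamic high ports (1025-5000 by default on Windows Server 2003), so the RPC-based parts of the join may need those as well.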
 
Rob Williams commented:
Now we are talk'n Irwin, though I don't remember 12" floppies, I remember 8", then of course there were tapes on reels. One of those 12" reels would probably fit on a memory stick today.  My first course was about 1971 in FORTRAN as I recall. I haven't been in the trade all those years but started with that, then to APL and Algol and first "PC" was Timex/Sinclair kit with a ZX81 ??  processor, I think. Ah the good ol' days. No firewalls to worry about then.
 
Irwin Santos (Computer Integration Specialist) commented:
@Robwill... ok, you got me beat... I was 8 in 1971.  12" floppies at the time were made by Verbatim... I remember the fuchsia disc holder. BASIC was mine and FORTRAN was next... then archaic Z80 Assembly (a forgotten language)... but I do remember the Timex Sinclair, which my Calculus Professor brought to school, just about the Atari 2600 heyday.

yeah, no firewalls... and hacking then meant that you are a God and not a criminal. ;-)
 
Rob Williams commented:
I was only 5 in 1971, started early  :-)
Actually I was starting high school at the time, and as a bit of a math wiz was sent to the local university to sit in on some very basic computer classes. Quite a thrill then. Turned 50 this year, so I'm not too much older.
Guess we're kind of off topic here, but minds drift as they get older... sorry kiedas28.
--Rob
 
Irwin Santos (Computer Integration Specialist) commented:
Ha!!
 
kiedas28 (Author) commented:
No problem, it is very amusing reading your thoughts on the subject; I love the "I remember whens..."  I am on the younger end of the stick, but I remember when my father was trying to get us kids into the computer thing.  So it is fun for me to read your thoughts on the subject.

Also thank you for your input on the ports I appreciate it. Will let you all know how it goes.
--kiedas28
 
Rob Williams commented:
kiedas28, it won't be long before you are doing the "remember when" thing. Surprising how fast time goes.

As for the ports, give it a shot, but as mentioned, do not open these to the Internet; it could be disastrous. However, I am also wondering why they would be closed down within a network, even between subnets, as most are required for a Windows network to function properly.
--Rob

ps- the ports I listed are mixed UDP and TCP, I can provide details but would recommend just allowing both, as a couple do use either.
Good luck.
 
michael_hering commented:
Kiedas28,

I think that there is a "big picture" problem here. I think the members of the forum need to know a little more before a solution can be provided. Is the remote office hooked up via VPN? This is a critical question. How is the traffic being routed to your main campus? If not via VPN then you are opening your network up to all kinds of problems.
 
Rob Williams commented:
Thanks kiedas28,
--Rob
 
Irwin Santos (Computer Integration Specialist) commented:
Cool. Thank you!