Firewall ports to open in a Cisco device to allow Forefront TMG 2010 to join the domain and publish Exchange 2007?

Posted on 2011-04-28
Last Modified: 2012-05-11
Hi All,

Does anyone know which server ports I need to open/allow in the hardware firewall between the DMZ and the internal LAN?

At the moment I have opened port 443 (SSL) and port 389 so that my TMG can talk to the Domain Controller, but I still cannot join the domain.

FYI: my TMG 2010 Standard is in the DMZ while the domain controllers are in the internal LAN. Between the zones I have a Cisco firewall in place.

Question by:jjoz
    LVL 74

    Expert Comment

    by:Glen Knight
    Why are you using a Cisco firewall AND FTMG?
    LVL 1

    Author Comment

    Oh, I mean I implemented an IP access list to further secure the traffic between zones.
    I am still wondering why ports 443 and 389 are not enough to join this TMG 2010 to the domain.
    LVL 74

    Assisted Solution

    by:Glen Knight
    You will need RPC ports, DNS ports, LDAP ports.  This is why I questioned the use of 2 firewalls.

    FTMG is a firewall in its own right; there should be no need to "secure" the route between FTMG and your internal network with another firewall.
    LVL 1

    Author Comment

    Thanks for the reply

    So it seems that ports 443 and 389 are not enough, so I'll have to open the following ports:

    DNS (53/tcp and 53/udp)
    Kerberos-Adm (UDP) (749/udp)
    Kerberos-Sec (TCP) (88/tcp)
    Kerberos-Sec (UDP) (88/udp)
    LDAP (389/tcp)
    LDAP UDP (389/udp)
    LDAP GC (Global Catalog) (3268/tcp)
    Microsoft CIFS (TCP) (445/tcp)
    Microsoft CIFS (UDP) (445/udp)
    NTP (UDP) (123/udp)
    PING (ICMP Type 8)
    RPC (all interfaces) (135/tcp)

    Is that all I should open?

    I didn't know that there were so many ports to open just to join the domain and enable Kerberos Constrained Delegation.
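The port list above, turned into something you can check and paste. This is an added example, not code from the thread or from Microsoft/Cisco: it models the DMZ-to-LAN flows a member server needs towards its domain controllers, renders them as a Cisco IOS named extended ACL, and reports which required flows a candidate rule set (such as "443 and 389 only") leaves uncovered. Two adjustments to the list in the post are deliberate and labelled in the code: 749/udp (kadmin) and 445/udp are not used by Active Directory and are left out, and the RPC dynamic port range is added, because 135/tcp is only the endpoint mapper and the real netlogon/SAMR/DRS calls land on a high port it hands back. The dynamic range 49152-65535 assumes Windows Server 2008 or later DCs (2003 uses 1025-5000); the addresses 192.0.2.10 and 10.0.0.0/24 and the ACL name DMZ-TO-LAN are placeholders.

```python
"""Added example: model the DMZ -> internal-LAN flows a TMG server needs to join
an AD domain, render them as a Cisco IOS extended ACL, and check a candidate
rule set (e.g. 'only 443 and 389') for gaps.  Addresses are placeholders."""
import re
from dataclasses import dataclass
from typing import Iterable, List, Set, Tuple


@dataclass(frozen=True)
class Flow:
    proto: str   # "tcp", "udp" or "icmp"
    lo: int      # first destination port (for icmp: the ICMP type)
    hi: int      # last destination port (== lo for a single port)
    desc: str


def single(proto: str, port: int, desc: str) -> Flow:
    return Flow(proto, port, port, desc)


# Ports from the thread, minus 749/udp (MIT kadmin) and 445/udp, which Active
# Directory does not use, plus the RPC dynamic range that the endpoint mapper
# on 135/tcp redirects clients to.
# ASSUMPTION: DCs run Windows Server 2008 or later (dynamic range 49152-65535);
# Windows Server 2003 DCs use 1025-5000 instead.
REQUIRED_FOR_DOMAIN_JOIN: List[Flow] = [
    single("udp", 53, "DNS (SRV lookups for the DC locator)"),
    single("tcp", 53, "DNS over TCP (large responses)"),
    single("tcp", 88, "Kerberos"),
    single("udp", 88, "Kerberos"),
    single("tcp", 389, "LDAP"),
    single("udp", 389, "CLDAP DC locator ping"),
    single("tcp", 3268, "LDAP Global Catalog"),
    single("tcp", 445, "SMB (netlogon, SYSVOL, group policy)"),
    single("udp", 123, "NTP / W32Time (Kerberos clock skew)"),
    Flow("icmp", 8, 8, "ICMP echo (slow-link detection)"),
    single("tcp", 135, "RPC endpoint mapper"),
    Flow("tcp", 49152, 65535, "RPC dynamic range (netlogon/SAMR/DRSUAPI)"),
]

Allowed = Tuple[str, int, int]   # (proto, lo, hi) as permitted by the firewall


def missing_flows(allowed: Iterable[Allowed],
                  required: List[Flow] = REQUIRED_FOR_DOMAIN_JOIN) -> List[Flow]:
    """Return the required flows that no allowed entry covers completely."""
    allowed = list(allowed)
    return [f for f in required
            if not any(p == f.proto and lo <= f.lo and f.hi <= hi
                       for p, lo, hi in allowed)]


def render_acl(name: str, tmg_ip: str, lan_net: str, lan_wildcard: str,
               flows: List[Flow] = REQUIRED_FOR_DOMAIN_JOIN) -> List[str]:
    """Render an IOS named extended ACL permitting only TMG -> DC traffic."""
    dst = f"{lan_net} {lan_wildcard}"
    lines = [f"ip access-list extended {name}"]
    for f in flows:
        lines.append(f" remark {f.desc}")
        if f.proto == "icmp":
            match = "echo" if f.lo == 8 else str(f.lo)
            lines.append(f" permit icmp host {tmg_ip} {dst} {match}")
        elif f.lo == f.hi:
            lines.append(f" permit {f.proto} host {tmg_ip} {dst} eq {f.lo}")
        else:
            lines.append(f" permit {f.proto} host {tmg_ip} {dst} range {f.lo} {f.hi}")
    lines.append(" deny ip any any log")   # explicit deny so drops are logged
    return lines


_PERMIT = re.compile(
    r"^\s*permit\s+(tcp|udp|icmp)\s+\S.*?\s+(?:eq\s+(\d+)|range\s+(\d+)\s+(\d+)|(echo))\s*$")


def parse_allowed(acl_lines: Iterable[str]) -> Set[Allowed]:
    """Read permit entries back out of IOS ACL text (the subset render_acl emits)."""
    allowed: Set[Allowed] = set()
    for line in acl_lines:
        m = _PERMIT.match(line)
        if not m:
            continue
        proto, eq, rlo, rhi, echo = m.groups()
        if echo:
            allowed.add(("icmp", 8, 8))
        elif eq:
            allowed.add((proto, int(eq), int(eq)))
        else:
            allowed.add((proto, int(rlo), int(rhi)))
    return allowed


if __name__ == "__main__":
    # The asker's starting point: 443/tcp and 389/tcp only.
    for f in missing_flows({("tcp", 443, 443), ("tcp", 389, 389)}):
        print(f"missing: {f.proto}/{f.lo}-{f.hi}  {f.desc}")
    print()
    print("\n".join(render_acl("DMZ-TO-LAN", "192.0.2.10", "10.0.0.0", "0.0.0.255")))
```

Run it and the first section lists every flow the original 443-plus-389 rule set misses (Kerberos, DNS, SMB, the endpoint mapper and its dynamic range), which is why the join fails; the second section is the ACL to apply inbound on the DMZ interface. If the Cisco device is a plain IOS ACL rather than a stateful firewall (ASA or zone-based), return traffic from the DCs also needs a rule in the other direction (an `established` or reflexive ACL), and TMG's own system policy must allow the same flows from the TMG host.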
    LVL 74

    Accepted Solution

    I don't know the actual port numbers but that list certainly looks correct.

    The FTMG can have a connection on the internal network and be configured as your firewall.  There should be no need to use a second firewall.
    LVL 1

    Author Comment

    Ah cool.
    Thanks for the confirmation.
    LVL 1

    Author Closing Comment

    Thanks man!
