
Firewall ports to open in Cisco device to allow Forefront TMG 2010 to join domain and publish Exchange 2007?

Hi All,

Does anyone know which server ports I need to open/allow in the hardware firewall between the DMZ and the internal LAN?

At the moment I have opened port 443 (SSL) and port 389 so that my TMG can talk to the domain controller, but I still cannot join the domain.

FYI: my TMG 2010 std is in the DMZ while the domain controllers are in the internal LAN. Between the zones I have a Cisco firewall in place.

Glen Knight Commented:
Why are you using a Cisco firewall AND FTMG?

jjoz (Author) Commented:
Oh, I mean I implement an IP access list to make it more secure between zones.
I am still wondering why ports 443 and 389 are not enough to join this TMG 2010 to the domain?

Glen Knight Commented:
You will need RPC ports, DNS ports, LDAP ports. This is why I questioned the use of 2 firewalls.

FTMG is a firewall in its own right, there should be no need to "secure" the route between FTMG and your internal network with another firewall.
jjoz (Author) Commented:
Thanks for the reply.

So it seems that ports 443 and 389 are not enough, so I'll have to open the following ports:

DNS (53/tcp and 53/udp)
Kerberos-Adm (UDP) (749/udp)
Kerberos-Sec (TCP) (88/tcp)
Kerberos-Sec (UDP) (88/udp)
LDAP (389/tcp)
LDAP UDP (389/udp)
LDAP GC (Global Catalog) (3268/tcp)
Microsoft CIFS (TCP) (445/tcp)
Microsoft CIFS (UDP) (445/udp)
NTP (UDP) (123/udp)
PING (ICMP Type 8)
RPC (all interfaces) (135/tcp)

Is that all that I should open?

I didn't know that there were so many ports to open just to join the domain and enable Kerberos Constrained Delegation.
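
The port list posted above, turned into Cisco ACL entries (an added example, not part of the original thread). It assumes IOS extended named-ACL syntax; the ACL name and the TMG and domain controller addresses are constructed placeholders.

```python
import re

# Port list exactly as posted in the thread.
POSTED = """\
DNS (53/tcp and 53/udp)
Kerberos-Adm (UDP) (749/udp)
Kerberos-Sec (TCP) (88/tcp)
Kerberos-Sec (UDP) (88/udp)
LDAP (389/tcp)
LDAP UDP (389/udp)
LDAP GC (Global Catalog) (3268/tcp)
Microsoft CIFS (TCP) (445/tcp)
Microsoft CIFS (UDP) (445/udp)
NTP (UDP) (123/udp)
PING (ICMP Type 8)
RPC (all interfaces) (135/tcp)
"""

def parse_rules(text):
    """Return sorted, de-duplicated (protocol, port) pairs; ICMP type 8 is ('icmp', 8)."""
    rules = set()
    for line in text.splitlines():
        # One line may carry several port/protocol pairs, e.g. the DNS entry.
        for port, proto in re.findall(r"(\d+)/(tcp|udp)", line, re.I):
            rules.add((proto.lower(), int(port)))
        if re.search(r"ICMP Type 8", line, re.I):
            rules.add(("icmp", 8))
    return sorted(rules)

def render_acl(rules, tmg, dcs, name="DMZ-TMG-TO-DC"):
    """Emit host-to-host permits only: TMG as source, each DC as destination."""
    lines = [f"ip access-list extended {name}"]  # ACL name is hypothetical
    for dc in dcs:
        lines.append(f" remark TMG {tmg} -> DC {dc}")
        for proto, port in rules:
            # ICMP type 8 is written as the 'echo' keyword; TCP/UDP use 'eq <port>'.
            match = "echo" if proto == "icmp" else f"eq {port}"
            lines.append(f" permit {proto} host {tmg} host {dc} {match}")
    return lines

if __name__ == "__main__":
    # Constructed addresses from the documentation ranges, not from the thread.
    print("\n".join(render_acl(parse_rules(POSTED), "192.0.2.10", ["198.51.100.5"])))
```

Scoping each entry to the TMG host and the individual domain controllers keeps the DMZ-to-LAN opening as narrow as the list allows. The list as posted carries only 135/tcp for RPC; that port is the endpoint mapper, which refers clients to a dynamically assigned port, so the RPC port range in use on the domain controllers needs its own rule.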

Glen Knight Commented:
I don't know the actual port numbers but that list certainly looks correct.

The FTMG can have a connection on the internal network and be configured as your firewall.  There should be no need to use a second firewall.

jjoz (Author) Commented:
Ah, cool.
Thanks for the confirmation.

jjoz (Author) Commented:
Thanks, man!

Question has a verified solution.