Solved

Firewall ports to open in a Cisco device to allow Forefront TMG 2010 to join the domain and publish Exchange 2007?

Posted on 2011-04-28
Last Modified: 2012-05-11
Hi All,

Does anyone know which server ports I need to open/allow in the hardware firewall between the DMZ and the internal LAN?

At the moment I have opened port 443 (SSL) and port 389 so that my TMG can talk to the domain controller, but I still cannot join the domain.

FYI: my TMG 2010 Std is in the DMZ while the domain controllers are in the internal LAN. Between the zones I have a Cisco firewall in place.

Thanks.
Question by:jjoz
7 Comments
 
LVL 74

Expert Comment

by:Glen Knight
ID: 35489257
Why are you using a Cisco firewall AND FTMG?
 
LVL 1

Author Comment

by:jjoz
ID: 35489265
Oh, I mean I implement IP access lists to secure the zones further.
I am still wondering why ports 443 and 389 are not enough to join this TMG 2010 to the domain.
 
LVL 74

Assisted Solution

by:Glen Knight
Glen Knight earned 2000 total points
ID: 35489288
You will need RPC ports, DNS ports, LDAP ports. This is why I questioned the use of 2 firewalls.

FTMG is a firewall in its own right; there should be no need to "secure" the route between FTMG and your internal network with another firewall.
 
LVL 1

Author Comment

by:jjoz
ID: 35489310
Thanks for the reply.

So it seems that ports 443 and 389 are not enough, so I'll have to open the following ports:

DNS (53/tcp and 53/udp)
Kerberos-Adm (UDP) (749/udp)
Kerberos-Sec (TCP) (88/tcp)
Kerberos-Sec (UDP) (88/udp)
LDAP (389/tcp)
LDAP UDP (389/udp)
LDAP GC (Global Catalog) (3268/tcp)
Microsoft CIFS (TCP) (445/tcp)
Microsoft CIFS (UDP) (445/udp)
NTP (UDP) (123/udp)
PING (ICMP Type 8)
RPC (all interfaces) (135/tcp)

Is that all I should open?

I didn't know that so many ports had to be opened just to join the domain and enable Kerberos Constrained Delegation.
 
LVL 74

Accepted Solution

by:Glen Knight
Glen Knight earned 2000 total points
ID: 35489324
I don't know the actual port numbers but that list certainly looks correct.

The FTMG can have a connection on the internal network and be configured as your firewall. There should be no need to use a second firewall.
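One way to express that port list as the IP access list on the Cisco device, as an added example that is not part of the thread: a Cisco IOS extended ACL applied inbound on the DMZ interface that lets only the TMG host reach the domain controllers on the listed services and logs everything else it drops. The addresses, interface name and the Exchange CAS entry are constructed placeholders; it assumes Windows Server 2008 or later domain controllers for the RPC dynamic range (which 135/tcp alone does not cover), uses kpasswd 464 rather than the 749 in the list (749 is the MIT kadmin port, not used by Windows DCs), and omits 445/udp because SMB runs over TCP only.

```cisco
! Added example, not from the thread: Cisco IOS extended ACL for the DMZ -> LAN path.
! Constructed addresses: TMG DMZ interface 192.0.2.10, DCs 10.0.0.11 and 10.0.0.12, Exchange CAS 10.0.0.20.
! The original rule set allowed only 443 and 389, which is why the domain join failed.
object-group network DOMAIN-CONTROLLERS
 host 10.0.0.11
 host 10.0.0.12
!
ip access-list extended DMZ-TO-LAN
 remark DNS: SRV lookups for the domain (53/tcp for responses larger than 512 bytes)
 permit udp host 192.0.2.10 object-group DOMAIN-CONTROLLERS eq 53
 permit tcp host 192.0.2.10 object-group DOMAIN-CONTROLLERS eq 53
 remark Kerberos authentication
 permit tcp host 192.0.2.10 object-group DOMAIN-CONTROLLERS eq 88
 permit udp host 192.0.2.10 object-group DOMAIN-CONTROLLERS eq 88
 remark Kerberos password change (kpasswd 464; Windows DCs do not use 749)
 permit tcp host 192.0.2.10 object-group DOMAIN-CONTROLLERS eq 464
 permit udp host 192.0.2.10 object-group DOMAIN-CONTROLLERS eq 464
 remark LDAP and Global Catalog
 permit tcp host 192.0.2.10 object-group DOMAIN-CONTROLLERS eq 389
 permit udp host 192.0.2.10 object-group DOMAIN-CONTROLLERS eq 389
 permit tcp host 192.0.2.10 object-group DOMAIN-CONTROLLERS eq 3268
 remark SMB/CIFS: SYSVOL and NETLOGON shares for Group Policy (TCP only)
 permit tcp host 192.0.2.10 object-group DOMAIN-CONTROLLERS eq 445
 remark Time sync (Kerberos allows 5 minutes of clock skew by default)
 permit udp host 192.0.2.10 object-group DOMAIN-CONTROLLERS eq 123
 remark RPC endpoint mapper plus the dynamic range it hands out (assumes Server 2008+ DCs)
 permit tcp host 192.0.2.10 object-group DOMAIN-CONTROLLERS eq 135
 permit tcp host 192.0.2.10 object-group DOMAIN-CONTROLLERS range 49152 65535
 remark ICMP echo only, not all ICMP
 permit icmp host 192.0.2.10 object-group DOMAIN-CONTROLLERS echo
 remark Existing rule kept: TMG to the published Exchange CAS (constructed address)
 permit tcp host 192.0.2.10 host 10.0.0.20 eq 443
 remark Everything else from the DMZ is dropped and logged for troubleshooting
 deny ip any any log
!
interface GigabitEthernet0/1
 description DMZ (constructed interface name)
 ip access-group DMZ-TO-LAN in
```

Watching `deny ip any any log` hits while re-running the domain join shows which port, if any, is still missing; TMG itself must also allow the same traffic on its internal network rule.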
 
LVL 1

Author Comment

by:jjoz
ID: 35489325
Ah cool.
Thanks for the confirmation.
 
LVL 1

Author Closing Comment

by:jjoz
ID: 35489326
Thanks man!
