Solved

Active Directory authentication across Cisco ASA Firewall

Posted on 2013-05-15
5
3,154 Views
Last Modified: 2013-05-16
I have a server in a DMZ that I need to authenticate to Active Directory.  What I am using as a test right now is gpupdate.  I can open up all TCP ports to the domain controller and gpupdate works fine.  However, if I lock down TCP ports and only allow recommended TCP ports (ldap,445,135,389,1026) it still will not work.  I have read that this is probably because of some dynamic ports that are needed because of the way microsoft works.  I also have read that this can be achieved by using DCERPC inspection, but I have tried enabling that also with no luck.  When I run debug on DCERPC and try to run gpupdate I can see debug information but I am not real sure what it means.

I need to be able to authenticate to AD/GP but not open up more than I have to because this is a server in a DMZ.
0
Comment
Question by:ddftech
5 Comments
 
LVL 21

Expert Comment

by:mcsween
ID: 39168579
You need to make a couple registry changes to limit the RPC dynamic ports to a smaller range then open this range on your firewall.

http://support.microsoft.com/kb/154596

This link outlines all ports used by Active Directory -
http://technet.microsoft.com/en-us/library/dd772723(v=ws.10).aspx
0
 
LVL 37

Accepted Solution

by:
Bing CISM / CISSP earned 500 total points
ID: 39168595
hi ddftech

AD authentication is based on Kerberos protocol which works over TCP and UDP port 88 by default. Hence the ports should be opened on firewalls, too.

see below for more port requirements.

Active Directory and Active Directory Domain Services Port Requirements
http://technet.microsoft.com/en-us/library/dd772723%28v=ws.10%29.aspx

hope it helps,
bbao
0
 
LVL 57

Expert Comment

by:Pete Long
ID: 39168651
Logging into the domain through a Firewall

Note this is to log in - NOT for Exchange, SQL or a Domain Controller, I’ve not tried those so I can't comment.

The following ports have to be open from the outside (or DMZ) to the domain controllers.
NB: I know having these open from outside/DMZ has security implications but sometimes it needs to be done.

Ports open from DMZ\Outside


UDP      domain            53
TCP      domain            53
UDP      Kerberos            88
TCP      Kerberos            88
UDP      Time                  123
TCP      Kerberos Auth      135
UDP      netbios-ns            137
TCP      netbios-ssn            139
TCP      ldap                  389
UDP      ldap                  389
TCP      microsoft-ds            445
TCP      ldap to GC            3268

However the process still fails (or runs like a two legged dog and appears to work) this is because of the RPC system that runs on the domain controllers, when you log in the client fires up a communication over port 135 the Domain controller, which then fires back a port number it wants to communicate with the client over (this can be any numberbetween 49152 and 65535) your firewall lets this through outbound.

When it hits your client, it tries to open comms on that port, which is inevitably blocked on the firewall

When this happens you will see errors like

Error 1053
There are no more endpoints available from the endpoint mapper.

if you run netdiag on the machine you will see errors like
[WARNING] Cannot call DsBind to servername.domain_name.com (<ip address>). [EPT_S_NOT_REGISTERED]

There are two ways to solve the problem

1. Open every port  between 49152 and 65535) on your firewall, however this is about as sensible as eating yellow snow.

2. Change the way your domain controller handles RPC requests,

NOTE this must be done on EVERY domain controller

Click Start > Run > regedit {enter}

Navigate to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Parameters\

Create a new DWORD value called "TCP/IP Port"  (remove the quotes and include the space)double click it and change the "base" to decimal type in a port number (between 1024and 65000) for the sake of argument use 1024 Exit the Registry Editor and you MUST reboot the server.

Now go back to the Firewall and open the following port

 
TCP      static RPC      1024


Now the process will work.
0
 
LVL 21

Expert Comment

by:mcsween
ID: 39168752
You should set the RPC range to at least 100 ports and do not use 1024, you should use something between 49152 and 65535.

I could be wrong as I haven't done this in a while but I think this is done on the server in the DMZ; not your domain controller...
0
 

Author Closing Comment

by:ddftech
ID: 39172391
Everything else I had put in was working properly, but somehow I had missed port 88.  I put it in and it works like a charm.
0

Featured Post

How to improve team productivity

Quip adds documents, spreadsheets, and tasklists to your Slack experience
- Elevate ideas to Quip docs
- Share Quip docs in Slack
- Get notified of changes to your docs
- Available on iOS/Android/Desktop/Web
- Online/Offline

Join & Write a Comment

Hi All,  Recently I have installed and configured a Sonicwall NS220 in the network as a firewall and Internet access gateway. All was working fine until users started reporting that they cannot use the Cisco VPN client to connect to the customer'…
In this article, we will see the basic design consideration while designing a Multi-tenant web application in a simple manner. Though, many frameworks are available in the market to develop a multi - tenant application, but do they provide data, cod…
This tutorial will walk an individual through the steps necessary to join and promote the first Windows Server 2012 domain controller into an Active Directory environment running on Windows Server 2008. Determine the location of the FSMO roles by lo…
This tutorial will walk an individual through the process of transferring the five major, necessary Active Directory Roles, commonly referred to as the FSMO roles to another domain controller. Log onto the new domain controller with a user account t…

705 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

19 Experts available now in Live!

Get 1:1 Help Now