ddftech
asked on
Active Directory authentication across Cisco ASA Firewall
I have a server in a DMZ that I need to authenticate to Active Directory. What I am using as a test right now is gpupdate. I can open up all TCP ports to the domain controller and gpupdate works fine. However, if I lock down TCP ports and only allow recommended TCP ports (ldap,445,135,389,1026) it still will not work. I have read that this is probably because of some dynamic ports that are needed because of the way microsoft works. I also have read that this can be achieved by using DCERPC inspection, but I have tried enabling that also with no luck. When I run debug on DCERPC and try to run gpupdate I can see debug information but I am not real sure what it means.
I need to be able to authenticate to AD/GP but not open up more than I have to because this is a server in a DMZ.
I need to be able to authenticate to AD/GP but not open up more than I have to because this is a server in a DMZ.
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
Logging into the domain through a Firewall
Note this is to log in - NOT for Exchange, SQL or a Domain Controller, I’ve not tried those so I can't comment.
The following ports have to be open from the outside (or DMZ) to the domain controllers.
NB: I know having these open from outside/DMZ has security implications but sometimes it needs to be done.
Ports open from DMZ\Outside
UDP domain 53
TCP domain 53
UDP Kerberos 88
TCP Kerberos 88
UDP Time 123
TCP Kerberos Auth 135
UDP netbios-ns 137
TCP netbios-ssn 139
TCP ldap 389
UDP ldap 389
TCP microsoft-ds 445
TCP ldap to GC 3268
However the process still fails (or runs like a two legged dog and appears to work) this is because of the RPC system that runs on the domain controllers, when you log in the client fires up a communication over port 135 the Domain controller, which then fires back a port number it wants to communicate with the client over (this can be any numberbetween 49152 and 65535) your firewall lets this through outbound.
When it hits your client, it tries to open comms on that port, which is inevitably blocked on the firewall
When this happens you will see errors like
Error 1053
There are no more endpoints available from the endpoint mapper.
if you run netdiag on the machine you will see errors like
[WARNING] Cannot call DsBind to servername.domain_name.com
There are two ways to solve the problem
1. Open every port between 49152 and 65535) on your firewall, however this is about as sensible as eating yellow snow.
2. Change the way your domain controller handles RPC requests,
NOTE this must be done on EVERY domain controller
Click Start > Run > regedit {enter}
Navigate to HKEY_LOCAL_MACHINE\SYSTEM\
Create a new DWORD value called "TCP/IP Port" (remove the quotes and include the space)double click it and change the "base" to decimal type in a port number (between 1024and 65000) for the sake of argument use 1024 Exit the Registry Editor and you MUST reboot the server.
Now go back to the Firewall and open the following port
TCP static RPC 1024
Now the process will work.
Note this is to log in - NOT for Exchange, SQL or a Domain Controller, I’ve not tried those so I can't comment.
The following ports have to be open from the outside (or DMZ) to the domain controllers.
NB: I know having these open from outside/DMZ has security implications but sometimes it needs to be done.
Ports open from DMZ\Outside
UDP domain 53
TCP domain 53
UDP Kerberos 88
TCP Kerberos 88
UDP Time 123
TCP Kerberos Auth 135
UDP netbios-ns 137
TCP netbios-ssn 139
TCP ldap 389
UDP ldap 389
TCP microsoft-ds 445
TCP ldap to GC 3268
However the process still fails (or runs like a two legged dog and appears to work) this is because of the RPC system that runs on the domain controllers, when you log in the client fires up a communication over port 135 the Domain controller, which then fires back a port number it wants to communicate with the client over (this can be any numberbetween 49152 and 65535) your firewall lets this through outbound.
When it hits your client, it tries to open comms on that port, which is inevitably blocked on the firewall
When this happens you will see errors like
Error 1053
There are no more endpoints available from the endpoint mapper.
if you run netdiag on the machine you will see errors like
[WARNING] Cannot call DsBind to servername.domain_name.com
There are two ways to solve the problem
1. Open every port between 49152 and 65535) on your firewall, however this is about as sensible as eating yellow snow.
2. Change the way your domain controller handles RPC requests,
NOTE this must be done on EVERY domain controller
Click Start > Run > regedit {enter}
Navigate to HKEY_LOCAL_MACHINE\SYSTEM\
Create a new DWORD value called "TCP/IP Port" (remove the quotes and include the space)double click it and change the "base" to decimal type in a port number (between 1024and 65000) for the sake of argument use 1024 Exit the Registry Editor and you MUST reboot the server.
Now go back to the Firewall and open the following port
TCP static RPC 1024
Now the process will work.
You should set the RPC range to at least 100 ports and do not use 1024, you should use something between 49152 and 65535.
I could be wrong as I haven't done this in a while but I think this is done on the server in the DMZ; not your domain controller...
I could be wrong as I haven't done this in a while but I think this is done on the server in the DMZ; not your domain controller...
ASKER
Everything else I had put in was working properly, but somehow I had missed port 88. I put it in and it works like a charm.
http://support.microsoft.com/kb/154596
This link outlines all ports used by Active Directory -
http://technet.microsoft.com/en-us/library/dd772723(v=ws.10).aspx