Active Directory authentication across Cisco ASA Firewall
Posted on 2013-05-15
I have a server in a DMZ that I need to authenticate to Active Directory. What I am using as a test right now is gpupdate. I can open up all TCP ports to the domain controller and gpupdate works fine. However, if I lock down TCP ports and only allow the recommended TCP ports (ldap,445,135,389,1026) it still will not work. I have read that this is probably because of some dynamic ports that are needed because of the way Microsoft works. I have also read that this can be achieved by using DCERPC inspection, but I have tried enabling that as well with no luck. When I run debug on DCERPC and try to run gpupdate I can see debug information, but I am not really sure what it means.
I need to be able to authenticate to AD/GP but not open up more than I have to because this is a server in a DMZ.
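Added example, not from the original post: one way to lay out a least-privilege DMZ-to-domain-controller rule set on a Cisco ASA (8.3 or later syntax) so that the RPC dynamic ports are opened by DCERPC inspection instead of a static range. The interface name `dmz`, the addresses and the object names are constructed placeholders; the port list goes slightly beyond the ports named in the post because Kerberos (88) and DNS (53) are also needed for domain authentication and for locating the domain controller.

```cisco
! Constructed addresses; replace with the real DMZ host and domain controller.
object network DMZ-SERVER
 host 192.0.2.10
object network DC1
 host 198.51.100.5

! TCP services the DMZ member needs to talk to the DC.
! 135 is the RPC endpoint mapper; the dynamic ports that follow it are
! opened per-connection by "inspect dcerpc" below, so no static range is needed.
object-group service AD-AUTH-TCP tcp
 port-object eq 53
 port-object eq 88
 port-object eq 135
 port-object eq 389
 port-object eq 445
 port-object eq 636

! UDP services: DNS, Kerberos, NTP (Kerberos fails on clock skew) and LDAP ping.
object-group service AD-AUTH-UDP udp
 port-object eq 53
 port-object eq 88
 port-object eq 123
 port-object eq 389

! Inbound ACL on the DMZ interface: only this host, only to this DC,
! only these ports; everything else is denied and logged.
access-list DMZ_IN remark DMZ member server to domain controller
access-list DMZ_IN extended permit tcp object DMZ-SERVER object DC1 object-group AD-AUTH-TCP
access-list DMZ_IN extended permit udp object DMZ-SERVER object DC1 object-group AD-AUTH-UDP
access-list DMZ_IN extended deny ip any any log
access-group DMZ_IN in interface dmz

! Enable DCERPC inspection in the default global policy so the ASA
! reads the endpoint-mapper reply and pinholes the negotiated port.
policy-map global_policy
 class inspection_default
  inspect dcerpc
service-policy global_policy global

! Verification after a gpupdate attempt: inspection counters should move
! and the deny line should show no hits for traffic to the DC.
! show service-policy inspect dcerpc
! show access-list DMZ_IN
```

If the inspection counters stay at zero while gpupdate still fails, the endpoint-mapper exchange is not being seen on port 135 at all, which points at an ordering or reachability problem in the ACL rather than at DCERPC. Only if inspection is confirmed to be unworkable does a static `port-object range` for the Windows dynamic RPC range (49152 to 65535 on Windows Server 2008 and later) become the fallback, and the deny-with-log line stays in place so that anything outside the list is visible in the logs.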