Veeam is happy to provide a free NFR license (for 1 year, up to 10 users). This license allows for the non‑production use of Veeam Backup for Microsoft Office 365 in your home lab without any feature limitations.
COURSE of the MONTH
10 days, 3 hours left to enrollBecome a Premium Member and unlock a new, free course in leading technologies each month.
Solved
What ports should i open if i want to connect a server to a domain using SLDAP?
Posted on 2013-06-18
Hello,
I have a server that is in the DMZ network and i need to connect it as a member server of our Domain inside the LAN.
I know (Please correct me if i'm wrong) that the following ports should be opened from the server to all the DC's in the domain.
TCP 135 : MS-RPC
TCP 1025 & 1026 : AD Login & replication
TCP 389 : LDAP
TCP & UDP 53 : DNS
TCP 445 : SMB , Microsoft-ds
TCP 139 : SMB
UDP 137 & 138 : NetBIOS related
UDP 88 : Kerberos v5
My question is, If I want a secure connection (since it's in the DMZ), is it enough if i simply replace the TCP 389 port with 636 (SLDAP) port? Will I still need to open the remaining ports? and if so, is it still considered a secured connection (since i presume all other connections are not secured)
I have a server that is in the DMZ network and i need to connect it as a member server of our Domain inside the LAN.
I know (Please correct me if i'm wrong) that the following ports should be opened from the server to all the DC's in the domain.
TCP 135 : MS-RPC
TCP 1025 & 1026 : AD Login & replication
TCP 389 : LDAP
TCP & UDP 53 : DNS
TCP 445 : SMB , Microsoft-ds
TCP 139 : SMB
UDP 137 & 138 : NetBIOS related
UDP 88 : Kerberos v5
My question is, If I want a secure connection (since it's in the DMZ), is it enough if i simply replace the TCP 389 port with 636 (SLDAP) port? Will I still need to open the remaining ports? and if so, is it still considered a secured connection (since i presume all other connections are not secured)
[X]
Welcome to Experts Exchange
Add your voice to the tech community where 5M+ people just like you are talking about what matters.
- Help others & share knowledge
- Earn cash & points
- Learn & ask questions
-
2
- +1
5 Comments
Best thing to do would be to setup an RODC in the DMZ. you will have to open all the ports you mentioned plus 636SLDP and 3269GC.
check the link below.;
http://technet.microsoft.com/en-us/library/dd728028(WS.10).aspx
http://social.technet.microsoft.com/wiki/contents/articles/584.active-directory-replication-over-firewalls.aspx
check the link below.;
http://technet.microsoft.com/en-us/library/dd728028(WS.10).aspx
http://social.technet.microsoft.com/wiki/contents/articles/584.active-directory-replication-over-firewalls.aspx
Configure IPSEC between DC's for secure connections. please check the below links it will help you.
http://www.experts-exchange.com/Software/Server_Software/File_Servers/Active_Directory/Q_27023252.html
http://blogs.technet.com/b/luistog/archive/2012/05/08/restricting-ad-replication-traffic-between-dcs-to-only-a-few-ports.aspx
http://www.experts-exchange.com/Software/Server_Software/File_Servers/Active_Directory/Q_27023252.html
http://blogs.technet.com/b/luistog/archive/2012/05/08/restricting-ad-replication-traffic-between-dcs-to-only-a-few-ports.aspx
Active 4 days ago
Thanks for both answers, RODC isn't an option since i'm using 2003.
I can use IPSEC, however here's my question.
I want to confirm that SLDAP isn't enough, i'll still need to open the remaining ports I've mentioned, however, from a security standpoint (not technical, since that one is explained in the articles you provided) it's a problem. are there any other secure ports to use if we want to go SLDAP? otherwise, what's the point of SLDAP if the remaining ports are not secured.
I can use IPSEC, however here's my question.
I want to confirm that SLDAP isn't enough, i'll still need to open the remaining ports I've mentioned, however, from a security standpoint (not technical, since that one is explained in the articles you provided) it's a problem. are there any other secure ports to use if we want to go SLDAP? otherwise, what's the point of SLDAP if the remaining ports are not secured.
Agree with Jaihunt and lruiz52. In addition I would suggest you to check these links as a reference, so that you can decide what to do SLDAP and its ports.
How A Criminal Might Infiltrate Your Network
This link is just reference: http://technet.microsoft.com/en-us/library/dd728030(WS.10).aspx
How A Criminal Might Infiltrate Your Network
This link is just reference: http://technet.microsoft.com/en-us/library/dd728030(WS.10).aspx
Featured Post
Question has a verified solution.
If you are experiencing a similar issue, please ask a related question
Always backup Domain, SYSVOL etc.using processes according to Microsoft Best Practices. This is meant as a disaster recovery process for small environments that did not implement backup processes and did not run a secondary domain controller that ne…
Let's recap what we learned from yesterday's Skyport Systems webinar.
- Ransomware
- Experts Exchange
- Skyport Systems
- Active Directory
- Security
- *privileged credentials
This tutorial will walk an individual through the steps necessary to join and promote the first Windows Server 2012 domain controller into an Active Directory environment running on Windows Server 2008.
Determine the location of the FSMO roles by lo…
Are you ready to implement Active Directory best practices without reading 300+ pages?
You're in luck. In this webinar hosted by Skyport Systems, you gain insight into Microsoft's latest comprehensive guide, with tips on the best and easiest way…
Suggested Courses
Course of the Month10 days, 3 hours left to enroll
762 members asked questions and received personalized solutions in the past 7 days.
Join the community of 500,000 technology professionals and ask your questions.