Solved

What ports should I open if I want to connect a server to a domain using SLDAP?

Posted on 2013-06-18
5
472 Views
Last Modified: 2013-07-21
Hello,
I have a server that is in the DMZ network and I need to connect it as a member server of our Domain inside the LAN.

I know (please correct me if I'm wrong) that the following ports should be opened from the server to all the DCs in the domain.

TCP 135 : MS-RPC
TCP 1025 & 1026 : AD Login & replication
TCP 389 : LDAP
TCP & UDP 53 : DNS
TCP 445 : SMB, Microsoft-ds
TCP 139 : SMB
UDP 137 & 138 : NetBIOS related
UDP 88 : Kerberos v5


My question is: if I want a secure connection (since it's in the DMZ), is it enough if I simply replace the TCP 389 port with the 636 (SLDAP) port? Will I still need to open the remaining ports? And if so, is it still considered a secured connection (since I presume all other connections are not secured)?
0
Question by: johnnyjonathan
5 Comments
 
LVL 17

Accepted Solution

by: lruiz52 earned 500 total points
ID: 39258147
Best thing to do would be to set up an RODC in the DMZ. You will have to open all the ports you mentioned plus 636 SLDAP and 3269 GC.

Check the links below:

http://technet.microsoft.com/en-us/library/dd728028(WS.10).aspx

http://social.technet.microsoft.com/wiki/contents/articles/584.active-directory-replication-over-firewalls.aspx
0
 
LVL 13

Expert Comment

by: Jaihunt
ID: 39258664
0
 

Author Comment

by: johnnyjonathan
ID: 39259507
Thanks for both answers. RODC isn't an option since I'm using 2003.
I can use IPSEC; however, here's my question.

I want to confirm that SLDAP isn't enough; I'll still need to open the remaining ports I've mentioned. However, from a security standpoint (not technical, since that one is explained in the articles you provided) it's a problem. Are there any other secure ports to use if we want to go SLDAP? Otherwise, what's the point of SLDAP if the remaining ports are not secured?
0
 
LVL 9

Expert Comment

by: Zenvenky
ID: 39261752
Agree with Jaihunt and lruiz52. In addition, I would suggest you check these links as a reference, so that you can decide what to do about SLDAP and its ports.

How A Criminal Might Infiltrate Your Network

This link is just reference: http://technet.microsoft.com/en-us/library/dd728030(WS.10).aspx
0
 

Author Closing Comment

by: johnnyjonathan
ID: 39343015
Great tip, thanks!
0
