Monday, May 23, 2011

Configuring and Troubleshooting Firewalls with DS

Based on our previous discussions, I wanted to provide you with good information on configuring and troubleshooting firewalls to work with Active Directory. Understanding and using this documentation will likely save you from issues down the road, as firewalls require considerable tuning to work with AD and are a frequent call generator here due to configuration issues. I hope you find this useful!

How to configure a firewall for domains and trusts - http://support.microsoft.com/default.aspx?scid=kb;en-us;179442

A brief matrix of the standard port requirements for NT, 2000, and 2003 directory services. Some of these ports can be modified further with the articles below, specifically to control RPC traffic.

Active Directory Replication over Firewalls - http://www.microsoft.com/technet/prodtechnol/windows2000serv/technologies/activedirectory/deploy/confeat/adrepfir.mspx

An extensive guide to configuration of a firewall for AD replication. Includes examples and step by step sections, as well as background information on the process. This also includes details on using IPSEC to ensure that the communication is more secure.
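The port matrix and the replication guide above both come down to the same question in practice: can the client or replication partner actually reach the domain controller on each required port through the firewall? The following is an added example, not code from any of the linked articles, that probes the standard AD TCP ports from a machine behind the firewall. $DomainController is an assumed placeholder for your DC name; the port list is the well-known set used by NT/2000/2003 directory services.

```powershell
# Added example (not taken from the KB articles or the TechNet guide linked above):
# probe the standard TCP ports a client or replication partner needs on a domain
# controller, so a firewall rule set can be checked before it starts generating
# logon or replication failures. $DomainController is an assumed placeholder.
param(
    [Parameter(Mandatory = $true)]
    [string]$DomainController
)

# Well-known Active Directory service ports (TCP). UDP 53/88/123/389 must also be
# allowed, but a TCP connect test cannot prove UDP reachability, so they are not
# probed here. The dynamic RPC range (1025-5000 on NT/2000/2003, 49152-65535 on
# 2008 and later) is also omitted, because the port used varies per connection;
# the RPC articles further down cover restricting it to a fixed range.
$adPorts = @(
    @{ Port = 53;   Service = 'DNS' },
    @{ Port = 88;   Service = 'Kerberos' },
    @{ Port = 135;  Service = 'RPC endpoint mapper' },
    @{ Port = 389;  Service = 'LDAP' },
    @{ Port = 445;  Service = 'SMB (SYSVOL, NETLOGON, Group Policy)' },
    @{ Port = 464;  Service = 'Kerberos password change' },
    @{ Port = 636;  Service = 'LDAP over SSL' },
    @{ Port = 3268; Service = 'Global Catalog' },
    @{ Port = 3269; Service = 'Global Catalog over SSL' }
)

function Test-TcpPort {
    param([string]$ComputerName, [int]$Port, [int]$TimeoutMs = 2000)
    # Raw TCP connect with a timeout; works on Windows PowerShell 2.0 and later,
    # where Test-NetConnection is not available.
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $async = $client.BeginConnect($ComputerName, $Port, $null, $null)
        if (-not $async.AsyncWaitHandle.WaitOne($TimeoutMs, $false)) {
            # No SYN/ACK and no RST within the timeout usually means a firewall
            # is silently dropping the packets.
            return 'Timeout (filtered)'
        }
        $client.EndConnect($async)
        return 'Open'
    } catch {
        # An active refusal means the packet reached the host but nothing is
        # listening there, or the firewall answered with a reset.
        return "Refused ($($_.Exception.Message))"
    } finally {
        $client.Close()
    }
}

$results = foreach ($entry in $adPorts) {
    New-Object PSObject -Property @{
        Port    = $entry.Port
        Service = $entry.Service
        Result  = Test-TcpPort -ComputerName $DomainController -Port $entry.Port
    }
}

$results | Sort-Object Port | Format-Table Port, Service, Result -AutoSize

# Anything other than 'Open' on 88, 135, 389 or 445 will break domain logon or
# Group Policy processing; summarise so the output is easy to hand to the
# firewall team.
$blocked = @($results | Where-Object { $_.Result -ne 'Open' })
if ($blocked.Count -gt 0) {
    Write-Warning "$($blocked.Count) of $($adPorts.Count) AD ports are not reachable on $DomainController"
}
```

Run it from the client or the replication partner, not from the DC itself, since the point is to exercise the same path the real traffic takes. A 'Timeout (filtered)' result is the firewall signature; a 'Refused' result means the packets got through and the problem is on the server side.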

How to configure RPC dynamic port allocation to work with firewalls - http://support.microsoft.com/default.aspx?scid=kb;en-us;154596

Information on the registry values that can be modified to allow more controlled use of RPC through a firewall. The article also gives some recommendations on the minimum number of ports to keep open to prevent possible RPC endpoint exhaustion.

How to configure RPC to use certain ports and how to help secure those ports by using IPsec - http://support.microsoft.com/default.aspx?scid=kb;en-us;908472

A more advanced version of the 154596 article, which includes more information on using IPSEC along with the RPCcfg tool. Again, it is important to use caution when restricting RPC on domain controllers, as they use far more connections than an average machine and can be crippled by overzealous firewall administration.
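Both RPC articles above revolve around the same registry key, HKLM\SOFTWARE\Microsoft\Rpc\Internet, and both carry the same caveat about giving domain controllers enough ports. The following is an added example, not code from either KB article, that reads the current setting and writes a fixed range while refusing any range smaller than the floor the administrator supplies (the KB's own recommended minimum is not repeated here; pass it in). The Get-RpcInternetPorts and Set-RpcInternetPorts function names and the -Apply switch are my own; the value names Ports, PortsInternetAvailable and UseInternetPorts are the ones the articles document.

```powershell
# Added example (not from KB 154596 or KB 908472): pin the ports that RPC hands
# out through the endpoint mapper to a fixed range, using the registry values
# those articles describe under HKLM\SOFTWARE\Microsoft\Rpc\Internet. The range
# and the minimum port count are supplied by the administrator; -Apply is an
# assumed switch so a default run only reports what would change.
function Get-RpcInternetPorts {
    $key = 'HKLM:\SOFTWARE\Microsoft\Rpc\Internet'
    if (-not (Test-Path $key)) {
        return 'Not configured: RPC uses the default dynamic range'
    }
    $item = Get-ItemProperty -Path $key
    New-Object PSObject -Property @{
        Ports                  = ($item.Ports -join ', ')
        PortsInternetAvailable = $item.PortsInternetAvailable
        UseInternetPorts       = $item.UseInternetPorts
    }
}

function Set-RpcInternetPorts {
    param(
        [Parameter(Mandatory = $true)][int]$StartPort,
        [Parameter(Mandatory = $true)][int]$EndPort,
        [Parameter(Mandatory = $true)][int]$MinimumPorts,
        [switch]$Apply
    )
    $count = $EndPort - $StartPort + 1
    if ($StartPort -lt 1025 -or $EndPort -gt 65535 -or $count -lt 1) {
        throw "Range $StartPort-$EndPort is not a valid range above the well-known ports (1025-65535)."
    }
    # Domain controllers hold far more RPC connections than a member server;
    # too small a range causes endpoint exhaustion, which then looks like a
    # firewall block. Refuse anything below the administrator-supplied floor.
    if ($count -lt $MinimumPorts) {
        throw "Range $StartPort-$EndPort has only $count ports; at least $MinimumPorts required."
    }

    $key = 'HKLM:\SOFTWARE\Microsoft\Rpc\Internet'
    if (-not $Apply) {
        Write-Host "Would set $key\Ports = $StartPort-$EndPort (PortsInternetAvailable=Y, UseInternetPorts=Y)."
        Write-Host "Re-run with -Apply in an elevated session to write the values."
        return
    }
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    # Ports is REG_MULTI_SZ with one "start-end" entry per range.
    New-ItemProperty -Path $key -Name 'Ports' -PropertyType MultiString `
        -Value @("$StartPort-$EndPort") -Force | Out-Null
    # PortsInternetAvailable=Y: the listed ports are the ones made available;
    # UseInternetPorts=Y: RPC allocates from that list by default.
    New-ItemProperty -Path $key -Name 'PortsInternetAvailable' -PropertyType String -Value 'Y' -Force | Out-Null
    New-ItemProperty -Path $key -Name 'UseInternetPorts' -PropertyType String -Value 'Y' -Force | Out-Null
    Write-Host "Written. RPC reads these values at service start, so reboot the server,"
    Write-Host "then allow TCP $StartPort-$EndPort plus TCP 135 through the firewall."
}

# Sample usage with constructed values (report only, then write):
#   Set-RpcInternetPorts -StartPort 50000 -EndPort 50199 -MinimumPorts 100
#   Set-RpcInternetPorts -StartPort 50000 -EndPort 50199 -MinimumPorts 100 -Apply
#   Get-RpcInternetPorts
```

The report-only default is deliberate: on a domain controller this key changes which ports replication, Netlogon and the AD management tools land on, so it is worth seeing the intended range and confirming the matching firewall rule exists before the reboot that makes it take effect.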

You experience a long delay when you log on to a domain through a NAT server - http://support.microsoft.com/default.aspx?scid=kb;en-us;843427

A short and sweet article which explains why you cannot use NAT between DCs, or between clients and DCs, without crippling Kerberos. One of the core elements of Kerberos is that it (by default) packages the originating computer's IP address in its packets, and NAT will lead to the KDC believing there is a packet spoofing attack going on.

Some firewalls may reject network traffic that originates from Windows Server 2003 Service Pack 1-based computers - http://support.microsoft.com/default.aspx?scid=kb;en-us;899148

Finally, an article on changes to RPC in Windows Server 2003 SP1 and the impact it can have if your firewall software is out of date, along with workarounds that can be put in place in the meantime.
