- Ports required for DMZ Windows 2003
- Posted by GKnight on December 14th, 2005
We have some IIS servers on our DMZ and want to restrict as much as possible
the port communication between them and our domain.
We require the ability to authenticate with a domain user. Can anyone
advise which ports are required for the server on the DMZ to communicate
with the internal domain?
Many Thanks
Glen
- Posted by Seirius on December 14th, 2005
You need the firewall opened up to allow "AD speak". The minimum would be the
following:
389/TCP : LDAP to Directory Service
389/UDP : LDAP to Directory Service
3268/TCP : LDAP to Global Catalog Server
88/TCP : Kerberos Authentication
88/UDP : Kerberos Authentication
53/TCP : DNS Lookup
53/UDP : DNS Lookup
135/TCP : RPC port endpoint mapper
1024+/TCP : RPC dynamic
Note that it is advisable to restrict RPC traffic by opening one port only
rather than all ports above 1024. See
http://support.microsoft.com/?kbID=224196 how to do this. However, in your
case, since you are concerned with a DMZ server, you may decide this is not
necessary. Also note that the ports listed have not allowed for any web
browsing of IIS servers in your DMZ.
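The port list and the RPC restriction above, as an added worked example (not code from the original thread or either poster). It does three things in one PowerShell script: pins RPC dynamic allocation to a single port on the domain controller via the registry values KB224196 describes (this part is valid on Windows Server 2003 and later; a reboot is required), mirrors the perimeter allow-list as host-firewall rules on the DC so only the DMZ subnet can reach those ports (these cmdlets assume a current DC running Windows Server 2012 or later), and checks from the DMZ host that the TCP ports are actually reachable. The DMZ subnet, the chosen RPC port and the DC hostname are assumptions.

```powershell
# Added example, not from the original thread. Assumptions, labelled as such:
#   $DmzSubnet - the DMZ network the IIS servers sit in (documentation range used here)
#   $RpcPort   - the single port chosen for RPC dynamic allocation per KB224196
#   $Dc        - the domain controller's hostname
# Sections 1 and 2 run on the domain controller; section 3 runs on the DMZ host.

$DmzSubnet = '192.0.2.0/24'        # assumption
$RpcPort   = 5000                  # assumption
$Dc        = 'dc01.corp.example'   # assumption

# 1. Restrict RPC dynamic port allocation to one port (KB224196). Reboot afterwards.
$rpcKey = 'HKLM:\SOFTWARE\Microsoft\Rpc\Internet'
if (-not (Test-Path $rpcKey)) { New-Item -Path $rpcKey -Force | Out-Null }
Set-ItemProperty -Path $rpcKey -Name 'Ports'                  -Value @("$RpcPort") -Type MultiString
Set-ItemProperty -Path $rpcKey -Name 'PortsInternetAvailable' -Value 'Y'            -Type String
Set-ItemProperty -Path $rpcKey -Name 'UseInternetPorts'       -Value 'Y'            -Type String

# 2. Host-firewall mirror of the perimeter allow-list: only the DMZ subnet, only these ports.
#    The list is exactly the "AD speak" set from the post, with the one fixed RPC port
#    in place of the whole 1024+ range.
$allow = @(
    @{ Name = 'AD-DMZ LDAP TCP';     Proto = 'TCP'; Port = 389 },
    @{ Name = 'AD-DMZ LDAP UDP';     Proto = 'UDP'; Port = 389 },
    @{ Name = 'AD-DMZ GC TCP';       Proto = 'TCP'; Port = 3268 },
    @{ Name = 'AD-DMZ Kerberos TCP'; Proto = 'TCP'; Port = 88 },
    @{ Name = 'AD-DMZ Kerberos UDP'; Proto = 'UDP'; Port = 88 },
    @{ Name = 'AD-DMZ DNS TCP';      Proto = 'TCP'; Port = 53 },
    @{ Name = 'AD-DMZ DNS UDP';      Proto = 'UDP'; Port = 53 },
    @{ Name = 'AD-DMZ RPC EPM';      Proto = 'TCP'; Port = 135 },
    @{ Name = 'AD-DMZ RPC fixed';    Proto = 'TCP'; Port = $RpcPort }
)
foreach ($r in $allow) {
    New-NetFirewallRule -DisplayName $r.Name -Direction Inbound -Action Allow `
        -Protocol $r.Proto -LocalPort $r.Port -RemoteAddress $DmzSubnet -Profile Domain | Out-Null
}

# 3. From the DMZ host: confirm each TCP port is reachable through the perimeter firewall.
#    A BLOCKED line for 135 or $RpcPort means the firewall rule or the registry change
#    (and its reboot) has not taken effect.
$tcpPorts = 389, 3268, 88, 53, 135, $RpcPort
foreach ($p in $tcpPorts) {
    $ok = (Test-NetConnection -ComputerName $Dc -Port $p -WarningAction SilentlyContinue).TcpTestSucceeded
    '{0,-6} {1}' -f $p, $(if ($ok) { 'open' } else { 'BLOCKED' })
}
```

Two caveats when applying this today: on Windows Server 2008 and later the default RPC dynamic range is 49152-65535 rather than 1024 and up, so a rule written for "1024+" no longer matches, which is one more reason to pin a single port; and Test-NetConnection only exercises TCP, so the UDP entries (389, 88, 53) still need a real LDAP, Kerberos or DNS query from the DMZ host to be confirmed.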