Security Basics mailing list archives
RE: Ports between ISA and DC
From: "Roger A. Grimes" <roger () banneretcs com>
Date: Fri, 28 Jan 2005 08:32:32 -0500
I haven't placed ISA in a DMZ or sniffed its traffic to find out for sure, but here are the documented ports. Of course, you want to make sure that traffic to and from it, for authentication, is to and from DMZ to LAN only.

53-for DNS, maybe, so clients can find SRV and Global Catalog records
88-for Kerberos authentication
135-for RPC, but make it a complex filter because the endpoint mapper will open up other ports.
389-for LDAP (i.e. Active Directory)
464-Kerberos
500-for IPSec if you use that
636-for LDAP over SSL (if you use it)
1701-L2TP if you use it
1723-for PPTP if you use it
4500-for IPSec

You could have other issues, when trying to authenticate over the Internet, such as Kerberos won't work over the Internet and IPSec/L2TP must use NAT Traversal.

Good luck.

-----Original Message-----
From: sf_mail_sbm () yahoo com [mailto:sf_mail_sbm () yahoo com]
Sent: Thursday, January 27, 2005 3:49 AM
To: security-basics () securityfocus com
Subject: Ports between ISA and DC

Hi List,

I have the following config

                 ____
INTERNET <------| FW |--------> Domain Controller (in LOCAL LAN)
                |    |
                 -----
              ISA (in DMZ)

ISA is doing Web Proxy only
Only users in a particular user group can access the web

Trying to find out the ports that ISA needs to talk with the DC for authentication of users instead of opening all ports on the Firewall

Could not find same from Microsoft site

If someone knows the ports that need to be opened, please share it with us

Thanks,
Ronish
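
An added example, not part of the original post: a small audit that compares firewall rules for the ISA-to-DC path with the ports listed in the reply and flags any rule that is broader than that list or than the two hosts. The addresses, rule names and rule tuple format are constructed for illustration, and the check assumes rules are written in the ISA-to-DC direction.

```python
from ipaddress import ip_network

# Ports listed in the reply above (no protocol given there, so none is checked).
DOCUMENTED_PORTS = {53, 88, 135, 389, 464, 500, 636, 1701, 1723, 4500}

# Constructed addressing for this example, not taken from the thread.
ISA_HOST = ip_network("192.0.2.10/32")   # ISA server in the DMZ
DC_HOST = ip_network("10.0.0.5/32")      # domain controller on the LAN

# Constructed rules: (name, source, destination, first port, last port)
SAMPLE_RULES = [
    ("isa-kerberos", "192.0.2.10/32", "10.0.0.5/32", 88, 88),
    ("isa-ldap", "192.0.2.10/32", "10.0.0.5/32", 389, 389),
    ("isa-rpc-all", "192.0.2.10/32", "10.0.0.5/32", 1024, 65535),
    ("dmz-any-ldaps", "192.0.2.0/24", "10.0.0.0/8", 636, 636),
    ("isa-smb", "192.0.2.10/32", "10.0.0.5/32", 445, 445),
    ("inet-kerberos", "0.0.0.0/0", "10.0.0.5/32", 88, 88),
]


def audit_rule(rule):
    """Return the findings for one rule; an empty list means it fits the list."""
    _name, src, dst, lo, hi = rule
    findings = []
    # Authentication traffic should run between the ISA host and the DC only.
    if not ip_network(src).subnet_of(ISA_HOST):
        findings.append("source wider than the ISA host")
    if not ip_network(dst).subnet_of(DC_HOST):
        findings.append("destination wider than the DC")
    # Count ports in the rule's range that the reply does not list.
    listed = sum(1 for p in DOCUMENTED_PORTS if lo <= p <= hi)
    extra = (hi - lo + 1) - listed
    if extra:
        findings.append(f"{extra} port(s) outside the documented list")
    return findings


def audit(rules):
    """Map rule name -> findings, for rules that have at least one finding."""
    return {r[0]: f for r in rules if (f := audit_rule(r))}


if __name__ == "__main__":
    for name, findings in audit(SAMPLE_RULES).items():
        print(f"{name}: {'; '.join(findings)}")
```

A static high-port range such as the constructed `isa-rpc-all` rule is the kind of opening the reply's remark about the RPC endpoint mapper warns about, which is why it is reported rather than accepted.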