Security Basics mailing list archives

RE: Ports between ISA and DC


From: "Roger A. Grimes" <roger () banneretcs com>
Date: Fri, 28 Jan 2005 08:32:32 -0500

I haven't placed ISA in a DMZ or sniffed its traffic to find out for
sure, but here are the documented ports. Of course, you want to make sure
that traffic to and from it, for authentication, is to and from DMZ to
LAN only.

53-for DNS, maybe, so clients can find SRV and Global Catalog records
88-for Kerberos authentication
135-for RPC, but make it a complex filter because the endpoint mapper
will open up other ports.
389-for LDAP (i.e. Active Directory)
464-Kerberos
500-for IPSec if you use that
636-for LDAP over SSL (if you use it)
1701-L2TP if you use it
1723-for PPTP if you use it
4500-for IPSec

You could have other issues, when trying to authenticate over the
Internet, such as Kerberos won't work over the Internet and IPSec/L2TP
must use NAT Traversal.

Good luck.

-----Original Message-----
From: sf_mail_sbm () yahoo com [mailto:sf_mail_sbm () yahoo com] 
Sent: Thursday, January 27, 2005 3:49 AM
To: security-basics () securityfocus com
Subject: Ports between ISA and DC



Hi List,

I have the following config

                 ____
INTERNET <------| FW |--------> Domain Controller (in LOCAL LAN)
                   |
                   |
                 -----
                  ISA (in DMZ)

ISA is doing Web Proxy only

Only users in a particular user group can access the web

Trying to find out the ports that ISA needs to talk with the DC for
authentication of users instead of opening all ports on the Firewall

Could not find same from Microsoft site

If someone knows the ports that need to be opened, please share it with
us

Thanks,
Ronish
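As an added illustration (not part of either message above), here is a small policy model of the port list from the reply: it builds host-to-host allow rules from the DMZ ISA box to the DC for the always-needed authentication ports, adds the "if you use it" ports only when enabled, treats the RPC high-port range behind 135 as an administrator-supplied assumption, and flags anything broader than one host and one port. Addresses and the RPC range are constructed for the example.

```python
from ipaddress import ip_address, ip_network

# Ports from the reply above. The always-needed set covers DNS, Kerberos,
# RPC endpoint mapper, LDAP and Kerberos password change; the optional set
# is what the reply marks "if you use it". Protocol assignments are the
# standard ones; the reply lists port numbers only.
AUTH_PORTS = {("tcp", 53), ("udp", 53), ("tcp", 88), ("udp", 88), ("tcp", 135),
              ("tcp", 389), ("udp", 389), ("tcp", 464), ("udp", 464)}
OPTIONAL = {"ldaps": {("tcp", 636)}, "ipsec": {("udp", 500), ("udp", 4500)},
            "l2tp": {("udp", 1701)}, "pptp": {("tcp", 1723)}}

def build_rules(isa_host, dc_host, rpc_dynamic=None, **use):
    """Return allow rules (src_net, dst_net, proto, port_range), ISA -> DC only.
    rpc_dynamic is the high-port range the endpoint mapper hands out after the
    135 exchange; it is an assumption the administrator supplies (see the
    reply's note that 135 needs a more complex filter)."""
    ports = set(AUTH_PORTS)
    for name, extra in OPTIONAL.items():
        if use.get(name):
            ports |= extra
    src, dst = ip_network(isa_host), ip_network(dc_host)
    rules = [(src, dst, proto, range(p, p + 1)) for proto, p in sorted(ports)]
    if rpc_dynamic:
        rules.append((src, dst, "tcp", rpc_dynamic))
    return rules

def is_allowed(rules, src, dst, proto, port):
    """Stateful-firewall model: only new flows are evaluated. Replies ride the
    connection state, so no LAN -> DMZ rule is needed for authentication."""
    s, d = ip_address(src), ip_address(dst)
    return any(s in rs and d in rd and proto == rp and port in rr
               for rs, rd, rp, rr in rules)

def audit(rules):
    """Flag rules wider than one host to one host on one port."""
    findings = []
    for rs, rd, rp, rr in rules:
        if rs.num_addresses > 1 or rd.num_addresses > 1:
            findings.append(f"{rs}->{rd} {rp}/{rr.start}: not host-to-host")
        if len(rr) > 1:
            findings.append(f"{rs}->{rd} {rp} {rr.start}-{rr.stop - 1}: "
                            "port range (RPC dynamic), keep it as narrow as possible")
    return findings

if __name__ == "__main__":
    # Constructed addresses; the RPC range is an assumed value, not from the thread.
    rules = build_rules("192.0.2.10", "10.0.0.5", ldaps=True, rpc_dynamic=range(1025, 5001))
    print(is_allowed(rules, "192.0.2.10", "10.0.0.5", "tcp", 88))   # True
    print(is_allowed(rules, "192.0.2.10", "10.0.0.5", "tcp", 445))  # False
    print(is_allowed(rules, "10.0.0.5", "192.0.2.10", "tcp", 88))   # False
    print(audit(rules))
```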

