Authentication Ports

Active Directory


  #1  
Old 08-05-2009
Mitch
 
Posts: n/a
Authentication Ports

Hi,
I am setting up a point to point T1 in addition to an IPSec tunnel between 2
offices. In order for everything to communicate with the equipment we're
using, I will need the port# for exchange email, system traffic and the port
which Active Directory uses to authenticate users. Does anyone know the
answer to this? Thanks.

Mitch
  #2  
Old 08-05-2009
Ace Fekay [Microsoft Certified Trainer]
 
Posts: n/a
Re: Authentication Ports

"Mitch" <Mitch@discussions.microsoft.com> wrote in message
news:23FA4A82-0F3B-4364-A7DE-F1F1BB188263@microsoft.com...
> Hi,
> I am setting up a point to point T1 in addition to an IPSec tunnel between 2
> offices. In order for everything to communicate with the equipment we're
> using, I will need the port# for exchange email, system traffic and the port
> which Active Directory uses to authenticate users. Does anyone know the
> answer to this? Thanks.
>
> Mitch



You are better off just opening the VPN wide open between the locations. The
VPN will secure the traffic anyway, so no worries.

Otherwise you must open up a slew of ports to the point it swiss-cheeses the
firewall. In addition, the default ephemeral ports need to be opened. They
are the random service ports that Windows uses to communicate, and are
required by AD. They are UDP 1024 - 65535 (See KB179442), but for Vista and
Windows 2008 it's different. Their default start port is UDP 49152, and the
default end port is UDP 65535 (see KB899148).

Have a read on the following:

======================================================================

Active Directory Firewall ports

Active Directory Replication over Firewalls, Jan 31, 2006. Active Directory
relies on remote procedure call (RPC)
http://technet.microsoft.com/en-us/l.../bb727063.aspx

How to configure a firewall for domains and trusts
http://support.microsoft.com/?id=179442

Configuring an Intranet Firewall, Apr 14, 2006. Protocol ports required for
the intranet firewall.
Ports required for Active Directory and Kerberos communications
http://technet.microsoft.com/en-us/l.../bb125069.aspx

Active Directory and Firewall Ports: I found it hard to find a definitive list
on the internet for what ports needed opening for Active Directory to
replication between Firewalls. ...
http://geekswithblogs.net/TSCustomis...09/112357.aspx




--
Ace

This posting is provided "AS-IS" with no warranties or guarantees and
confers no rights.

Ace Fekay, MCSE 2003 & 2000, MCSA 2003 & 2000, MCSA Messaging, MCT
Microsoft Certified Trainer
aceman@mvps.RemoveThisPart.org

For urgent issues, you may want to contact Microsoft PSS directly. Please
check http://support.microsoft.com for regional support phone numbers.

"Efficiency is doing things right; effectiveness is doing the right
things." - Peter F. Drucker
http://twitter.com/acefekay
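
As an added example (not part of the post above and not Microsoft tooling): a small checker that compares a site-to-site allow list with the two default dynamic port ranges quoted in the post, to show what breaks when rules are written for only one OS generation. The rule syntax, the sample rules and the choice to check both TCP and UDP are assumptions of this example.

```python
# Added example: audit inter-site allow rules against the dynamic port ranges
# quoted in the thread. Rule syntax and sample rules are constructed.
DYNAMIC_RANGES = {
    "pre-vista": (1024, 65535),    # range the thread attributes to KB179442
    "vista-2008": (49152, 65535),  # Vista / Windows 2008 default per the thread
}

def parse_rule(line):
    """Parse 'allow <proto> <lo>[-<hi>]' into (proto, lo, hi); None otherwise."""
    parts = line.split()
    if len(parts) != 3 or parts[0].lower() != "allow":
        return None
    lo, _, hi = parts[2].partition("-")
    lo, hi = int(lo), int(hi or lo)
    if not (0 < lo <= hi <= 65535):
        raise ValueError(f"bad port range in rule: {line!r}")
    return parts[1].lower(), lo, hi

def uncovered(rules, proto, lo, hi):
    """Return the sub-ranges of [lo, hi] that no allow rule for proto covers."""
    spans = sorted((a, b) for p, a, b in rules if p == proto)
    gaps, cursor = [], lo
    for a, b in spans:
        if b < cursor:
            continue              # rule ends before the part still unchecked
        if a > hi:
            break                 # rule starts past the required range
        if a > cursor:
            gaps.append((cursor, a - 1))
        cursor = max(cursor, b + 1)
    if cursor <= hi:
        gaps.append((cursor, hi))
    return gaps

def audit(rule_lines, os_generations, protos=("tcp", "udp")):
    """Map (generation, proto) to the port gaps left by the allow rules."""
    rules = [r for r in map(parse_rule, rule_lines) if r]
    report = {}
    for gen in os_generations:
        lo, hi = DYNAMIC_RANGES[gen]
        for proto in protos:
            gaps = uncovered(rules, proto, lo, hi)
            if gaps:
                report[(gen, proto)] = gaps
    return report

# Constructed rule set written with only Vista/2008-era hosts in mind.
SAMPLE_RULES = ["allow tcp 49152-65535", "allow udp 49152-60000",
                "allow udp 60001-65535", "deny tcp 23"]
```

Running `audit(SAMPLE_RULES, ["pre-vista", "vista-2008"])` reports 1024-49151 as uncovered for the older range on both protocols, while the Vista/2008 range is fully covered.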

  #3  
Old 08-05-2009
Phillip Windell
 
Posts: n/a
Re: Authentication Ports

You'd be better off to just decide what you don't want to allow and create
explicit "Deny based" rules for those. Then what isn't explicitly denied
you will allow with a global Allow Rule that follows the Deny Rules. But it
won't be much because every juicy protocol a hacker would ever want to sink
his teeth into you would have allowed it.

I'd do the same as Ace. Just forget filtering completely... there is
"nothing left" to make it worth the trouble. The IPSec VPN, by definition,
is already a secured connection.


--
Phillip Windell
www.wandtv.com

The views expressed, are my own and not those of my employer, or Microsoft,
or anyone else associated with me, including my cats.
-----------------------------------------------------


"Mitch" <Mitch@discussions.microsoft.com> wrote in message
news:23FA4A82-0F3B-4364-A7DE-F1F1BB188263@microsoft.com...
> Hi,
> I am setting up a point to point T1 in addition to an IPSec tunnel between 2
> offices. In order for everything to communicate with the equipment we're
> using, I will need the port# for exchange email, system traffic and the port
> which Active Directory uses to authenticate users. Does anyone know the
> answer to this? Thanks.
>
> Mitch


