Active Directory
Vertizo, 2022-03-22 15:26:30

Ports for domain controllers to work outside the corporate network?

There is a need to close off external access to the domain controllers as much as possible. Without thinking it through, yesterday we set up filtering, leaving only the necessary ports and URLs for external resources. DNS inside the network stopped working, so for now the filtering is disabled.
What ports need to be left open externally for domain controllers to work correctly, in addition to the following ports:

Client port                 Server port     Service
53, 49152-65535/TCP/UDP     53/TCP/UDP      DNS
49152-65535/UDP             123/UDP         W32Time
49152-65535/TCP/UDP         389/TCP/UDP     LDAP

49152-65535/TCP             636/TCP         LDAP SSL      - ?
49152-65535/TCP             3268/TCP        LDAP GC       - ?
49152-65535/TCP             3269/TCP        LDAP GC SSL   - ?
1024-65535/TCP/UDP          88/TCP/UDP      Kerberos      - ?


Synchronization with an external service via LDAP and authorization via AD FS are used.


2 answer(s)
hint000, 2022-03-23
@Vertizo

1024-65535/TCP/UDP
No need to filter by outgoing port numbers (Client Port). Rather, this kind of filtering is required in very rare cases and with a full understanding that it is exactly what is required; you don't have that case. Filter only incoming packets by incoming port numbers (Server Port).
The port numbers are listed here (and they match what you wrote).
https://docs.microsoft.com/en-US/troubleshoot/wind...

TheBigBear, 2022-03-22
@TheBigBear

DNS has not stopped working for you. It's just that your DC's DNS server has stopped seeing the forwarder. You can close port 53, leaving access only to certain external DNS servers (the ones specified on the Forwarders tab of the DNS server).
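The two answers above amount to one policy: match inbound traffic to the DC on the server port only (never on the client's ephemeral port), and let outbound DNS from the DC reach only the configured forwarders. The following model of such a default-deny rule set is an added example, not code from either answer or from any Microsoft documentation; the internal range 10.0.0.0/8, the forwarder address 203.0.113.53 and the sample flows are constructed, and the service ports are the ones listed in the question.

```python
"""Model of a default-deny firewall policy for a domain controller.

Constructed illustration: the internal client range, the forwarder address
and the sample flows are made up (RFC 1918 / RFC 5737 addresses), not taken
from any real deployment.
"""
import ipaddress
from dataclasses import dataclass

# Server-side ports of the DC services named in the question.
DC_SERVICES = {
    "DNS":         [("tcp", 53), ("udp", 53)],
    "W32Time":     [("udp", 123)],
    "Kerberos":    [("tcp", 88), ("udp", 88)],
    "LDAP":        [("tcp", 389), ("udp", 389)],
    "LDAP SSL":    [("tcp", 636)],
    "LDAP GC":     [("tcp", 3268)],
    "LDAP GC SSL": [("tcp", 3269)],
}


@dataclass(frozen=True)
class Rule:
    direction: str   # "in": towards the DC, "out": initiated by the DC
    proto: str       # "tcp" or "udp"
    dst_port: int    # server port; the client's ephemeral port is never matched
    peers: tuple     # networks the remote side may belong to
    name: str


def build_policy(internal_nets, forwarders):
    """Inbound: DC service ports from internal ranges only.
    Outbound: DNS (53) only to the configured forwarders.
    Anything not listed is denied by evaluate()'s default."""
    internal = tuple(ipaddress.ip_network(n) for n in internal_nets)
    fwd = tuple(ipaddress.ip_network(f) for f in forwarders)   # host routes (/32)
    policy = []
    for name, ports in DC_SERVICES.items():
        for proto, port in ports:
            policy.append(Rule("in", proto, port, internal, name))
    for proto in ("udp", "tcp"):
        policy.append(Rule("out", proto, 53, fwd, "DNS forwarder"))
    return policy


def evaluate(policy, direction, proto, peer_ip, src_port, dst_port):
    """Return ("allow", rule name) or ("deny", None).
    src_port is accepted only to make visible that it plays no role."""
    peer = ipaddress.ip_address(peer_ip)
    for rule in policy:
        if (rule.direction == direction and rule.proto == proto
                and rule.dst_port == dst_port
                and any(peer in net for net in rule.peers)):
            return ("allow", rule.name)
    return ("deny", None)


# Constructed sample flows: (direction, proto, peer, src_port, dst_port)
SAMPLE_FLOWS = [
    ("in",  "tcp", "10.0.5.7",     49723, 389),   # workstation LDAP bind
    ("in",  "udp", "10.0.5.7",     61000, 88),    # Kerberos AS-REQ
    ("out", "udp", "203.0.113.53", 52011, 53),    # DC query to its forwarder
    ("out", "udp", "198.51.100.1", 52012, 53),    # DC query to some other resolver
    ("in",  "tcp", "198.51.100.9", 40000, 389),   # LDAP from outside the network
    ("in",  "tcp", "10.0.5.7",     49724, 3389),  # RDP: not a listed DC service
]


def run(policy=None):
    """Evaluate every sample flow; returns the list of verdicts in order."""
    policy = policy or build_policy(["10.0.0.0/8"], ["203.0.113.53/32"])
    return [evaluate(policy, *flow) for flow in SAMPLE_FLOWS]


if __name__ == "__main__":
    for flow, verdict in zip(SAMPLE_FLOWS, run()):
        print(f"{flow!s:48} -> {verdict}")
```

The verdicts show the point of both answers: the two internal flows pass on their server ports although their source ports are arbitrary, the query to the forwarder passes while the one to an unlisted resolver and the LDAP connection from outside are dropped, and a port that is not a DC service (3389) stays closed even from inside.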
