Answer the question
In order to leave comments, you need to log in
V
V
Vertizo2022-03-22 15:26:30
Vertizo, 2022-03-22 15:26:30
Ports for domain controllers to work outside the corporate network?
There is a need to maximally cover access to outside domain controllers. Without thinking ahead, yesterday we set up filtering, leaving only the necessary ports and url for external resources. Stopped working DNS within the network, while disabled.
What ports need to be left open outside for correct operation of domain controllers in addition to the following ports:
53, 49152-65535/TCP/UDP 53/TCP/UDP DNS
49152-65535/UDP 123/UDP W32Time
49152-65535/TCP/UDP 389/ TCP/UDP LDAP
49152-65535/TCP 636/TCP LDAP SSL - ?
49152-65535/TCP 3268/TCP LDAP GC - ?
49152-65535/TCP 3269/TCP LDAP GC SSL - ?
1024-65535/TCP/UDP 88/TCP/UDP Kerberos - ?
Synchronization with an external service via LDAP and authorization via AD FS are used.
2 answer(s)
@Vertizo
The port numbers are listed here (and they match what you wrote).
https://docs.microsoft.com/en-US/troubleshoot/wind...
@TheBigBear
H
hint000, 2022-03-23 @Vertizo
1024-65535/TCP/UDPNo need to filter by outgoing port numbers (Client Port). Rather, this kind of filtering is required in very rare cases and with a full understanding that it is exactly what is required; you don't have that case. Filter only incoming packets by incoming port numbers (Server Port).
The port numbers are listed here (and they match what you wrote).
https://docs.microsoft.com/en-US/troubleshoot/wind...
T
TheBigBear, 2022-03-22 @TheBigBear
DNS has not stopped working for you. It's just that your CD DNS server has stopped seeing the forwarder.
You can close port 53, leaving access
only to certain external DNS servers (specified in the forwarder server tab)
.h required external DNS servers)
Similar questions
I
T
S
A
K
Didn't find what you were looking for?
Ask your questionAsk a Question
731 491 924 answers to any question