Randomly allocated high TCP ports on both client/server?

study

We unfortunately have a firewall (hardware based not the host based) between
this one client (only one, the others are on our LAN) and our domain
controller.
Outgoing traffic is not blocked on either side.

We won't modify the registry to use a static port for RPC for some reason.
And we can't use the VPN.
So on the hardware firewall that's protecting the domain controller (no host
based firewall) side, we're going to allow all traffic from that one client
to the domain controller.

On the client side (on the hardware firewall, there's no host based firewall
on the client) the usual MS ports are open, e.g. 135, 137 (UDP), 138 (UDP), 139, 445.
Do we need to open the dynamic ports (1024:65535) on the firewall that's protecting
the client side, or will just opening all traffic on the domain controller side, as I
mentioned above, take care of the traffic?

Thanks
 
"We won't modify the registry to use a static port for RPC for some
reason." - is that a legitimate reason? Your other options are opening a range
of ports between the hosts, allowing all traffic between the client and the
DC, and decommissioning the hardware firewall. I would start with fixing the
port.


--
Svyatoslav Pidgorny, MS MVP - Security, MCSE
-= F1 is the key =-

* http://sl.mvps.org * http://msmvps.com/blogs/sp *

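The "fix the port" option from the reply above, as an added example that is not from the thread or from any of its posters: it pins the DC's AD and Netlogon RPC endpoints to fixed ports (or, alternatively, confines RPC to a small dynamic range) so the hardware firewall rule toward the DC can cover 135/TCP plus known ports instead of 1024:65535. The port numbers, the range and the Test-RpcPortPolicy helper are assumptions chosen for this example; the registry keys are the standard Microsoft ones.

```powershell
# Added example (not from the thread): two ways to shrink the RPC range the hardware
# firewall must allow toward the DC. Run elevated on the domain controller; the new
# ports take effect only after NTDS/Netlogon restart (a reboot is simplest).
# The port numbers and range below are chosen for this example, not taken from the thread.

$NtdsPort     = 50000   # assumption: free port for the AD DS (LSASS) RPC endpoint
$NetlogonPort = 50001   # assumption: free port for the Netlogon RPC endpoint
$RpcRange     = '5000-5100'  # assumption: small dynamic range for any other RPC server

# Option 1: pin the AD RPC endpoints to fixed ports ("TCP/IP Port" for AD DS,
# "DCTcpipPort" for Netlogon). The firewall rule then needs 135/TCP plus these two.
$ntdsKey     = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
$netlogonKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'
New-ItemProperty -Path $ntdsKey     -Name 'TCP/IP Port' -Value $NtdsPort     -PropertyType DWord -Force | Out-Null
New-ItemProperty -Path $netlogonKey -Name 'DCTcpipPort' -Value $NetlogonPort -PropertyType DWord -Force | Out-Null

# Option 2 (when the AD ports must stay dynamic): confine every RPC server on this host
# to $RpcRange via the Rpc\Internet key, and allow that range instead of 1024:65535.
$rpcKey = 'HKLM:\SOFTWARE\Microsoft\Rpc\Internet'
if (-not (Test-Path $rpcKey)) { New-Item -Path $rpcKey -Force | Out-Null }
New-ItemProperty -Path $rpcKey -Name 'Ports'                  -Value @($RpcRange) -PropertyType MultiString -Force | Out-Null
New-ItemProperty -Path $rpcKey -Name 'PortsInternetAvailable' -Value 'Y'          -PropertyType String      -Force | Out-Null
New-ItemProperty -Path $rpcKey -Name 'UseInternetPorts'       -Value 'Y'          -PropertyType String      -Force | Out-Null

# Verification after the reboot (hypothetical helper): the pinned ports should be listening,
# and every other high listener should sit inside $RpcRange. StrayHighPorts lists high
# listeners covered by neither (this includes non-RPC services such as GC 3268/3269 or RDP
# 3389); each one is a port the firewall rule would still have to account for.
function Test-RpcPortPolicy {
    $lo, $hi = $RpcRange.Split('-') | ForEach-Object { [int]$_ }
    $listen = Get-NetTCPConnection -State Listen | Select-Object -ExpandProperty LocalPort -Unique
    [pscustomobject]@{
        NtdsPinned     = $listen -contains $NtdsPort
        NetlogonPinned = $listen -contains $NetlogonPort
        StrayHighPorts = @($listen | Where-Object {
            $_ -ge 1024 -and ($_ -notin @($NtdsPort, $NetlogonPort)) -and ($_ -lt $lo -or $_ -gt $hi)
        })
    }
}
Test-RpcPortPolicy
```

Get-NetTCPConnection needs Windows Server 2012 or later; on older systems `netstat -ano` gives the same listener list.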
 
Thanks for the reply.
So the high TCP ports need to be opened on the client side as well, even
though the client is initiating the connection and the outbound traffic is
not blocked?
I was hoping that we just needed to open the ports on the DC side.

 
Yes, that's the DC side.

--
Svyatoslav Pidgorny, MS MVP - Security, MCSE
-= F1 is the key =-

* http://sl.mvps.org * http://msmvps.com/blogs/sp *

 