Randomly allocated high tcp ports on both client/server?

S

study

We unfortunately have a firewall (hardware based not the host based) between
this one client (only one, the others are on our LAN) and our domain
controller.
Outgoing traffic are not blocked on either side.

We won't modify the registry to use a static port for RPC for some reason.
And we can't use the VPN.
So on the hardware firewall that's protecting the domain controller (no host
based firewall) side, we're going to allow all traffic from that one client
to the domain controller.

On the client side (on the hardware firewall, there's no host based firewall
on the client) the usual MS ports are open ex) 135, 137 U, 138 U, 139, 445.
Do we need to open the dynamic ports on the firewall that's protecting the
client side 1024:65535 or just by opening all traffic on the domain
controller side as I mentioned above will take care of the traffic?

Thanks
 
S

S. Pidgorny

"We won't modify the registry to use a static port for RPC for some
reason." - is that a legitimate reason? Your other options are opening range
of ports between the hosts, allowing all traffic between the client and the
DC, and decommisioning the hardware firewall. I would start with fixing the
port.


--
Svyatoslav Pidgorny, MS MVP - Security, MCSE
-= F1 is the key =-

* http://sl.mvps.org * http://msmvps.com/blogs/sp *

"study" <study@discussions.microsoft.com> wrote in message
news:45687FA1-EA85-45C6-8B6C-492B8CC2D9B9@microsoft.com...
> We unfortunately have a firewall (hardware based not the host based)
> between
> this one client (only one, the others are on our LAN) and our domain
> controller.
> Outgoing traffic are not blocked on either side.
>
> We won't modify the registry to use a static port for RPC for some reason.
> And we can't use the VPN.
> So on the hardware firewall that's protecting the domain controller (no
> host
> based firewall) side, we're going to allow all traffic from that one
> client
> to the domain controller.
>
> On the client side (on the hardware firewall, there's no host based
> firewall
> on the client) the usual MS ports are open ex) 135, 137 U, 138 U, 139,
> 445.
> Do we need to open the dynamic ports on the firewall that's protecting the
> client side 1024:65535 or just by opening all traffic on the domain
> controller side as I mentioned above will take care of the traffic?
>
> Thanks
 
S

study

Thanks for the reply.
So the high tcp ports need to be opened on the client side as well even
though the client is initiating the connection and the outbound traffic are
not blocked?
I was hoping that we just needed to open the ports on the DC side.

"S. Pidgorny <MVP>" wrote:

> "We won't modify the registry to use a static port for RPC for some
> reason." - is that a legitimate reason? Your other options are opening range
> of ports between the hosts, allowing all traffic between the client and the
> DC, and decommisioning the hardware firewall. I would start with fixing the
> port.
>
>
> --
> Svyatoslav Pidgorny, MS MVP - Security, MCSE
> -= F1 is the key =-
>
> * http://sl.mvps.org * http://msmvps.com/blogs/sp *
>
> "study" <study@discussions.microsoft.com> wrote in message
> news:45687FA1-EA85-45C6-8B6C-492B8CC2D9B9@microsoft.com...
> > We unfortunately have a firewall (hardware based not the host based)
> > between
> > this one client (only one, the others are on our LAN) and our domain
> > controller.
> > Outgoing traffic are not blocked on either side.
> >
> > We won't modify the registry to use a static port for RPC for some reason.
> > And we can't use the VPN.
> > So on the hardware firewall that's protecting the domain controller (no
> > host
> > based firewall) side, we're going to allow all traffic from that one
> > client
> > to the domain controller.
> >
> > On the client side (on the hardware firewall, there's no host based
> > firewall
> > on the client) the usual MS ports are open ex) 135, 137 U, 138 U, 139,
> > 445.
> > Do we need to open the dynamic ports on the firewall that's protecting the
> > client side 1024:65535 or just by opening all traffic on the domain
> > controller side as I mentioned above will take care of the traffic?
> >
> > Thanks
>
>
>
 
S

S. Pidgorny

Yes, that's the DC side.

--
Svyatoslav Pidgorny, MS MVP - Security, MCSE
-= F1 is the key =-

* http://sl.mvps.org * http://msmvps.com/blogs/sp *

"study" <study@discussions.microsoft.com> wrote in message
news:C3A54387-2A80-4402-B651-B9C1F7A6E310@microsoft.com...
> Thanks for the reply.
> So the high tcp ports need to be opened on the client side as well even
> though the client is initiating the connection and the outbound traffic
> are
> not blocked?
> I was hoping that we just needed to open the ports on the DC side.
>
> "S. Pidgorny <MVP>" wrote:
>
>> "We won't modify the registry to use a static port for RPC for some
>> reason." - is that a legitimate reason? Your other options are opening
>> range
>> of ports between the hosts, allowing all traffic between the client and
>> the
>> DC, and decommisioning the hardware firewall. I would start with fixing
>> the
>> port.
>>
>>
>> --
>> Svyatoslav Pidgorny, MS MVP - Security, MCSE
>> -= F1 is the key =-
>>
>> * http://sl.mvps.org * http://msmvps.com/blogs/sp *
>>
>> "study" <study@discussions.microsoft.com> wrote in message
>> news:45687FA1-EA85-45C6-8B6C-492B8CC2D9B9@microsoft.com...
>> > We unfortunately have a firewall (hardware based not the host based)
>> > between
>> > this one client (only one, the others are on our LAN) and our domain
>> > controller.
>> > Outgoing traffic are not blocked on either side.
>> >
>> > We won't modify the registry to use a static port for RPC for some
>> > reason.
>> > And we can't use the VPN.
>> > So on the hardware firewall that's protecting the domain controller (no
>> > host
>> > based firewall) side, we're going to allow all traffic from that one
>> > client
>> > to the domain controller.
>> >
>> > On the client side (on the hardware firewall, there's no host based
>> > firewall
>> > on the client) the usual MS ports are open ex) 135, 137 U, 138 U, 139,
>> > 445.
>> > Do we need to open the dynamic ports on the firewall that's protecting
>> > the
>> > client side 1024:65535 or just by opening all traffic on the domain
>> > controller side as I mentioned above will take care of the traffic?
>> >
>> > Thanks
>>
>>
>>
 
You must log in or register to reply here.

Similar threads

B
  • Article
Announcing Windows 11 Insider Preview Build 25992 (Canary Channel)
Replies
0
Views
77
Brandon LeBlanc
B
D
  • Article
Update on Recall security and privacy architecture
Replies
0
Views
47
David Weston, Vice President Enterprise and OS
D
Y
  • Article
How to prepare for Windows 10 end of support by moving to Windows 11 today
Replies
0
Views
23
Yusuf Mehdi, Executive Vice President, Consumer
Y
J
The Future of Windows Server Hyper-V is Bright!
Replies
0
Views
105
Jeff Woolsey
J
B
How do I connect Windows 10/11 to Mac server
Replies
0
Views
124
Beam Me Up 42
B
Back
Top Bottom