How to configure a firewall for domains and trusts

Last Review : May 24, 2005
On this page Microsoft describes how to configure a firewall for domains and for the trusts between them.


To establish domain trusts between domains across a firewall, the ports below must be open, and the configuration must be identical on both sites that trust each other; in other words, the two firewalls must mirror each other.

On Windows NT, the ports listed in the following table must be open on the firewall.

Windows NT

Client Port(s)        Server Port    Service
1024-65535/TCP        135/TCP        RPC *
137/UDP               137/UDP        NetBIOS Name
138/UDP               138/UDP        NetBIOS Netlogon and Browsing
1024-65535/TCP        139/TCP        NetBIOS Session
1024-65535/TCP        42/TCP         WINS Replication

* RPC needs more than port 135; see the note on RPC dynamic port allocation below.

Windows Server 2003 and Windows 2000 Server

For a mixed-mode domain with either Windows NT domain controllers or legacy clients, or for a trust relationship between two Windows Server 2003-based or Windows 2000 Server-based domain controllers that are not in the same forest, all of the preceding ports for Windows NT may need to be opened in addition to the following ports:

Client Port(s)            Server Port      Service
1024-65535/TCP            135/TCP          RPC *
1024-65535/TCP/UDP        389/TCP/UDP      LDAP
1024-65535/TCP            636/TCP          LDAP SSL
1024-65535/TCP            3268/TCP         LDAP GC
1024-65535/TCP            3269/TCP         LDAP GC SSL
53,1024-65535/TCP/UDP     53/TCP/UDP       DNS
1024-65535/TCP/UDP        88/TCP/UDP       Kerberos
1024-65535/TCP            445/TCP          SMB

In mixed mode you can establish a trust between NT 4.0 domain controllers and Windows 2000/2003 domain controllers that are not in the same forest.

For the firewall, in addition to the ports in the NT 4.0 table, you must also open the ports from the Windows 2000/2003 table for the DCs.

Figure 1 shows this configuration on a Windows Server 2003 system.


     Figure 1: Windows Firewall - Exceptions Tab
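The two port tables above, as an added example that is not code from the Microsoft article: a Python script that encodes the rows, emits the mirrored rule set both firewalls need (one rule per direction, since the two sides must mirror each other), and checks the TCP rows against a DC with a plain connect. The DC addresses 192.0.2.10 and 198.51.100.10 are hypothetical placeholders, and the rule text format is my own, not any firewall vendor's syntax.

```python
"""Mirrored firewall rules for an AD trust across a firewall, plus a TCP
reachability check. Added example; the port rows are the ones on this page,
the rule format and the checks are mine, not Microsoft's."""
import socket
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Rule:
    service: str
    proto: str          # "TCP" or "UDP"
    client_ports: str   # source port range on the client, e.g. "1024-65535"
    server_port: int    # destination port on the domain controller


# Rows from the Windows NT table.
NT_RULES = [
    Rule("RPC endpoint mapper", "TCP", "1024-65535", 135),
    Rule("NetBIOS Name", "UDP", "137", 137),
    Rule("NetBIOS Netlogon and Browsing", "UDP", "138", 138),
    Rule("NetBIOS Session", "TCP", "1024-65535", 139),
    Rule("WINS Replication", "TCP", "1024-65535", 42),
]

# Rows from the Windows 2000 / Windows Server 2003 table (TCP/UDP rows split).
W2K_RULES = [
    Rule("RPC endpoint mapper", "TCP", "1024-65535", 135),
    Rule("LDAP", "TCP", "1024-65535", 389),
    Rule("LDAP", "UDP", "1024-65535", 389),
    Rule("LDAP SSL", "TCP", "1024-65535", 636),
    Rule("LDAP GC", "TCP", "1024-65535", 3268),
    Rule("LDAP GC SSL", "TCP", "1024-65535", 3269),
    Rule("DNS", "TCP", "53,1024-65535", 53),
    Rule("DNS", "UDP", "53,1024-65535", 53),
    Rule("Kerberos", "TCP", "1024-65535", 88),
    Rule("Kerberos", "UDP", "1024-65535", 88),
    Rule("SMB", "TCP", "1024-65535", 445),
]


def trust_rules(mixed_mode: bool) -> List[Rule]:
    """Rule set for a DC-to-DC trust: the 2000/2003 rows, plus the NT rows
    when the domain is mixed mode or the DCs are in different forests.
    Port 135/TCP appears in both tables, so duplicates are dropped."""
    seen = set()
    out = []
    for r in (NT_RULES if mixed_mode else []) + W2K_RULES:
        key = (r.proto, r.server_port)
        if key not in seen:
            seen.add(key)
            out.append(r)
    return out


def mirrored_rules(dc_a: str, dc_b: str, mixed_mode: bool) -> List[Tuple[str, str, Rule]]:
    """Emit every rule in both directions: A -> B and B -> A must match."""
    out = []
    for r in trust_rules(mixed_mode):
        out.append((dc_a, dc_b, r))
        out.append((dc_b, dc_a, r))
    return out


def render(rules: List[Tuple[str, str, Rule]]) -> List[str]:
    """Vendor-neutral text form (my own notation): src -> dst proto sport dport."""
    return [f"allow {s} -> {d} {r.proto} sport {r.client_ports} dport {r.server_port}  # {r.service}"
            for s, d, r in rules]


def check_tcp(host: str, port: int, timeout: float = 2.0) -> bool:
    """True if a TCP handshake to host:port completes. This only verifies TCP
    rows; UDP rows (137, 138, 389/UDP, 53/UDP, 88/UDP) cannot be checked with
    a connect and need a protocol-level probe such as portqry."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def audit_tcp(host: str, rules: List[Rule], timeout: float = 2.0) -> Dict[int, bool]:
    """Map each TCP server port in the rule set to whether the DC answered."""
    return {r.server_port: check_tcp(host, r.server_port, timeout)
            for r in rules if r.proto == "TCP"}


if __name__ == "__main__":
    # Hypothetical DC addresses on each side of the trust (placeholders).
    for line in render(mirrored_rules("192.0.2.10", "198.51.100.10", mixed_mode=True)):
        print(line)
```

Run it on a member server on one side, pointing audit_tcp at the remote DC, to find which TCP rows the firewall still blocks; remember that a successful connect to 135 says nothing about the dynamic RPC ports the endpoint mapper hands out.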


Do not define a firewall rule that blocks ICMP traffic to a DC; ICMP to the DC must be allowed for Active Directory. If ICMP is blocked, clients cannot retrieve Group Policy from the DC (Group Policy slow-link detection on these Windows versions sends ICMP echo requests to the DC).

If you want to minimize ICMP traffic, you can use the following sample firewall rule:
<any> ICMP -> DC IP addr = allow
Unlike the TCP protocol layer and the UDP protocol layer, ICMP does not have a port number. This is because ICMP is directly hosted by the IP layer.

Note There are specific requirements for RPC communication beyond what is listed in these tables. For additional information about how to configure RPC communications for a firewall, see the following Microsoft Knowledge Base article:
154596 How to configure RPC dynamic port allocation to work with firewalls
By default, Windows Server 2003 and Windows 2000 Server DNS servers use ephemeral client-side ports when they query other DNS servers. However, this behavior may be modified with a specific registry setting that is described in the following Microsoft Knowledge Base article:
260186 The SendPort DNS registry key does not work as expected

For more information on Active Directory and Firewall configuration, consult the following Microsoft White Paper:
Alternatively, you can establish the trust through a Point-to-Point Tunneling Protocol (PPTP) compulsory tunnel, which limits the number of ports the firewall needs to open. For PPTP, the following ports must be enabled:

Client Port(s)        Server Port    Protocol
1024-65535/TCP        1723/TCP       PPTP

In addition, you would need to enable IP PROTOCOL 47 (GRE).

Note When you add permissions to a resource in a trusting domain for users in a trusted domain, there are some differences between Windows 2000 and Windows NT 4.0 behavior. If the computer cannot bring up a list of the remote domain's users:
Windows NT 4.0 tries to resolve manually typed names by contacting the PDC of the remote user's domain (UDP 138). If that communication fails, a Windows NT 4.0-based computer contacts its own PDC and asks it to resolve the name.
Windows 2000 and Windows Server 2003 also try to contact the remote user's PDC for resolution over UDP 138, but they do not fall back on their own PDC. Make sure that all Windows 2000-based and Windows Server 2003-based member servers that will grant access to resources have UDP 138 connectivity to the remote PDC.
Applies to:
Microsoft Windows Server 2003, Standard Edition
Microsoft Windows Server 2003, Enterprise Edition
Microsoft Windows Server 2003, Datacenter Edition
Microsoft Windows 2000 Server
Microsoft Windows 2000 Advanced Server
Microsoft Windows 2000 Professional Edition
Microsoft Windows NT Server 4.0 Standard Edition

Last Update: 2006/10/01 - Release: 1

