Networking Forums

Ports to open for a one-way trust

 
 
Justified Geek
      01-24-2005, 05:47 PM
We are configured in a three tier network.

The first tier is the demilitarized zone (or DMZ), where machines from the
internet can access the resources. (This is commonly referred to as the
exposed network.)

The second tier (behind a firewall) is the "private net", which contains
resources available to the servers in the DMZ network, but the resources are
not directly available to machines on the internet. Data which resides here,
or is available through here, would have to be presented by the servers in
the DMZ to machines on the internet.

The third tier (behind another firewall) is the subnets in our corporate
intranet. Machines in the first tier or on the internet are not allowed to
initiate connections through this firewall, and only specific ports are
available from specific machines on the second tier to initiate connections.

The machines on the first and second tiers currently use local
authentication. The machines on the corporate intranet authenticate to a
native Windows 2003 Active Directory domain/forest.

We wish to place a separate Windows 2003 Active Directory domain/forest in
the first and second tiers (with the domain controllers located in the second
tier), and establish a one way trust with our corporate forest. This way
staff authenticated in the corporate domain can be assigned rights to
resources in the new "internet" domain, and we can reduce the administrative
overhead of maintaining local security accounts and rights.

What I need to know is: What is the MINIMUM set of TCP and UDP port
connections which need to be assigned on the firewall as being allowed to be
established from the domain controllers in the second tier "private net"
through the firewall to our corporate intranet domain controllers in order to
establish and use this one way trust? And, can any of those be closed once
the trust is established?

--
Thank you,

GLYASDI,

Paul
 
Steven L Umbach
      01-24-2005, 06:47 PM
See the link below to a great article on how to do this. Pay particular
attention to the part on "dynamic" RPC and how to configure it and the
firewall for best security. FYI you may also want to consider using Remote
Desktop to manage the DMZ computers and you will need to only open port 3389
TCP in the firewall or depending on your firewall capabilities you may just
want to create ipsec endpoints to tunnel between the networks. --- Steve

http://www.microsoft.com/serviceprov...sec_P63623.asp

 
Justified Geek
      01-24-2005, 09:35 PM
That was a great article, (I had read it before), but it addressed full blown
replication...

What I'm looking to do is limit the amount of information kept in the
"private net" tier’s domain controllers to a minimum, and provide trusted
Kerberos authentication, without having to unnecessarily constrain (and
complicate) my internal domain controllers' methods of replication.
Look at it as if the DMZ forest were an associate's domain on an "extranet",
which wanted to provide us authenticated access to their company’s servers.

I have yet to come across an article on that specific scenario, and its
implications in regard to the firewall rules.


Even so, thank you for the response; I can see where the information has
relevance.

Paul

 
Steven L Umbach
      01-24-2005, 11:11 PM
OK. Based on your description of using Windows 2003 domains you probably can
get away with using RPC, CIFS/445 TCP, LDAP, global catalog LDAP, and
Kerberos. NTP would only be needed if domains are in the same forest. You
could start with that and then check your firewall logs for dropped traffic
between domains if problems ensue. I forgot to answer your question about
closing the firewall after the trust has been established, and the answer to
that is no. --- Steve


 
Justified Geek
      01-25-2005, 05:35 PM
Thank you Steven, we'll give that a shot.

Paul

P.S. (If anyone has seen a definitive article, from Microsoft or anyone
else, on setting up one way trust through a firewall, I'd love to read it.)

(O.K. Maybe, I'm a bit obsessive, but I searched hard, and if I missed it,
I'd like to figure out why! ;-)


 
Steven L Umbach
      01-25-2005, 06:01 PM
OK. Here is the Microsoft KB article you requested, and I think it jibes with
what I suggested. Note that since you are not using down-level trusts, the
NetBIOS/WINS related ports should not be needed. It would not matter whether
the trust is one way or two way as far as firewall rules go. Be sure to take
DNS name resolution into account between the forests. Conditional forwarding
should work fine between the domains. Good luck. --- Steve

http://support.microsoft.com/default...en-us%3B179442

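As an added example (not part of the thread, and not Microsoft's or either poster's code), the following Python script turns Steve's two answers into something checkable: it models the rule set he lists (RPC endpoint mapper, CIFS/445, LDAP, global catalog LDAP, Kerberos, plus the DNS the conditional forwarders in his later post need, with NetBIOS/WINS left out because the trust is not down-level) and then reviews firewall drop logs the way he suggests, reporting which drops are missing rules and which are expected. The port numbers are the standard well-known ports for those services; the DC addresses, the 5000-5100 dynamic RPC window, and the log line format are assumptions made for the example.

```python
import re
from collections import Counter

# --- Scenario constants (assumptions for this example, not from the thread) ---
PRIVATE_NET_DCS = {"10.20.0.10", "10.20.0.11"}  # tier 2 DCs (new "internet" forest)
CORP_DCS = {"10.30.0.10", "10.30.0.11"}          # tier 3 DCs (corporate forest)

# Fixed ports the private-net DCs must reach on the corporate DCs for a
# Windows 2003 trust: RPC endpoint mapper, CIFS, LDAP, global catalog LDAP,
# Kerberos, plus DNS for the conditional forwarders between the forests.
TRUST_PORTS = {
    ("tcp", 135): "RPC endpoint mapper",
    ("tcp", 445): "CIFS/SMB",
    ("tcp", 389): "LDAP",
    ("udp", 389): "LDAP (UDP)",
    ("tcp", 636): "LDAP over SSL",
    ("tcp", 3268): "global catalog LDAP",
    ("tcp", 3269): "global catalog LDAP over SSL",
    ("tcp", 88): "Kerberos",
    ("udp", 88): "Kerberos (UDP)",
    ("tcp", 53): "DNS",
    ("udp", 53): "DNS",
}

# Dynamic RPC ports (LSA, SAM, Netlogon). Assumption: the corporate DCs have
# been pinned to 5000-5100 via the HKLM\Software\Microsoft\Rpc\Internet key,
# so the firewall rule covers that window instead of all of 1024-65535.
RPC_DYNAMIC_RANGE = (5000, 5100)

# NetBIOS/WINS ports: needed only for down-level (Windows NT 4.0 style) trusts.
DOWNLEVEL_PORTS = {
    ("udp", 137): "NetBIOS name service",
    ("udp", 138): "NetBIOS datagram service",
    ("tcp", 139): "NetBIOS session service",
}

# Constructed log format for the example; real firewalls differ, adjust the regex.
LOG_RE = re.compile(
    r"^(?P<ts>\S+ \d+ \d\d:\d\d:\d\d) (?P<action>DROP|ACCEPT) "
    r"src=(?P<src>[\d.]+) dst=(?P<dst>[\d.]+) proto=(?P<proto>tcp|udp) "
    r"sport=(?P<sport>\d+) dport=(?P<dport>\d+)$"
)


def classify(proto, dport):
    """Say what a dropped packet to (proto, dport) on a corporate DC means."""
    key = (proto, dport)
    if key in TRUST_PORTS:
        return "MISSING RULE", TRUST_PORTS[key]
    lo, hi = RPC_DYNAMIC_RANGE
    if proto == "tcp" and lo <= dport <= hi:
        return "MISSING RULE", "dynamic RPC (restricted range)"
    if key in DOWNLEVEL_PORTS:
        return "EXPECTED DROP", DOWNLEVEL_PORTS[key] + " (down-level trusts only)"
    return "INVESTIGATE", "not part of the trust rule set"


def review_drops(lines):
    """One finding per dropped packet from a private-net DC to a corporate DC.

    Flows in any other direction, or from non-DC hosts, are outside the trust
    rule set and are skipped rather than judged.
    """
    findings = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m or m["action"] != "DROP":
            continue
        if m["src"] not in PRIVATE_NET_DCS or m["dst"] not in CORP_DCS:
            continue
        proto, dport = m["proto"], int(m["dport"])
        verdict, why = classify(proto, dport)
        findings.append({"verdict": verdict, "src": m["src"], "dst": m["dst"],
                         "proto": proto, "dport": dport, "why": why})
    return findings


def summarize(findings):
    """Count findings per verdict so a rule gap stands out at a glance."""
    return Counter(f["verdict"] for f in findings)


# Constructed sample log: two real gaps, one down-level drop, one stray RDP
# attempt, one accepted flow, and one drop from a non-DC host in the DMZ.
SAMPLE_LOG = """\
Jan 25 10:12:03 DROP src=10.20.0.10 dst=10.30.0.10 proto=tcp sport=1043 dport=135
Jan 25 10:12:03 DROP src=10.20.0.10 dst=10.30.0.10 proto=tcp sport=1044 dport=5021
Jan 25 10:12:04 ACCEPT src=10.20.0.10 dst=10.30.0.10 proto=tcp sport=1045 dport=389
Jan 25 10:12:05 DROP src=10.20.0.11 dst=10.30.0.11 proto=udp sport=137 dport=137
Jan 25 10:12:06 DROP src=10.20.0.11 dst=10.30.0.10 proto=tcp sport=1046 dport=3389
Jan 25 10:12:07 DROP src=10.10.0.5 dst=10.30.0.10 proto=tcp sport=2000 dport=445
""".splitlines()

if __name__ == "__main__":
    found = review_drops(SAMPLE_LOG)
    for f in found:
        print(f"{f['verdict']:13} {f['src']} -> {f['dst']} "
              f"{f['proto']}/{f['dport']}: {f['why']}")
    print(dict(summarize(found)))
```

The RPC window in the script has to match whatever is configured on the corporate DCs: a drop inside the window means the firewall rule is wrong, while a drop from a trust client to a high port outside the window means the restriction has not taken effect on that DC. Drops classified as INVESTIGATE are not trust traffic at all and should not be answered by widening the rule.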
 
Justified Geek
      01-25-2005, 08:43 PM

Perfect! - You're awesome!

Now I've got to circle back and find out why I didn't find it with my search
methods.
(I'm supposed to be a professional at finding IT answers - I am humbled in
your shadow.)

Thanks again!

Paul


