Ports to open for a one-way trust

Discussion in 'Windows Networking' started by Justified Geek, Jan 24, 2005.

  1. We are configured in a three tier network.

    The first tier is the demilitarized zone (or DMZ), where machines from the
    internet can access the resources. (This is commonly referred to as the
    exposed network.)

    The second tier (behind a firewall) is the “private net”, which contains
    resources available to the servers in the DMZ network, but the resources are
    not directly available to machines on the internet. Data which resides here,
    or is available through here, would have to be presented by the servers in
    the DMZ to machines on the internet.

    The third tier (behind another firewall) is the subnets in our corporate
    intranet. Machines in the first tier or on the internet are not allowed to
    initiate connections through this firewall, and only specific ports are
    available from specific machines on the second tier to initiate connections.

    The machines on the first and second tiers currently use local
    authentication. The machines on the corporate intranet authenticate to a
    native Windows 2003 Active Directory domain/forest.

    We wish to place a separate Windows 2003 Active Directory domain/forest in
    the first and second tiers (with the domain controllers located in the second
    tier), and establish a one way trust with our corporate forest. This way
    staff authenticated in the corporate domain can be assigned rights to
    resources in the new “internet” domain, and we can reduce the administrative
    overhead of maintaining local security accounts and rights.

    What I need to know is: What is the MINIMUM set of TCP and UDP port
    connections which need to be assigned on the firewall as being allowed to be
    established from the domain controllers in the second tier “private net”
    through the firewall to our corporate intranet domain controllers in order to
    establish and use this one way trust? And, can any of those be closed once
    the trust is established?

    Thank you,


    Justified Geek, Jan 24, 2005

  2. See the link below to a great article on how to do this. Pay particular
    attention to the part on "dynamic" RPC and how to configure it and the
    firewall for best security. FYI you may also want to consider using Remote
    Desktop to manage the DMZ computers and you will need to only open port 3389
    TCP in the firewall or depending on your firewall capabilities you may just
    want to create ipsec endpoints to tunnel between the networks. --- Steve

    Steven L Umbach, Jan 24, 2005

  3. That was a great article (I had read it before), but it addressed full blown

    What I'm looking to do is limit the amount of information kept in the
    "private net" tier’s domain controllers to a minimum, and provide trusted
    Kerberos authentication, without having to unnecessarily constrain (and
    complicate) my internal domain controllers' methods of replication.
    Look at it as if the DMZ forest were an associate’s domain on an “extranet”,
    which wanted to provide us authenticated access to their company’s servers.

    I have yet to come across an article on that specific scenario, and its
    implications in regard to the firewall rules.

    Even so, thank you for the response, I can see where the information has

    Justified Geek, Jan 24, 2005
  4. OK. Based on your description of using Windows 2003 domains you probably can
    get away with using RPC, CIFS/445 TCP, LDAP, global catalog LDAP, and
    Kerberos. NTP would only be needed if domains are in the same forest. You
    could start with that and then check your firewall logs for dropped traffic
    between domains if problems ensue. I forgot to answer your question about
    closing the firewall after the trust has been established and the answer to
    that is no. --- Steve
    Steven L Umbach, Jan 25, 2005
  5. Thank you Steven, we'll give that a shot.


    P.S. (If anyone has seen a definitive article, from Microsoft or anyone
    else, on setting up one way trust through a firewall, I'd love to read it.)

    (O.K. Maybe, I'm a bit obsessive, but I searched hard, and if I missed it,
    I'd like to figure out why! ;-)
    Justified Geek, Jan 25, 2005
  6. OK. Here is the Microsoft KB article you request and I think it jives with
    what I suggested. Note that since you are not using downlevel trusts, the
    NetBIOS/WINS related ports should not be needed. It would not matter whether
    the trust is one way or two way as far as firewall rules go. Be sure to take
    DNS name resolution into account between the forests. Conditional forwarding
    should work fine between the domains. Good luck. --- Steve

    Steven L Umbach, Jan 25, 2005
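Steve's two answers (posts 4 and 6) give the minimum service list for a Windows 2003 forest trust through a firewall: RPC endpoint mapper plus a restricted dynamic RPC range, CIFS/445 TCP, LDAP, global catalog LDAP, Kerberos, and DNS between the forests, with no NetBIOS/WINS ports. The checker below is an added example, not code from the thread or from Microsoft: it probes each TCP port from the private-net domain controller's side so that a dropped rule shows up before the trust wizard fails. Only 445 and 3389 are numbered on the page; the other port numbers (135, 88, 389, 3268, 53) are the standard assignments for the named services and are assumed here. The `open_local_listener` and `reserve_closed_port` helpers exist only so the checker can be exercised offline against 127.0.0.1.

```python
import socket
from contextlib import closing

# Services named in the thread, mapped to their standard TCP ports (assumed
# values; the page itself only numbers 445 and 3389). The dynamic RPC range
# that the endpoint mapper hands out is deliberately not listed: it must be
# pinned to a fixed range on the DCs and opened as its own firewall rule.
TRUST_PORTS = {
    "rpc-endpoint-mapper": ("tcp", 135),
    "smb-cifs":            ("tcp", 445),
    "kerberos":            ("tcp", 88),
    "ldap":                ("tcp", 389),
    "ldap-global-catalog": ("tcp", 3268),
    "dns":                 ("tcp", 53),   # conditional forwarding between forests
}


def tcp_reachable(host, port, timeout=2.0):
    """Return True when a full TCP handshake to host:port completes in time.

    A refused or timed-out connect means the firewall (or the service) is not
    letting this DC reach the corporate DC on that port.
    """
    with closing(socket.socket(socket.AF_INET, socket.SOCK_STREAM)) as s:
        s.settimeout(timeout)
        try:
            s.connect((host, port))
            return True
        except OSError:
            return False


def check_trust_ports(host, ports=None, timeout=2.0):
    """Probe every entry of `ports` against `host`; return {name: result}.

    Result is True/False for TCP. UDP entries get None: UDP has no handshake,
    so a probe cannot tell an open port from a silently filtered one, and
    those (e.g. Kerberos/UDP) are better verified from the firewall log.
    """
    ports = TRUST_PORTS if ports is None else ports
    results = {}
    for name, (proto, port) in ports.items():
        results[name] = tcp_reachable(host, port, timeout) if proto == "tcp" else None
    return results


def missing_ports(results):
    """Names whose TCP probe failed outright (None entries are not failures)."""
    return sorted(name for name, ok in results.items() if ok is False)


def open_local_listener():
    """Offline test aid: a listening socket on 127.0.0.1, ephemeral port.

    Returns (socket, port); the caller closes the socket.
    """
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)
    return srv, srv.getsockname()[1]


def reserve_closed_port():
    """Offline test aid: bind but never listen, so connects are refused.

    Returns (socket, port); keep the socket open while probing that port.
    """
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.bind(("127.0.0.1", 0))
    return s, s.getsockname()[1]


if __name__ == "__main__":
    import sys
    # Placeholder target; replace with a corporate-intranet DC address.
    target = sys.argv[1] if len(sys.argv) > 1 else "CORP-DC-PLACEHOLDER"
    res = check_trust_ports(target)
    for name, ok in res.items():
        print(f"{name:22s} {'open' if ok else 'udp: check firewall log' if ok is None else 'BLOCKED'}")
    print("blocked:", missing_ports(res) or "none")
```

Run it from the private-net domain controller with the corporate DC as the target; anything listed under `blocked` is a rule to add (or a service not bound) before trying to create the trust. The script does not check the dynamic RPC range, because that range is whatever you pinned it to on the DCs; add those ports to `TRUST_PORTS` once it is fixed.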
  7. Perfect! - You're awesome!

    Now I've got to circle back and find out why I didn't find it with my search
    (I'm supposed to be a professional at finding IT answers - I am humbled in
    your shadow.)

    Thanks again!

    Justified Geek, Jan 25, 2005
