Wednesday, 18 February 2009

Resource Guide for Microsoft Active Directory Communications and ISA Server Firewalls

Based upon my work with ISA Server for various implementations, I often have to create firewall policies that permit Active Directory communications to traverse different ISA Server networks.

I thought it would be useful to create a quick blog entry that captures the key information as a basic resource guide. It covers the protocol sets required for the two most common types of Active Directory communication, namely:

  • Domain Member Communications (From Domain Members to Domain Controllers)
  • Domain Controller Replication Communications (From Domain Controllers to Domain Controllers)

Please Note: For information on Active Directory communications when using forest trusts, please see my previous blog entry called Using ISA Server 2006 to Protect Active Directory One-Way Forest Trusts.

So, considering the first scenario:

Domain Member Communications – Required Protocols

  • DNS (53/tcp and 53/udp)
  • Kerberos-Adm (UDP) (749/udp)
  • Kerberos-Sec (TCP) (88/tcp)
  • Kerberos-Sec (UDP) (88/udp)
  • LDAP (389/tcp)
  • LDAP UDP (389/udp)
  • LDAP GC (Global Catalog) (3268/tcp)
  • Microsoft CIFS (TCP) (445/tcp)
  • Microsoft CIFS (UDP) (445/udp)
  • NTP (UDP) (123/udp)
  • PING (ICMP Type 8)
  • RPC (all interfaces) (135/tcp)

and the second scenario:

Domain Controller Replication Communications – Required Protocols

  • DNS (53/tcp and 53/udp)
  • Kerberos-Sec (TCP) (88/tcp)
  • Kerberos-Sec (UDP) (88/udp)
  • LDAP (389/tcp)
  • LDAP (UDP) (389/udp)
  • LDAPS (636/tcp)
  • LDAP GC (Global Catalog) (3268/tcp)
  • LDAPS GC (Global Catalog) (3269/tcp)
  • Microsoft CIFS (TCP) (445/tcp)
  • Microsoft CIFS (UDP) (445/udp)
  • NetBios Datagram (138/udp)
  • NetBios Name Service (137/udp)
  • NetBios Session (139/tcp)
  • NTP (UDP) (123/udp)
  • PING (ICMP Type 8)
  • RPC (all interfaces) (135/tcp)
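The two lists above are only useful once you can prove the policy actually passes them, so here is an added example (not from the original post) for checking a DC through the ISA policy from a domain member (or from another DC, with the Replication scenario). It probes the TCP ports from both lists with a timed connect, and then exercises the UDP and ICMP services with the normal Windows tools, since UDP has no connect() to test. The DC name DC01.corp.example is a hypothetical placeholder; the domain is taken from the environment.

```powershell
# Added example, not from the original post: verify the TCP ports from the two
# protocol lists against a DC, then exercise the UDP/ICMP services directly.
# DC01.corp.example is hypothetical; pass -DomainController for your own DC.
param(
    [string]$DomainController = 'DC01.corp.example',   # hypothetical name
    [ValidateSet('Member', 'Replication')]
    [string]$Scenario = 'Member',
    [int]$TimeoutMs = 2000
)

# TCP ports from "Domain Member Communications". RPC is listed as the endpoint
# mapper only; the dynamic ports it hands out are checked separately below.
$memberTcp = [ordered]@{
    'DNS'                  = 53
    'Kerberos-Sec (TCP)'   = 88
    'RPC Endpoint Mapper'  = 135
    'LDAP'                 = 389
    'Microsoft CIFS (TCP)' = 445
    'LDAP GC'              = 3268
}
# Additional TCP ports that only appear in "Domain Controller Replication Communications".
$replicationTcp = [ordered]@{
    'NetBios Session' = 139
    'LDAPS'           = 636
    'LDAPS GC'        = 3269
}

function Test-TcpPort {
    param([string]$Computer, [int]$Port, [int]$Timeout)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $ar = $client.BeginConnect($Computer, $Port, $null, $null)
        # No answer within the timeout means the firewall is silently dropping it.
        if (-not $ar.AsyncWaitHandle.WaitOne($Timeout, $false)) { return $false }
        $client.EndConnect($ar)   # throws if the connection was refused or reset
        return $true
    } catch {
        return $false
    } finally {
        $client.Close()
    }
}

$ports = [ordered]@{}
foreach ($e in $memberTcp.GetEnumerator()) { $ports[$e.Key] = $e.Value }
if ($Scenario -eq 'Replication') {
    foreach ($e in $replicationTcp.GetEnumerator()) { $ports[$e.Key] = $e.Value }
}

foreach ($e in $ports.GetEnumerator()) {
    $state = if (Test-TcpPort -Computer $DomainController -Port $e.Value -Timeout $TimeoutMs) {
        'open'
    } else {
        'BLOCKED or filtered'
    }
    '{0,-22} {1,5}/tcp  {2}' -f $e.Key, $e.Value, $state
}

# UDP and ICMP cannot be probed with a connect(), so use the services themselves.
Test-Connection -ComputerName $DomainController -Count 2                                   # PING (ICMP type 8)
nslookup -type=SRV "_ldap._tcp.dc._msdcs.$env:USERDNSDOMAIN" $DomainController            # DNS 53/udp
nltest /dsgetdc:$env:USERDNSDOMAIN /force                                                  # LDAP ping 389/udp, DC locator
w32tm /stripchart /computer:$DomainController /samples:1 /dataonly                         # NTP 123/udp
# For the RPC dynamic ports behind 135/tcp, Microsoft's PortQry tool lists what the
# endpoint mapper registered and on which ports:  portqry -n DC01.corp.example -e 135
```

Run it once with the policy in place and once with the rule disabled; any port that reports "BLOCKED or filtered" in the first run is a missing protocol in the ISA rule, while a port that shows "open" in the second run means some other path (or a NAT relationship) is bypassing the policy you are testing.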

Please Note: The protocol names defined above are the default display names used in ISA Server, and they may differ on other firewalls. The corresponding tcp/udp ports are therefore provided in brackets for clarity.

Due to the default behaviour of the ISA Server RPC filter, you can simply use the built-in RPC (all interfaces) protocol and ISA Server will automatically handle the dynamic nature of RPC and the RPC endpoint mapper requests. However, if you are using other firewalls, you may need to replace the RPC (all interfaces) protocol with the following two protocols:

  • RPC Endpoint Mapper (135/tcp)
  • RPC Dynamic Ports (1024-65535/tcp)

The range above covers every Windows version; the actual default dynamic range is 1025-5000/tcp on Windows Server 2003 and earlier and 49152-65535/tcp on Windows Server 2008 and later, so the rule can be narrowed to whichever range is in use.

Please Note: Alternatively, you may wish to define static port ranges for RPC, as discussed in the following Microsoft knowledgebase article: How to configure RPC dynamic port allocation to work with firewalls.
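As an added example (not from the original post, and not the knowledgebase article's own script), this is what pinning the RPC-based Active Directory services to fixed ports looks like on a DC, so that the wide RPC Dynamic Ports rule can be replaced with a handful of fixed ports. It sets the documented registry values for NTDS replication ("TCP/IP Port"), the Netlogon service ("DCTcpipPort"), FRS ("RPC TCP/IP Port Assignment") and the general RPC range under HKLM\SOFTWARE\Microsoft\Rpc\Internet. The port numbers chosen here are illustrative; pick unused ports above the ephemeral range in your environment.

```powershell
# Added example, not from the original post: fix the ports used by the RPC-based
# AD services on a DC so a firewall rule can list them explicitly instead of
# allowing 1024-65535/tcp. Run elevated on the DC; a reboot is required after.
# All port values below are illustrative choices, not Microsoft defaults.
$NtdsPort     = 50000          # AD replication (NTDS)
$NetlogonPort = 50001          # Netlogon RPC (secure channel, trust operations)
$FrsPort      = 50002          # FRS SYSVOL replication; only relevant where FRS is in use
$RpcRange     = '50100-50199'  # range handed out by the endpoint mapper to other RPC servers

# NTDS and Netlogon: single fixed ports (REG_DWORD values).
Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters' `
    -Name 'TCP/IP Port' -Value $NtdsPort -Type DWord
Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters' `
    -Name 'DCTcpipPort' -Value $NetlogonPort -Type DWord
Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\NTFRS\Parameters' `
    -Name 'RPC TCP/IP Port Assignment' -Value $FrsPort -Type DWord

# Remaining RPC servers: restrict the endpoint mapper's dynamic allocation to a
# small range (the "Internet ports" mechanism from the knowledgebase article).
$rpcKey = 'HKLM:\SOFTWARE\Microsoft\Rpc\Internet'
if (-not (Test-Path $rpcKey)) { New-Item -Path $rpcKey | Out-Null }
Set-ItemProperty -Path $rpcKey -Name 'Ports'                  -Value @($RpcRange) -Type MultiString
Set-ItemProperty -Path $rpcKey -Name 'PortsInternetAvailable' -Value 'Y'          -Type String
Set-ItemProperty -Path $rpcKey -Name 'UseInternetPorts'       -Value 'Y'          -Type String

# Print the resulting firewall rule set for this DC so it can be copied into the
# policy in place of "RPC Dynamic Ports (1024-65535/tcp)".
function Get-StaticRpcRule {
    [ordered]@{
        'RPC Endpoint Mapper'   = '135/tcp'
        'AD Replication (NTDS)' = "$NtdsPort/tcp"
        'Netlogon RPC'          = "$NetlogonPort/tcp"
        'FRS RPC'               = "$FrsPort/tcp"
        'Other RPC servers'     = "$RpcRange/tcp"
    }
}
Get-StaticRpcRule
```

After the reboot, confirm from the far side of the firewall with Microsoft's PortQry (portqry -n <dc> -e 135) that the endpoint mapper now advertises the NTDS and Netlogon interfaces on the fixed ports, and only then tighten the rule; a DC that is still handing out ports from the old dynamic range after the change usually means the registry value name or type was mistyped.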

I have read that it is possible to remove some of the above "less desirable" protocols, Ping/ICMP for example. However, in my experience this can often lead to adverse effects in terms of performance, whereby delays can occur with authentication and Active Directory user/group/computer enumeration. I believe this is due to some form of protocol fallback, where you have to wait for a denied protocol (Ping/ICMP for example) to time out before an alternative protocol (LDAP Ping for example) is tried instead. Hence, overall functionality is not impaired, but it is necessary to wait for timeouts to occur, which is not ideal unless absolutely necessary.

Finally, it is recommended to use route-based network relationships between all ISA networks that carry Active Directory communications, as this avoids the problems that can occur when Network Address Translation (NAT) sits between domain members or domain controllers.

A list of appropriate references is provided below for further bedtime reading :)

Active Directory focused:

How to configure a firewall for domains and trusts

Active Directory in Networks Segmented by Firewalls

Active Directory Replication over Firewalls

Domain and Forest Trust Tools and Settings

Service overview and network port requirements for the Windows Server system

Restricting Active Directory replication traffic and client RPC traffic to a specific port

Windows 2000 Resource Kit Tool: Rpccfg.exe (RPC Configuration Tool)

ISA Server focused:

Segmenting Networks with ISA 2004 – Filtering access to Domain Controllers

Allowing Intradomain Communications through the ISA Firewall (2004)

Using ISA Server 2006 to Protect Active Directory One-Way Forest Trusts

So, not exactly ground-breaking information, but hopefully handy for those looking for a concise list of Active Directory related protocols (with associated references) when defining ISA Server firewall policies.

3 comments:

  1. Hi Jason,

    very nice and such a very useful blog post!! :)

    Keep the good job!

    Regards,
    Paulo Oliveira.

  2. >> Paulo

    Thanks, I hoped so...

    If nothing else, it's a good reminder for my own use ;)

    Cheers

    JJ

  3. for my own use too :)

    Thanks,
    Adrian
