RPC high ports

"steve" <st***@discussions.microsoft.com> wrote in message news:944FAC83-0AD2-45D0-B8B8-A70AD5CC2259@microsoft.com...

Hi,

I have 3 DCs between 2 firewalls over 2 sites. On the other site is my DR site, where there are no clients, only 1 DC as D.R. (standby). So basically this server only requires AD replication. I understand RPC dynamic high ports are being used by the Endpoint Portmapper (port 135).

I'm opening a range of high ports on all my DCs, 5000-5050. The rule is:

If Y, the processes using the default will be assigned ports from the set of Internet-available ports, as defined previously.
If N, the processes using the default will be assigned ports from the set of intranet-only ports.

Example:
1. Add the Internet key under: HKEY_LOCAL_MACHINE\Software\Microsoft\Rpc
2. Under the Internet key, add the values "Ports" (MULTI_SZ), "PortsInternetAvailable" (REG_SZ), and "UseInternetPorts" (REG_SZ).

In this example, use ports 5000 through 5050 inclusive, so the new registry key appears as follows:
Ports: REG_MULTI_SZ: 5000-5100
PortsInternetAvailable: REG_SZ: Y
UseInternetPorts: REG_SZ: Y

My question is: can I specify them as 'N' (No)? I'm thinking, will it be more secure? Because I do not have clients from the internet accessing my DCs. Does it mean if 'Y' (Yes), my ports are ready to be exposed to the internet (provided my firewall allows those ports)?

I have fixed a port for NTDS and NTFRS.

I'm grateful to whoever can give me some light.

Regards,
steve


"Paul Bergson" wrote:

Check out my website on AD Firewall Replication under articles. It should completely guide you on this endeavor.

--
Paul Bergson
MCT, MCSE, MCSA, CNE, CNA, CCA
http://www.pbbergs.com

This posting is provided "AS IS" with no warranties, and confers no rights.

"steve" <st***@discussions.microsoft.com> wrote in message news:944FAC83-0AD2-45D0-B8B8-A70AD5CC2259@microsoft.com...


"steve" wrote:

Hi Paul,

I have fixed the NTFRS and NTDS ports. So do I still need to open the high ports like 5001-5100 on all DCs?

Thanks
steve

"Paul Bergson" wrote:


"Paul Williams [MVP]" wrote:

If you have fixed the ports for FRS and NTDS and don't wish to allow anything else, you should only open the ports within the fixed range. Opening the others will allow other RPC traffic through.

--
Paul Williams
Microsoft MVP - Windows Server - Directory Services
http://www.msresource.net | http://forums.msresource.net


"steve" <st***@discussions.microsoft.com> wrote in message news:443D28E1-A10E-4609-A8C4-3B03FAC27D3B@microsoft.com...

Hi,

Sorry, I'm still confused. Is it needed to open the high ports or not? How about GPO applying? I guess they use RPC high ports too; if so, is the high range needed to be created on all DCs? This DC in the DR site only does AD replication and data replication over to HQ via the firewall.

Thanks in advance.

steve

"Paul Williams [MVP]" wrote:


"Paul Bergson" wrote:

The only ports needed are as defined. Just 5000-5100.

--
Paul Bergson
MCT, MCSE, MCSA, CNE, CNA, CCA
http://www.pbbergs.com

This posting is provided "AS IS" with no warranties, and confers no rights.

"steve" <st***@discussions.microsoft.com> wrote in message news:443D28E1-A10E-4609-A8C4-3B03FAC27D3B@microsoft.com...
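As an added example, not code from this thread nor from either Paul's articles, the PowerShell below applies the RPC\Internet values from the KB example steve quotes and then reads back what a replication-only DC is configured to do. Two points the thread leaves implicit are carried in the comments: PortsInternetAvailable and UseInternetPorts only decide which ports dynamic RPC servers bind (Y/Y and N/N both make the listed range the default pool, Y/N or N/Y the complement of it); nothing becomes reachable from the internet unless the firewall allows it. And, following Paul Williams' reply, once NTDS and NTFRS are pinned the RPC allow-list is 135 plus those two ports; the range is only needed for services that still pick a port dynamically. The NTDS and NTFRS value names (TCP/IP Port and RPC TCP/IP Port Assignment under each service's Parameters key) are not on the page; they are the documented fixed-port values from KB 224196. The function names, the 5000-5100 range and the usage calls are assumptions. The script covers RPC only; AD replication also depends on LDAP, Kerberos, DNS and SMB, which the thread does not discuss.

```powershell
# Added example for this thread, not code from any of the posters. Run elevated
# on the DC; RPC re-reads the RPC\Internet values only after a reboot.
# Range and sample values are assumptions. NTDS/NTFRS value names are the
# documented ones from KB 224196 (not on the page).

$RpcInternetKey = 'HKLM:\SOFTWARE\Microsoft\Rpc\Internet'
$NtdsKey        = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
$NtfrsKey       = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTFRS\Parameters'

function Set-RpcPortRange {
    # Writes Ports (REG_MULTI_SZ), PortsInternetAvailable and UseInternetPorts (REG_SZ).
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory)] [string[]] $Ports,                 # e.g. @('5000-5100')
        [ValidateSet('Y', 'N')] [string] $PortsInternetAvailable = 'Y',
        [ValidateSet('Y', 'N')] [string] $UseInternetPorts = 'Y'
    )
    $desc = "Ports=$($Ports -join ',') PortsInternetAvailable=$PortsInternetAvailable UseInternetPorts=$UseInternetPorts"
    if ($PSCmdlet.ShouldProcess($RpcInternetKey, $desc)) {
        New-Item -Path $RpcInternetKey -Force | Out-Null
        New-ItemProperty -Path $RpcInternetKey -Name 'Ports' -PropertyType MultiString -Value $Ports -Force | Out-Null
        New-ItemProperty -Path $RpcInternetKey -Name 'PortsInternetAvailable' -PropertyType String -Value $PortsInternetAvailable -Force | Out-Null
        New-ItemProperty -Path $RpcInternetKey -Name 'UseInternetPorts' -PropertyType String -Value $UseInternetPorts -Force | Out-Null
    }
}

function Get-DcRpcPortPolicy {
    # Reads the three RPC values plus the fixed NTDS/NTFRS ports and works out
    # which pool dynamic RPC servers will bind from. With Y/Y or N/N the listed
    # range is the default pool; with Y/N or N/Y it is everything except the range.
    $rpc  = Get-ItemProperty -Path $RpcInternetKey -ErrorAction SilentlyContinue
    $ntds = (Get-ItemProperty -Path $NtdsKey  -ErrorAction SilentlyContinue).'TCP/IP Port'
    $frs  = (Get-ItemProperty -Path $NtfrsKey -ErrorAction SilentlyContinue).'RPC TCP/IP Port Assignment'

    if ($null -eq $rpc -or -not $rpc.Ports) {
        $pool = 'OS default dynamic range (no RPC\Internet restriction)'
    } elseif ($rpc.PortsInternetAvailable -eq $rpc.UseInternetPorts) {
        $pool = "listed range only: $($rpc.Ports -join ',')"
    } else {
        $pool = "everything except $($rpc.Ports -join ',')"
    }

    # RPC-side allow-list for a DC that only replicates: the endpoint mapper plus
    # each service pinned to a fixed port. A service that is not pinned still
    # needs the whole dynamic pool opened, which also lets other RPC traffic through.
    $allow        = @(135)
    $needsDynamic = @()
    if ($ntds) { $allow += $ntds } else { $needsDynamic += 'NTDS (AD replication)' }
    if ($frs)  { $allow += $frs  } else { $needsDynamic += 'NTFRS (SYSVOL replication)' }

    [pscustomobject]@{
        DynamicRpcPool       = $pool
        NtdsFixedPort        = $ntds
        NtfrsFixedPort       = $frs
        RpcPortsToAllow      = $allow
        ServicesStillDynamic = $needsDynamic
    }
}

# Usage (assumed values): preview the write with -WhatIf, then apply and review.
Set-RpcPortRange -Ports @('5000-5100') -PortsInternetAvailable 'Y' -UseInternetPorts 'Y' -WhatIf
# Set-RpcPortRange -Ports @('5000-5100')   # actually write the values, then reboot the DC
Get-DcRpcPortPolicy | Format-List
```

On a DC where both NTDS and NTFRS are pinned, RpcPortsToAllow is the complete RPC allow-list for the replication firewall rule and ServicesStillDynamic is empty; if either service is still unpinned, the listed range has to be opened as well, and the output names which service is the reason.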