Computers outside firewall can't reach DC
We have a small network consisting of two Win2000 domain controllers and workstations (different locations). Due to massive intrusion attacks, we have put DCs and some of our workstations behind a firewall (NETgear FR328). The problem is that the domain member computers that are not behind the firewall don't reach the DC. According to this article
, we could either open a number of ports on the firewall, or, alternatively, use Point to Point Tunneling Protocol (PPTP) and GRE 47 protocol. What is your suggestion? How do you use PPTP and GRE in this context?
The article states the simple version of the answer: Open the ports, or create a VPN and tunnel it through the firewall. However, it doesn't give the details. The issue, as you know, is that in order for Windows 2000 domain controllers to communicate with clients (log on, obtain tickets for access to resources, update computer password) several different protocols must be used, including Microsoft DS traffic over ports 445/TCP and 445/UDP (NetBIOS over TCP/IP; if some clients cannot use this protocol, then the older NetBIOS ports must be open as well), Kerberos authentication protocol (port 88 TCP/ 88/UDP), Lightweight Directory Access Protocol (LDAP) ping (389/UDP) and DNS (53/TCP, 53/UDP). If you have clients on one side of a firewall and domain controllers on the other, these ports must be open.
The alternative, as you mentioned, is to encapsulate domain authentication traffic by using a virtual private network. Either PPTP or IPsec/L2TP VPNs can be used. For this option, you will need to open the ports for the VPN protocol you choose.
So what you need now is information about your specific firewall and how to open the necessary ports, and specific info, should you choose to go that route, on creating Windows 2000 VPNs. An excellent article on this issue and how to deal with it is Active Directory in Networks Segmented by Firewalls. The white paper discusses the ports necessary, offers information on selecting a VPN protocol and setting things up and has links to other VPN resources. In addition, should you later decide that hosting a DC at a remote site is part of your plan, it details the issues of doing DC replication over firewalls.
This was first published in August 2003