2

We have a site-to-site VPN connection between our main office and our production web servers at our collocation using two SonicWall devices. By default, the VPN tunnel allows all traffic between the two sites. I want to restrict this so that we block all INCOMING traffic from the collocation to the office, that way our private network is more protected in the event that our production servers are compromised.

A problem that I'm seeing, though, is that our servers that we have joined to the domain still need to be able to contact the DC in our office for group policy, ldap information, etc.. After a bit of poking around for all the services and ports used by AD, I found that the RPC service uses random ports, which makes it difficult to punch a hole in the firewall to make it work. I found this kb article which describes how to change it to a specific port on all of your domain controllers, which would then allow me to open up a single port on the firewall. What this article doesn't go over is the downsides of doing so. I imagine they have the ports randomized for a reason .. and taking that away is removing whatever benefit that it provides.

What would I be losing by switching this to a specific port? The instructions have me edit the registry on all my DCs, which I would love to avoid. Also, would this be a good case in which we would benefit from having an RODC at our collo site?

Safado
  • 4,786
  • 7
  • 37
  • 54

2 Answers2

4

I just want to clarify that out of the box, Windows Server 2003 has a dynamic port range of 1025-5000 and not 1024-65535. With a hotfix, Windows Server 2003 gets the IANA standard of 49152-65535, which Windows Server 2008 and newer have out of the box.

For sources, see the MS support page below, and the Wikipedia article (and the sources it quotes).

Service overview and network port requirements for Windows http://support.microsoft.com/kb/832017

Ephemeral ports https://en.wikipedia.org/wiki/Ephemeral_port

greycloud
  • 41
  • 2
0

My experience has been that many organizations create access rules for the specific application low ports (such as 389, 88, etc), and a "high ports" firewall rule. For Windows Server 2003, the high ports was 1024 - 65535. That was obviously not a very good number, so for Windows Server 2008 this was reduced in scope to 49152 - 65535.

A more secure solution is to use the IPSec Tunnel approach. A lot of US government agencies use IPSec when communicating between trusted domains or a forest root.

The various pros and cons are described in detail in the following article. Limiting RPC needs to be implemented on all domain controllers, so it isn't something you can just turn up on one and see how it works. Implementing this in a large organization with a lot of DC's and sites can require a lot of planning.

Active Directory Replication Over Firewalls
https://social.technet.microsoft.com/wiki/contents/articles/active-directory-replication-over-firewalls.aspx

Greg Askew
  • 35,880
  • 5
  • 54
  • 82
  • I didn't know that they had the smaller group for server 2008. I've opened up all the required ports including the range of random ports for RPC and it appears as though everything is working as expected. – Safado Feb 28 '12 at 17:52