DOCUMENT:Q179442 23-APR-2002 [winnt] TITLE :How to Configure a Firewall for Domains and Trusts PRODUCT :Microsoft Windows NT PROD/VER::2000,4.0 OPER/SYS: KEYWORDS:kbenv kbnetwork kbtool ====================================================================== ------------------------------------------------------------------------------- The information in this article applies to: - Microsoft Windows NT Server version 4.0 - Microsoft Windows 2000 Professional - Microsoft Windows 2000 Server - Microsoft Windows 2000 Advanced Server ------------------------------------------------------------------------------- SUMMARY ======= This article describes how to configure a firewall for domains and trusts. MORE INFORMATION ================ To establish a domain trust or secure channel across a firewall, the following ports must be opened. Note that there may be hosts functioning with both client and server roles on both sides of the firewall. Because of this, ports rules may need to be mirrored. Windows NT ---------- +--------------------------------------------------------------+ | Client Port(s) | Server Port | Service | +--------------------------------------------------------------+ | 1024-65535/TCP | 135/TCP | RPC * | +--------------------------------------------------------------+ | 137/UDP | 137/UDP | NetBIOS Name | +--------------------------------------------------------------+ | 138/UDP | 138/UDP | NetBIOS Netlogon and Browsing | +--------------------------------------------------------------+ | 1024-65535/TCP | 139/TCP | NetBIOS Session | +--------------------------------------------------------------+ | 1024-65535/TCP | 42/TCP | WINS Replication | +--------------------------------------------------------------+ Windows 2000 ------------ For a mixed-mode domain with either Windows NT domain controllers or legacy clients or trust relationship between two windows 2000 domain controllers which are not in the same forest, all of the preceding ports for Windows NT may need to be opened in addition to the following ports: +---------------------------------------------------+ | Client Port(s) | Server Port | Service | +---------------------------------------------------+ | 1024-65535/TCP | 135/TCP | RPC * | +---------------------------------------------------+ | 1024-65535/TCP/UDP | 389/TCP/UDP | LDAP | +---------------------------------------------------+ | 1024-65535/TCP | 636/TCP | LDAP SSL | +---------------------------------------------------+ | 1024-65535/TCP | 3268/TCP | LDAP GC | +---------------------------------------------------+ | 1024-65535/TCP | 3269/TCP | LDAP GC SSL | +---------------------------------------------------+ | 53,1024-65535/TCP/UDP | 53/TCP/UDP | DNS | +---------------------------------------------------+ | 1024-65535/TCP/UDP | 88/TCP/UDP | Kerberos | +---------------------------------------------------+ | 1024-65535/TCP | 445/TCP | SMB | +---------------------------------------------------+ NOTE: There are specific requirements for RPC communication beyond what is listed in this table. For additional information about how to configure RPC communications for a firewall, click the article number below to view the article in the Microsoft Knowledge Base: Q154596 Configuring RPC Dynamic Port Allocation to Work With Firewall By default, Windows 2000 DNS servers use ephemeral client-side ports when they query other DNS servers. However, this behavior may be modified with a specific registry setting that is described in the following article in the Microsoft Knowledge Base: Q260186 SendPort DNS Registry Key Does Not Work as Expected Alternatively, you can establish a trust through the Point-to-Point Tunneling Protocol (PPTP) compulsory tunnel, and this will limit the number of ports that the firewall will need to open. For PPTP, the following ports must be enabled: +-----------------------------------------+ | Client Ports | Server Port | Protocol | +-----------------------------------------+ | 1024-65535/TCP | 1723/TCP | PPTP | +-----------------------------------------+ In addition, you would need to enable IP PROTOCOL 47 (GRE). Additional query words: tcpip ====================================================================== Keywords : kbenv kbnetwork kbtool Technology : kbWinNTsearch kbWinNT400search kbwin2000AdvServ kbwin2000AdvServSearch kbwin2000Serv kbWinNTSsearch kbWinNTS400search kbWinNTS400 kbwin2000ServSearch kbwin2000Search kbwin2000ProSearch kbwin2000Pro kbWinAdvServSearch Version : :2000,4.0 Hardware : x86 Issue type : kbhowto ============================================================================= THE INFORMATION PROVIDED IN THE MICROSOFT KNOWLEDGE BASE IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. MICROSOFT DISCLAIMS ALL WARRANTIES, EITHER EXPRESS OR IMPLIED, INCLUDING THE WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. IN NO EVENT SHALL MICROSOFT CORPORATION OR ITS SUPPLIERS BE LIABLE FOR ANY DAMAGES WHATSOEVER INCLUDING DIRECT, INDIRECT, INCIDENTAL, CONSEQUENTIAL, LOSS OF BUSINESS PROFITS OR SPECIAL DAMAGES, EVEN IF MICROSOFT CORPORATION OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. SOME STATES DO NOT ALLOW THE EXCLUSION OR LIMITATION OF LIABILITY FOR CONSEQUENTIAL OR INCIDENTAL DAMAGES SO THE FOREGOING LIMITATION MAY NOT APPLY. Copyright Microsoft Corporation 2002.