Active Directory through firewalls


Felipe Maurer

Hi,

I have 2 different sites, connected over the Internet. I
am planning to implement Active Directory. Is this safe to
do? What port(s) need to be open to allow for
synchronization between the Domain servers? Should I
implement SMTP replication?

As you can see I need a lot of information on the subject.
Any advice is welcome.

Thanks
 
Felipe,

Not only is this safe to do, it is generally best
practice! Doing everything through the VPN tunnel stops
you from having to open up about eight or nine ports on
your firewall (can we all say Swiss cheese!).

I am going to search the MS Knowledge Base and post you
some of the articles that describe this process.

Be back in about 30 minutes or so...

HTH,

Cary
 
Probably best to do firewall-to-firewall VPN instead of
PPTP (server-to-server) VPN. This would take the load off
of the servers and be more secure depending on which
encryption algorithm is used... DES, 3DES, etc., etc.
 
Ronald,

Exactly what I was talking about! Thank you for
clarifying this point. All our clients have firewall-to-firewall
VPNs set up when there are remote offices. We
mostly use SonicWall for this. I know that PIX is
superior but the interface is so nice with the SonicWall!
I know, I know! What a horrible reason ;-) We normally
use 3DES and MD5.

Cary
 
Here's a good article: AD Replication over Firewalls by Steve Riley,
Consultant at Microsoft Telecommunications Practice.
http://www.microsoft.com/SERVICEPROVIDERS/columns/config_ipsec_p63623.asp

Some more information:
Q224196 - Restricting AD Replication Traffic to a Specific Port.
http://support.microsoft.com/directory/article.asp?ID=KB;EN-US;Q224196

Q179442 - How to Configure a Firewall for Domains and Trusts.
http://support.microsoft.com/directory/article.asp?ID=KB;EN-US;Q179442

Regards,
/Jimmy
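The KB article Jimmy cites (Q224196) pins directory replication RPC traffic to one static port so the firewall or VPN policy only needs the RPC endpoint mapper plus that one port for replication itself, instead of the dynamic RPC range. The following PowerShell is an added example, not code from the thread or from Microsoft: it reads or sets the documented NTDS "TCP/IP Port" registry value and then checks that a peer DC answers on the endpoint mapper and the pinned port. The peer name and port number are placeholders; LDAP, Kerberos and DNS traffic between the DCs still need their own rules and are not tested here.

```powershell
# Added example (not from the thread): pin AD replication RPC to one port as
# described in KB224196 and verify a peer DC is reachable on it.
# Assumes Windows Server with the NetTCPIP module (Test-NetConnection) and
# administrative rights on the DC. $PeerDc and the port value are placeholders.
$NtdsKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'

function Get-AdReplicationPort {
    # Returns the pinned port, or $null when replication still picks a dynamic RPC port.
    $p = Get-ItemProperty -Path $NtdsKey -Name 'TCP/IP Port' -ErrorAction SilentlyContinue
    if ($null -eq $p) { return $null }
    return [int]$p.'TCP/IP Port'
}

function Set-AdReplicationPort {
    param([Parameter(Mandatory)][ValidateRange(1024, 65535)][int]$Port)
    # REG_DWORD "TCP/IP Port" under NTDS\Parameters; the DC must restart the
    # directory service (reboot on older Windows versions) before it takes effect.
    New-ItemProperty -Path $NtdsKey -Name 'TCP/IP Port' -Value $Port `
        -PropertyType DWord -Force | Out-Null
    return (Get-AdReplicationPort)
}

function Test-AdReplicationPath {
    param(
        [Parameter(Mandatory)][string]$PeerDc,
        [Parameter(Mandatory)][int]$Port
    )
    # Replication needs the RPC endpoint mapper (TCP 135) to hand out the pinned
    # port, then the pinned port itself. Anything else blocked between the sites
    # shows up here as Reachable = False before replication errors appear in the logs.
    $results = foreach ($p in @(135, $Port)) {
        $tcp = Test-NetConnection -ComputerName $PeerDc -Port $p -WarningAction SilentlyContinue
        [pscustomobject]@{ Peer = $PeerDc; Port = $p; Reachable = $tcp.TcpTestSucceeded }
    }
    return $results
}

# Usage with placeholder values (run on one DC, pointed at the DC in the other site):
# Set-AdReplicationPort -Port 50000
# Test-AdReplicationPath -PeerDc 'dc2.remote.example' -Port 50000 | Format-Table
```

Set the same value on every DC that replicates across the site link, then allow only the endpoint mapper and the chosen port between the DCs through the VPN; any remaining dynamic-port allowances in the firewall policy can then be removed.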
 