Hi,
I am configuring an access-list for traffic from a dmz server to an internal
server. The dmz server is a 2003 domain member server. The internal server
is a 2003 AD controller and file server. The plan is to allow file access
from the dmz server to the internal server. Eventually, the dmz server will
be a front-end to the internal server from the Internet through SSH or
Terminal Server sessions. So far I opened the following ports to the
internal server (from the dmz) on the firewall:
TCP domain
UDP domain
tcp 88
udp 88
tcp 135
udp 389
tcp 389
tcp 445
udp netbios-ns
udp netbios-dgm
tcp netbios-ssn

I am able to perform nslookup from the dmz server using the internal server
for DNS and NAT seems to work fine. But when I try to map a drive from the
dmz server to a share on the internal server I get: "The drive could not be
mapped because no network was found".
Am I missing something? Thanks for your help. C

Re: File sharing between an AD Domain controller and a member server through a firewall by Steven

Steven
Thu Jun 10 00:09:15 CDT 2004

See if the following KB articles help, and pay particular attention to how
dynamic RPC works and how to configure a server and firewall for it. You may
also want to check your firewall logs for dropped traffic from the computer in
the DMZ; I would not be surprised if it showed inbound traffic to ports in
the range 1025-30 to the domain controller as the problem. Otherwise consider
using an IPsec policy with a rule that allows IPsec-protected traffic between the
two computers and through the firewall. -- Steve

http://support.microsoft.com/default.aspx?scid=kb%3Ben-us%3B179442
http://support.microsoft.com/default.aspx?scid=kb%3Ben-us%3B233256

"Clementius" <anonymous@discussions.microsoft.com> wrote in message
news:%23ecQTDpTEHA.2324@TK2MSFTNGP10.phx.gbl...
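The advice above (check the ACL against what a domain member actually needs, and look in the firewall deny log for drops to the RPC dynamic range) can be turned into a small triage script. The following is an added example, not code from the thread or from Microsoft: it parses the poster's access-list, lists the flows a Windows 2003 member needs to reach a DC that the ACL does not permit, and classifies constructed PIX-style deny messages toward the DC. The addresses, the 106023 log lines, the default dynamic range 1025-5000 and the restricted range 1025-1030 are assumptions for the example; the range you actually restrict RPC to is whatever you configure per the KB articles.

```python
"""Check a DMZ -> DC firewall ACL for the flows a Windows 2003 domain member
needs, and triage firewall deny-log lines for drops to the RPC dynamic range.
Added example for the thread; all addresses and log lines are constructed."""
import re

# Cisco-style service names used in the posted access-list -> port numbers.
SERVICE_PORTS = {"domain": 53, "netbios-ns": 137, "netbios-dgm": 138, "netbios-ssn": 139}

# The access-list from the original post, one "proto port-or-name" entry per line.
POSTED_ACL = """
TCP domain
UDP domain
tcp 88
udp 88
tcp 135
udp 389
tcp 389
tcp 445
udp netbios-ns
udp netbios-dgm
tcp netbios-ssn
"""

# Default RPC dynamic range on Windows 2000/2003, and an assumed restricted
# range an admin might configure instead (KB 179442 describes how).
RPC_DYNAMIC_DEFAULT = (1025, 5000)
RPC_DYNAMIC_RESTRICTED = (1025, 1030)

# Flows a member server needs toward a DC to authenticate and map an SMB share.
# "rpc-dynamic" stands for the whole RPC dynamic range handed out by the mapper.
REQUIRED_FLOWS = [
    ("tcp", 53), ("udp", 53),    # DNS
    ("tcp", 88), ("udp", 88),    # Kerberos
    ("tcp", 389), ("udp", 389),  # LDAP
    ("tcp", 135),                # RPC endpoint mapper
    ("tcp", "rpc-dynamic"),      # RPC endpoints (Netlogon, SAM, etc.)
    ("tcp", 445),                # SMB over TCP
]


def parse_acl(text: str) -> set[tuple[str, int]]:
    """Turn 'proto port-or-name' lines into a set of (proto, port) tuples."""
    acl = set()
    for line in text.strip().splitlines():
        proto, service = line.split()
        port = SERVICE_PORTS.get(service.lower()) or int(service)
        acl.add((proto.lower(), port))
    return acl


def missing_flows(acl: set[tuple[str, int]], rpc_range: tuple[int, int]) -> list:
    """Return the required flows the ACL does not fully permit."""
    lo, hi = rpc_range
    missing = []
    for proto, port in REQUIRED_FLOWS:
        if port == "rpc-dynamic":
            ok = all((proto, p) in acl for p in range(lo, hi + 1))
        else:
            ok = (proto, port) in acl
        if not ok:
            missing.append((proto, port))
    return missing


def widen_acl_for_rpc(acl: set[tuple[str, int]], rpc_range: tuple[int, int]) -> set:
    """Copy of the ACL with TCP permitted for every port in the RPC dynamic range."""
    lo, hi = rpc_range
    return acl | {("tcp", p) for p in range(lo, hi + 1)}


# Constructed PIX 106023 deny messages: DMZ host 192.0.2.10 -> DC 10.0.0.5.
DENY_LOG = [
    '%PIX-4-106023: Deny tcp src dmz:192.0.2.10/3421 dst inside:10.0.0.5/1027 by access-group "dmz_in"',
    '%PIX-4-106023: Deny tcp src dmz:192.0.2.10/3422 dst inside:10.0.0.5/1029 by access-group "dmz_in"',
    '%PIX-4-106023: Deny tcp src dmz:192.0.2.10/3423 dst inside:10.0.0.5/3389 by access-group "dmz_in"',
    '%PIX-4-106023: Deny tcp src dmz:192.0.2.20/4000 dst inside:10.0.0.9/1027 by access-group "dmz_in"',
    '%PIX-6-302013: Built inbound TCP connection 12 for dmz:192.0.2.10/3420 to inside:10.0.0.5/445',
]

DENY_RE = re.compile(
    r"Deny (?P<proto>\w+) src \S+?:(?P<src>[\d.]+)/\d+ dst \S+?:(?P<dst>[\d.]+)/(?P<dport>\d+)"
)


def triage_denies(lines, dc_ip: str, rpc_range: tuple[int, int]) -> list:
    """Classify denied flows to the DC: TCP drops inside rpc_range are 'rpc-dynamic'."""
    lo, hi = rpc_range
    hits = []
    for line in lines:
        m = DENY_RE.search(line)
        if not m or m["dst"] != dc_ip:
            continue  # not a deny, or not aimed at the DC
        proto, dport = m["proto"].lower(), int(m["dport"])
        kind = "rpc-dynamic" if proto == "tcp" and lo <= dport <= hi else "other"
        hits.append((proto, dport, kind))
    return hits


if __name__ == "__main__":
    acl = parse_acl(POSTED_ACL)
    print("missing with default range:", missing_flows(acl, RPC_DYNAMIC_DEFAULT))
    print("denies to DC:", triage_denies(DENY_LOG, "10.0.0.5", RPC_DYNAMIC_RESTRICTED))
    fixed = widen_acl_for_rpc(acl, RPC_DYNAMIC_RESTRICTED)
    print("missing after adding restricted range:", missing_flows(fixed, RPC_DYNAMIC_RESTRICTED))
```

Classifying the same denies with the default 1025-5000 range marks the tcp/3389 drop as RPC too, which is the practical argument for restricting the dynamic range on the DC before opening it on the firewall: a narrow range keeps the ACL small and makes unrelated high-port drops stand out in the log.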



Re: File sharing between an AD Domain controller and a member server through a firewall by Steven

Steven
Thu Jun 10 00:34:16 CDT 2004

Scratch the idea for IPsec between the two computers. I forgot when I posted that you
can't use IPsec between a domain member and a domain controller. An L2TP VPN
connection to a RAS server on the LAN and through the firewall with a persistent
connection may be something to consider though, and it would require certificates for
both machines, which is easy enough to do for a W2003 domain. --- Steve

"Steven Umbach" <n9rou@n0spam-comcast.net> wrote in message
news:%1Sxc.10567$0y.4335@attbi_s03...



Re: File sharing between an AD Domain controller and a member server through a firewall by Clementius

Clementius
Mon Jun 21 17:55:56 CDT 2004

Thanks a lot Steve. It helped a good deal. C

"Steven Umbach" <n9rou@n0spam-comcast.net> wrote in message
news:%1Sxc.10567$0y.4335@attbi_s03...