What ports need to be opened on the firewall so that my group policy will work on my remote access?

Tags:
DataCenter
Networking
Hi, I would like to know what ports need to be opened on the firewall so that my group policy will synchronize to my remote access clients. Right now my group policy is not working on my remote access clients and I think it is because of my firewall. Before my remote access clients can get through to my network there is a firewall between them, and I think this is the cause of the problem why my group policy is not working on my remote access. My connections are as follows: the remote access client will pass through my RAS router, then it will go to the firewall, then it will pass through my ACS (authentication), then finally to my server.

Answer Wiki


First, what are the options in Group Policy that affect the remote access clients? There should be nothing between them, or maybe you mean Remote Access Policies. Please clarify this with examples.

Second, what type of firewall do you have? If it's just a normal firewall with no NAT capabilities, then you will have to open a lot of ports; this will depend on what your remote access clients are trying to access. But if the firewall has some NAT capabilities like ISA Server, then this will not be possible.

Another point: how does your remote access client connect? Through VPN or dial-up?

Discuss This Question: 11  Replies

  • Smiley
    Try reading "Port Requirements for the Microsoft Windows Server System" on Microsoft's web site: http://support.microsoft.com/default.aspx?scid=kb;en-us;832017 I would strongly suggest that remote users connect using VPN.
  • Odyleones
    Hi, thank you for your immediate response... 1. What are the options in Group Policy that affect the remote access clients? OK, what I'm trying to do is to implement the password policy wherein my remote clients will change their password after 90 days. 2. What type of firewall do you have? I have a Sun Solaris Checkpoint firewall. 3. Another point: how does your remote access client connect? Through VPN or dial-up? Through dial-up for now, and next year we're planning to do SSL VPN. Well, based on the Microsoft advice we need to open the ports: 135/tcp RPC, 389/tcp/udp LDAP, 636/tcp LDAP SSL, 3268/tcp LDAP GC SSL, 53/tcp/udp DNS, 88/tcp/udp Kerberos, 445/tcp SMB, 137-138/udp NetBT, 139/tcp NetBT. No luck... still my Windows XP remote access can't get the policies, even though I tried to do gpupdate /force. From the netdiag.txt the error is: DC list test ..... failed. But when I open ICMP 0 and 8, my DC is responding, whether I ping it through the IP address or the name of my DC. I get a reply (I ping it from my client PC). I tried to open ICMP 37 and 38 and also ICMP 3 and 4, but no luck. From my firewall I received: PACKET DATA SIZE:2048;ECHO REQUEST TOO LONG;ICMP ECHO REQUEST;ICMP TYPE 8;ICMP CODE = 0. I don't know if this is the cause of the problem.
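A check a practitioner could run from an affected client to tell whether the firewall, rather than the DC itself, is blocking the ports listed in the post above. This is an added example, not part of the original thread; the DC hostname is a placeholder, and it probes only the TCP ports from that list, because a UDP connect cannot distinguish an open port from a filtered one.

```python
"""Probe a domain controller for the TCP ports a Windows client needs for
Group Policy processing (port list taken from the thread above).
Added example, not from the original post; the hostname is a placeholder."""
import socket
import sys

# TCP ports named in the thread as required between client and DC.
# 137/138 are UDP-only and are deliberately left out of this TCP check.
REQUIRED_TCP_PORTS = {
    135: "RPC endpoint mapper",
    389: "LDAP",
    636: "LDAP over SSL",
    3268: "LDAP global catalog",
    53: "DNS",
    88: "Kerberos",
    445: "SMB (SYSVOL / policy file download)",
    139: "NetBIOS session",
}


def tcp_port_open(host, port, timeout=2.0):
    """Return True if a TCP handshake to host:port completes within timeout."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        # Refused, timed out (typical for a silently dropping firewall), or unresolved
        return False


def check_dc_ports(host, ports=REQUIRED_TCP_PORTS, timeout=2.0, probe=tcp_port_open):
    """Probe each port and return {port: reachable}. `probe` is injectable for testing."""
    return {port: probe(host, port, timeout) for port in ports}


def blocked_ports(results, ports=REQUIRED_TCP_PORTS):
    """Return a sorted list of (port, service) pairs that were unreachable."""
    return sorted((p, ports[p]) for p, ok in results.items() if not ok)


if __name__ == "__main__":
    dc = sys.argv[1] if len(sys.argv) > 1 else "dc01.example.internal"  # placeholder DC
    results = check_dc_ports(dc)
    blocked = blocked_ports(results)
    for port, service in blocked:
        print(f"BLOCKED tcp/{port:<5} {service}")
    if not blocked:
        print(f"all required TCP ports on {dc} are reachable")
```

A port that shows as blocked here but is open on the DC's own interface points at the firewall (or an intermediate device) as the cause rather than the DC.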
  • Sonotsky
    No offence, but your connection scheme seems a little more complex than necessary. Another poster replied that VPN is strongly suggested for this scenario; I would agree. A VPN appliance outside (or should it be inside? Design gurus, lend a hand, please) the firewall, which should be of a stateful nature, would take care of both security and authentication. Also, you should probably make sure that NetBIOS is being passed through the firewall.
  • Poppaman
    I agree with Smiley - VPN is the way to go. There are several different products, but the easiest to use are the SSL VPN solutions (such as Aventail). While IPsec (such as Nortel Contivity) also works, and is cheaper, it is more difficult to configure and maintain...
  • Drmikec
    Terminal services client, remote access client, and NetMeeting all use port 3389. You should limit the access to the MAC addresses of the local machine, or an IP address or range of addresses, perhaps just your RAS if that's the only way you want them to access it. Anything to prevent wholesale exposure of your network on port 3389.
  • Drmikec
    Belay that. I meant to say "remote machine" instead of local machine.
  • MrWizard
    You definitely do not want to open up ports 135, 137, 139. Very dangerous. I completely agree with the previous posts: you need to go VPN! I don't know what your firewall's capabilities are, but most current firewalls are capable of acting as a VPN endpoint.
  • Odyleones
    Thank you for all your replies... nah, don't worry, I'm not offended... Actually, I already have a VPN connection and we're using a Cisco Concentrator, but you know some of my colleagues don't have an internet connection yet, that's why they are using dial-up. The reason why I'm asking about this one is because the password group policy will expire this December and January, and some of my dial-up users are already complaining that when they try to change their password it is not working, and the same goes for my VPN users. What we're doing right now if someone is complaining is we do it manually, and I'm trying to solve that kind of problem by pushing the password policy to change the password expiration to April 2005. But no luck. Maybe I will explain my connection a little bit. Before my dial-up users can connect to my network they will pass through the following: RAS router (located in the DMZ) - Firewall (Sun Solaris Checkpoint) - Cisco ACS - Active Directory. My VPN users: from the internet - Firewall - VPN Concentrator (located in the DMZ) - Firewall - Cisco ACS - Active Directory. Now if you notice, they will have to pass through Firewall - Cisco ACS - Active Directory. The advice of my vendors: they are telling me to upgrade my VPN Concentrator and my Cisco ACS because that is the solution to my problem. But when I ask them to give me proof they cannot give it. I went to the Cisco site and checked and I found nothing, and for me I don't need to upgrade it because I'm moving to SSL VPN. I'm still evaluating Aventail and F5. So, while I'm still evaluating the said products I want to solve the said problem, but no luck. Since I already mentioned my project... can you give me advice about my proposal, whether it is OK or not? For the VPN Concentrator, I'm going to replace it with SSL VPN, and as for my ACS I'm thinking of replacing it with a RADIUS appliance. Because for now I have a point of failure: the Cisco ACS. This ACS doesn't have a backup and it is on Windows 2000, so I need to patch it every time.
    Anyway, thank you for all your responses... I appreciate it most... HAPPY NEW YEAR TO ALL AND THANK YOU VERY MUCH.
  • Mraslan
    First of all, there is something important that you should know about password policies: you can't create a password policy for specific users. Password policies only take effect from group policies applied at the domain level, not OUs or Sites or anything else, so it will be applied to all users in the domain. Second, if you want to put the remote access server or VPN server in front of the firewall, then you can configure it to use RADIUS authentication and install an IAS server on the domain controller or any other member server inside the firewall. This way you will only have to open ports 1812 and 1645 (as I remember) in your firewall to the server that will run IAS (whether it's the domain controller or any other server). Next, see what your clients need exactly; for example, if they need to access a web server inside, then open port 80 in your firewall for the IP range that will be assigned to the remote access clients, and so on. Note that you will need to open UDP 53 for name resolution. As MrWizard said, opening ports 135 to 139 in general is not a good idea; however, if you allow them to the IP range that is assigned to the remote access clients, then the risk will be reduced, but not totally eliminated. As some posters also suggested, I think it's better to get the VPN or remote access server inside the firewall, not after it, and this will only require you to open port 1723 and allow IP protocol 47 (GRE) to pass through the firewall if you are using PPTP; however, if you will be using L2TP, then it might not work, this will depend on the firewall. However, I disagree with most people about VPN or dial-up. VPN is by far better than dial-up in most cases, but not all cases: VPN allows clients to connect at faster speeds and requires less hardware than dial-up; however, if the internet link to the VPN server goes down, then all of a sudden no one can connect, and dial-up will be a good choice in this case.
    In my opinion, it's a good thing to support both, with VPN as the primary connection method in mind, and at least allowing dial-up for the administrators in case something happens and they cannot get inside using VPN.
  • Ve3ofa
    You are trying to enforce a local policy of a password change on a remote machine? Or are you trying to make their login password expire after 90 days? The first one is impossible, irrational, and overreaching your authority. The second one is simple: just set it up in their account. If all of these machines are corporate owned, set the policy before they leave the IT department, password the administrator account, put the user as a 'power user' or lower access to the machine, and set the policies then.
  • Odyleones
    Hi Ve3ofa, all my users' (inside, dial-up, VPN) passwords expired last December and January. My inside users don't have a problem changing their password. But my dial-up users have a problem changing their password. So what I'm trying to do is to enforce the password policy on my dial-up users... it's like I'm trying to extend their password for 90 days. Once they log in to our server I will ask them to do gpupdate /force... once they get the update then their password would be extended to 90 days. Based on Microsoft, they said that it is possible to do it. We did an experiment here and we tried to do gpupdate on our inside users and there was no problem at all. They get the extension to 90 days password expiration, but with my dial-up users we have a problem. So we suspect that our firewall or our Cisco ACS is the one preventing the policy. Anyway, since it is already January, what we are doing now is we do it manually. Thank you for all your replies. I appreciate it most... Happy New Year to all and have a nice day.