SRX


Ask questions and share experiences about the SRX Series, vSRX, and cSRX.
  • 1.  RODC in DMZ policies for communication between DMZ and Trust

    Posted 09-02-2011 07:26

    Hi,

    I'm hoping someone else has already done this and can provide a little help. I am placing an RODC in my DMZ and am setting up policies between the DMZ and Trust and vice versa.

    Referring to this URL: http://technet.microsoft.com/en-us/library/dd728028%28WS.10%29.aspx I would need the following:

    Trust to DMZ (RWDC to RODC): junos-ldap, junos-ms-rpc-epm, custom-frs (tcp 53248) or whatever port I pin FRS to.

    DMZ to Trust (RODC to RWDC): junos-dns-tcp, junos-dns-udp, junos-ldap, junos-ms-rpc-epm, junos-ntp, custom-lsass (tcp 49152-65535)

    For everything else it looks like they would be custom applications, or have I missed anything?

    TCP 3268: GC, LDAP
    TCP 445: DFS, LsaRpc, NbtSS, NetLogonR, SamR, SMB, SrvSvc
    TCP 88: Kerberos
    UDP 123: NTP
    UDP 389: C-LDAP
    TCP 5722: DFS-R
    TCP and UDP 464: Kerberos Change/Set Password

    Also, what else did you add for the communication? I also disabled the msrpc and dns ALG.

    Thanks



  • 2.  RE: RODC in DMZ policies for communication between DMZ and Trust

    Posted 09-02-2011 10:50

    Alright, I did a bunch of stuff and am waiting on the event log to show me if anything isn't working.

    Attachment(s): fwha.txt (7 KB)


  • 3.  RE: RODC in DMZ policies for communication between DMZ and Trust
    Best Answer

    Posted 09-04-2011 14:12

    Hi,

    In the case of communication with writable domain controllers, you will have an issue related to directory replication only, as it involves a dynamic port, i.e. tcp-53248 will not suffice.

    So before implementing such a security policy on the firewall, try to avoid tombstone expiration by configuring a static port for AD DS replication using

    http://support.microsoft.com/kb/224196

    http://technet.microsoft.com/en-us/library/bb727063.aspx

    Regards

     



  • 4.  RE: RODC in DMZ policies for communication between DMZ and Trust

    Posted 09-06-2011 17:09

    Thanks, I did set DFS-R, FRS and Netlogon to static ports and cut a hole through the firewall from DMZ to Trust for the DFS-R port. Everything looks to be working at this time. I followed this link http://technet.microsoft.com/en-us/library/dd728028%28WS.10%29.aspx for firewall exceptions, dropping lsass and using the static port for AD replication.

    I also disabled NetBIOS over TCP/IP on the RODCs; that seemed to clear the poor performance of transferring files from internal to DMZ.

    I've included my config for reference for anyone else looking to do this. Trust to DMZ is wide open in this config.

    Attachment(s): CONFIG.txt (13 KB)
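As an added example, and not the poster's attached CONFIG.txt or any other code from this thread, the following Junos set-style configuration expresses the port list from post 1 and the static-port approach from posts 3 and 4: the dynamic lsass range tcp 49152-65535 is replaced by custom applications for pinned ports, and the DMZ-to-Trust direction is restricted to the RODC/RWDC pair instead of being left open. Zone names trust and dmz, the host addresses 10.0.0.5 and 10.10.10.5, and the static NTDS and Netlogon port numbers 53249 and 53250 are constructed assumptions (the real values come from whatever is set on the DCs per KB 224196); the FRS port 53248 and the DFS-R port 5722 are taken from the thread.

```junos
## Added example, not the thread's own config. Assumed zone names trust/dmz and
## constructed host addresses; replace with the real values for your domain.
set security zones security-zone trust address-book address rwdc-1 10.0.0.5/32
set security zones security-zone dmz address-book address rodc-1 10.10.10.5/32

## Custom applications for ports with no predefined junos-* application.
## 53248 (FRS) and 5722 (DFS-R) are from post 1; 53249 and 53250 are assumed
## static ports pinned on the DCs (NTDS replication and Netlogon, KB 224196).
set applications application custom-frs protocol tcp destination-port 53248
set applications application custom-dfsr protocol tcp destination-port 5722
set applications application custom-ntds-static protocol tcp destination-port 53249
set applications application custom-netlogon-static protocol tcp destination-port 53250
set applications application custom-gc-ldap protocol tcp destination-port 3268
set applications application custom-smb-445 protocol tcp destination-port 445
set applications application custom-kerberos protocol tcp destination-port 88
set applications application custom-kpasswd-tcp protocol tcp destination-port 464
set applications application custom-kpasswd-udp protocol udp destination-port 464
set applications application custom-cldap protocol udp destination-port 389

## RODC -> RWDC: everything from post 1's DMZ-to-Trust list, with the static
## replication/Netlogon ports standing in for the tcp 49152-65535 range.
set applications application-set rodc-to-rwdc application junos-dns-tcp
set applications application-set rodc-to-rwdc application junos-dns-udp
set applications application-set rodc-to-rwdc application junos-ldap
set applications application-set rodc-to-rwdc application junos-ms-rpc-epm
set applications application-set rodc-to-rwdc application junos-ntp
set applications application-set rodc-to-rwdc application custom-gc-ldap
set applications application-set rodc-to-rwdc application custom-smb-445
set applications application-set rodc-to-rwdc application custom-kerberos
set applications application-set rodc-to-rwdc application custom-kpasswd-tcp
set applications application-set rodc-to-rwdc application custom-kpasswd-udp
set applications application-set rodc-to-rwdc application custom-cldap
set applications application-set rodc-to-rwdc application custom-dfsr
set applications application-set rodc-to-rwdc application custom-ntds-static
set applications application-set rodc-to-rwdc application custom-netlogon-static

## RWDC -> RODC: post 1's Trust-to-DMZ list (LDAP, RPC endpoint mapper, FRS).
set applications application-set rwdc-to-rodc application junos-ldap
set applications application-set rwdc-to-rodc application junos-ms-rpc-epm
set applications application-set rwdc-to-rodc application custom-frs

## DMZ -> Trust: only the RODC may reach the writable DC, only on these ports.
set security policies from-zone dmz to-zone trust policy rodc-to-rwdc match source-address rodc-1
set security policies from-zone dmz to-zone trust policy rodc-to-rwdc match destination-address rwdc-1
set security policies from-zone dmz to-zone trust policy rodc-to-rwdc match application rodc-to-rwdc
set security policies from-zone dmz to-zone trust policy rodc-to-rwdc then permit
set security policies from-zone dmz to-zone trust policy rodc-to-rwdc then log session-close

## Explicit final deny with logging so a missed port shows up in syslog rather
## than only as a replication failure or tombstone expiration weeks later.
set security policies from-zone dmz to-zone trust policy deny-dmz-to-trust match source-address any
set security policies from-zone dmz to-zone trust policy deny-dmz-to-trust match destination-address any
set security policies from-zone dmz to-zone trust policy deny-dmz-to-trust match application any
set security policies from-zone dmz to-zone trust policy deny-dmz-to-trust then deny
set security policies from-zone dmz to-zone trust policy deny-dmz-to-trust then log session-init

## Trust -> DMZ: scoped to the RWDC/RODC pair instead of "wide open".
set security policies from-zone trust to-zone dmz policy rwdc-to-rodc match source-address rwdc-1
set security policies from-zone trust to-zone dmz policy rwdc-to-rodc match destination-address rodc-1
set security policies from-zone trust to-zone dmz policy rwdc-to-rodc match application rwdc-to-rodc
set security policies from-zone trust to-zone dmz policy rwdc-to-rodc then permit
set security policies from-zone trust to-zone dmz policy rwdc-to-rodc then log session-close

## ALGs the original poster disabled; with fixed ports there is no need for the
## MSRPC ALG to open dynamic pinholes, and the DNS ALG adds nothing here.
set security alg msrpc disable
set security alg dns disable
```

After committing, `show security policies from-zone dmz to-zone trust` confirms the policy order (the permit must precede the deny), and `show security flow session destination-port 53249` shows whether replication is actually using the pinned port; a DC that was not reconfigured per KB 224196 will instead show up as logged denies on random high ports, which is the symptom post 3 warns about.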


  • 5.  RE: RODC in DMZ policies for communication between DMZ and Trust

    Posted 09-06-2011 19:51

    great ...