L3 Firewall rules for Active Directory

Solved
DarezHardware
Conversationalist

L3 Firewall rules for Active Directory

Has anyone successfully setup any kind of firewall rules to lock down active directory. I've tried the ports on a few articles and I think I may have it but now I'm getting an RPC error when trying to add a computer. Does anyone have any insight on this I can't seem to get this to work correctly? 

 

The ports I currently have open are - 53,88,389,3268,445,123,135

1 Accepted Solution
DarezHardware
Conversationalist

Ended up doing a packet capture thank you for that, found it really really wants the RPC ports open, you can apparently tighten these up to a range of 1000 but I don't have time for now to do that on all our servers. You need the ranges I mentioned above on both UDP and TCP + the range of 49152-65535

 

So the ports required in order for the default configuration of Active directory to work are - TCP & UDP 53,88,389,3268,445,123,135, & 49152-65535

View solution in original post

2 Replies 2
Brash
Kind of a big deal
Kind of a big deal

Quick check of the Microsoft doco shows you've covered most of the ports.
Can you run a packet capture (on whichever Meraki device is most applicable in your network) to see which other ports the PC is attempting to communicate to the DC?

DarezHardware
Conversationalist

Ended up doing a packet capture thank you for that, found it really really wants the RPC ports open, you can apparently tighten these up to a range of 1000 but I don't have time for now to do that on all our servers. You need the ranges I mentioned above on both UDP and TCP + the range of 49152-65535

 

So the ports required in order for the default configuration of Active directory to work are - TCP & UDP 53,88,389,3268,445,123,135, & 49152-65535

Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.
Labels