Discussion:
ADAM replication over firewall
c***@gmail.com
2006-06-16 06:12:10 UTC
I'm trying to get a handle on how to get ADAM replication to work over
firewalls. It seems that it uses RPC which is notoriously nasty w/r/t
firewall issues. The best I've found by searching this group is a
reference to a doc about AD replication over firewalls [1]. Basically
the approach is to use IPSec, but then it goes on to say:

"it is not currently recommended that you use IPSec to secure
communication between domain members (either clients or servers) and
their domain controllers". I'm assuming this would apply to
client-to-client communication as well, which is what ADAM replication
entails.

Has anyone had any practical experience deploying ADAM on machines with
Windows Firewall enabled? Is there a better way to go about this
without opening port 135 and ports 1024-65535?


[1]
http://www.microsoft.com/downloads/details.aspx?FamilyID=c2ef3846-43f0-4caf-9767-a9166368434e&DisplayLang=encovers
Jorge Silva
2006-06-16 13:42:26 UTC
Hi

Yes, check it:
Active Directory Replication over Firewalls
http://www.microsoft.com/technet/prodtechnol/windows2000serv/technologies/activedirectory/deploy/confeat/adrepfir.mspx
--
I hope that the information above helps you

Good Luck
Jorge Silva
MCSA
Systems Administrator
Joe Richards [MVP]
2006-06-16 14:39:24 UTC
The best is to NOT replicate over firewalls. Usually there is a reason
for the firewall, you are looking for separation. Especially if this is
an extranet/DMZ situation. In those cases you should be sending a subset
of the data over to a separate instance of ADAM in the unsafe area with
a metadirectory syncing tool like IIFP, MIIS, LDSU, or even ADAMSYNCH.
Then you have broken it all down to a single port (LDAP).

Now if this is one of the silly places that sticks firewalls up all over
the internal network, you have a different issue entirely and the only
way to really lock that down is to start hard coding RPC ports which is
a royal pain and can be cause for a multitude of issues.

--
Joe Richards Microsoft MVP Windows Server Directory Services
Author of O'Reilly Active Directory Third Edition
www.joeware.net


---O'Reilly Active Directory Third Edition now available---

http://www.joeware.net/win/ad3e.htm
c***@gmail.com
2006-06-16 14:51:20 UTC
Yes, they are activating Windows firewall on all their internal PCs.

I'll refrain from calling them silly in case they frequent this group
:)

I think we've found a workaround, but we are still testing it so anyone
who uses it should do so at their own risk:

If you open TCP/UDP 135 (RPC locator) and allow an application
exemption for c:\windows\ADAM\dsamain.exe, it seems to work. Again
this is what we found after a few cursory tests. If I can remember to
do so I'll post back with our final findings.

Mike
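Mike's workaround (open TCP/UDP 135 for the endpoint mapper and add a program exemption for dsamain.exe instead of opening 1024-65535) written out as an added example; it is not code from the thread. It assumes a current Windows with the NetSecurity cmdlets rather than the 2006-era netsh syntax, the binary path Mike gives, and constructed partner addresses; scoping the rules to the replication partners is an added tightening, not something the thread states.

```powershell
# Added example, not from the thread. Assumes New-NetFirewallRule is available
# (Windows 8 / Server 2012 or later) and that ADAM lives at the path Mike cites.
$AdamBinary = 'C:\Windows\ADAM\dsamain.exe'
$Partners   = @('10.0.0.11', '10.0.0.12')   # constructed: the other ADAM replicas

function Add-AdamReplicationRules {
    param([string]$Program, [string[]]$RemoteAddress)

    # RPC endpoint mapper, TCP and UDP 135, as in the workaround in the thread.
    foreach ($proto in 'TCP', 'UDP') {
        New-NetFirewallRule -DisplayName "ADAM RPC endpoint mapper ($proto)" `
            -Direction Inbound -Action Allow -Profile Domain `
            -Protocol $proto -LocalPort 135 -RemoteAddress $RemoteAddress | Out-Null
    }

    # Program exemption: the dynamic RPC port is allowed only for dsamain.exe,
    # so the whole 1024-65535 range does not have to be opened.
    New-NetFirewallRule -DisplayName 'ADAM dsamain.exe (dynamic RPC)' `
        -Direction Inbound -Action Allow -Profile Domain `
        -Program $Program -RemoteAddress $RemoteAddress | Out-Null
}

function Test-AdamReplicationRules {
    param([string]$Partner)

    # Check that the three rules exist and are enabled, then that the partner
    # answers on the endpoint mapper port (the first hop replication needs).
    $rules = Get-NetFirewallRule -DisplayName 'ADAM*' -ErrorAction SilentlyContinue
    $rulesOk = @($rules | Where-Object { $_.Enabled -eq 'True' }).Count -ge 3
    $epmOk   = Test-NetConnection -ComputerName $Partner -Port 135 -InformationLevel Quiet

    [pscustomobject]@{
        RulesPresent            = $rulesOk
        EndpointMapperReachable = $epmOk
    }
}

Add-AdamReplicationRules -Program $AdamBinary -RemoteAddress $Partners
Test-AdamReplicationRules -Partner $Partners[0]
```

Run it elevated on each replica; a replica that shows RulesPresent but not EndpointMapperReachable points at a firewall between the hosts rather than at the local rules.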