A Simple question :
We have to install wingate 6 behind a firewall.
So what are the tcp port that should be opened so that wingate may be able to synchronise the active directory users.
thanks by advance.
wingate active directory and firewall
Moderator: Qbik Staff
10 posts
• Page 1 of 1
wingate active directory and firewall
by vgaudin » Jun 29 04 10:44 pm
- vgaudin
- Posts: 20
- Joined: Jun 29 04 10:37 pm
by genie » Jun 30 04 1:13 am
That's what Microsoft says about firewall holes requiredx to replicate AD:
RPC endpoint mapper 135/tcp, 135/udp
Network basic input/output system (NetBIOS) name service 137/tcp, 137/udp
NetBIOS datagram service 138/udp
NetBIOS session service 139/tcp
Server message block (SMB) over IP (Microsoft-DS) 445/tcp, 445/udp
Lightweight Directory Access Protocol (LDAP) 389/tcp
LDAP over SSL 636/tcp
Global catalog LDAP 3268/tcp
Global catalog LDAP over SSL 3269/tcp
Kerberos 88/tcp, 88/udp
Domain Name Service (DNS) 53/tcp1, 53/udp
Windows Internet Naming Service (WINS) resolution (if required) 1512/tcp, 1512/udp
WINS replication (if required) 42/tcp, 42/udp
However, for plain AD request model you might be well off with only these ports being punched through:
135,137 (TCP and UDP) , 139, 445 (TCP)
RPC endpoint mapper 135/tcp, 135/udp
Network basic input/output system (NetBIOS) name service 137/tcp, 137/udp
NetBIOS datagram service 138/udp
NetBIOS session service 139/tcp
Server message block (SMB) over IP (Microsoft-DS) 445/tcp, 445/udp
Lightweight Directory Access Protocol (LDAP) 389/tcp
LDAP over SSL 636/tcp
Global catalog LDAP 3268/tcp
Global catalog LDAP over SSL 3269/tcp
Kerberos 88/tcp, 88/udp
Domain Name Service (DNS) 53/tcp1, 53/udp
Windows Internet Naming Service (WINS) resolution (if required) 1512/tcp, 1512/udp
WINS replication (if required) 42/tcp, 42/udp
However, for plain AD request model you might be well off with only these ports being punched through:
135,137 (TCP and UDP) , 139, 445 (TCP)
- genie
- Qbik Staff
- Posts: 1788
- Joined: Sep 30 03 10:29 am
tcp/udp port
by vgaudin » Jun 30 04 4:10 am
Ok it's works with :
135 tcp/udp
137 tcp/udp
139 tcp
445 tcp
I'am able to synchronise the AD users from Ad server to wingate.
But what about the authentication process done with the browsers ?
how it's works ?
actually IE ask me for an login/password and it's not the nt authentication ?
135 tcp/udp
137 tcp/udp
139 tcp
445 tcp
I'am able to synchronise the AD users from Ad server to wingate.
But what about the authentication process done with the browsers ?
how it's works ?
actually IE ask me for an login/password and it's not the nt authentication ?
- vgaudin
- Posts: 20
- Joined: Jun 29 04 10:37 pm
by genie » Jul 01 04 12:22 am
If you set up you IE to use proxy server (WG) then WG proxy will request for authentication - and the actual authentication process depends on how WG is tuned up - it either uses its own user database or the NT one (don't forget to synchronize databases).
- genie
- Qbik Staff
- Posts: 1788
- Joined: Sep 30 03 10:29 am
by adrien » Jul 01 04 12:36 am
To get WinGate to use NTLM authentication in the HTTP proxy, you need to
1. make the policies for HTTP proxy require that the user be authenticated (rather than assumed).
2. Enable the NTLM authentication option on the general tab of the WWW proxy
3. Use the remote NT user database in WinGate
4. Run the WinGate service in a domain account that has Admin rights on the remote Active directory server.
Adrien
1. make the policies for HTTP proxy require that the user be authenticated (rather than assumed).
2. Enable the NTLM authentication option on the general tab of the WWW proxy
3. Use the remote NT user database in WinGate
4. Run the WinGate service in a domain account that has Admin rights on the remote Active directory server.
Adrien
- adrien
- Qbik Staff
- Posts: 5448
- Joined: Sep 03 03 2:54 pm
- Location: Auckland
not in a domain
by vgaudin » Jul 01 04 9:41 pm
and if my wingate server is not in the domain ?
The wingate server is in an DMZ and is standalone server (not in a domain)
is it possible ?
The wingate server is in an DMZ and is standalone server (not in a domain)
is it possible ?
- vgaudin
- Posts: 20
- Joined: Jun 29 04 10:37 pm
not in the AD
by vgaudin » Jul 02 04 11:25 pm
Could you give me more information.
my proxy is not in the domain (standalone server named SRV-PROXY)
the AD server is behind firewall ( domain : DOMML)
The users synchronisation is correclty done.
locally the NTLM is working.
- So why wingate ask me for a user/password when I try from an machine in the domml domain ?
- why when I give login "vgaudin" there is a second ask with :
SERVEUR-PROXY\vgaudin
but my user is in the domml domain
You said me : run wingate service in a domain account that has admin rights on the remote AD
but how could I do this because my proxy is not in the domain DOMML !?
thanks by advance.
vincent
my proxy is not in the domain (standalone server named SRV-PROXY)
the AD server is behind firewall ( domain : DOMML)
The users synchronisation is correclty done.
locally the NTLM is working.
- So why wingate ask me for a user/password when I try from an machine in the domml domain ?
- why when I give login "vgaudin" there is a second ask with :
SERVEUR-PROXY\vgaudin
but my user is in the domml domain
You said me : run wingate service in a domain account that has admin rights on the remote AD
but how could I do this because my proxy is not in the domain DOMML !?
thanks by advance.
vincent
- vgaudin
- Posts: 20
- Joined: Jun 29 04 10:37 pm
10 posts
• Page 1 of 1
Who is online
Users browsing this forum: No registered users and 11 guests