What LDAP Ports thru DMZ

Discussion in 'ASP .Net Security' started by Chris Davoli, Sep 11, 2006.

  1. Chris Davoli

    Chris Davoli Guest

    I am going to use LDAP to look up userids on an active directory server. The
    LDAP server is on the outside in the DMZ. The Active Directory server is on
    the inside, so holes need to be poked into the firewall. My question is, what
    ports need to be poked into the firewall so I can read active directory?
    --
    Chris Davoli
     
    Chris Davoli, Sep 11, 2006
    #1

  2. Joe Kaplan

    Joe Kaplan Guest

    At a minimum you need port 389 to query the domain and 3268 to query the
    global catalog. If you will use SSL/LDAP, you need 636 and 3269
    respectively.

    Depending on the type of authentication you will do to AD, you may also need
    Kerberos (port 88 TCP and UDP) and may need RPC (135 at a minimum).

    When you say the LDAP server will be in the DMZ, are you setting up some
    kind of LDAP proxy server or are you saying that the LDAP client application
    (like a web server) will be in the DMZ? Generally you wouldn't need a
    different LDAP server to talk to AD, although I suppose you could do that.

    There is also another way to communicate with AD using the DSML server. It
    allows you to make HTTP/SOAP calls to a web server that is essentially an
    LDAP proxy. In that case, your firewall issues are just standard HTTP
    things (80/443) if you put the DSML server behind the firewall. There is a
    fairly straightforward way to program this if you are using .NET 2.0 and the
    System.DirectoryServices.Protocols namespace.

    Joe K.

    --
    Joe Kaplan-MS MVP Directory Services Programming
    Co-author of "The .NET Developer's Guide to Directory Services Programming"
    http://www.directoryprogramming.net
    --
    "Chris Davoli" <> wrote in message
    news:...
    > I am going to use LDAP to look up userids on an active directory server.
    > The LDAP server is on the outside in the DMZ. The Active Directory server
    > is on the inside, so holes need to be poked into the firewall. My question
    > is, what ports need to be poked into the firewall so I can read active
    > directory?
    > --
    > Chris Davoli
    >
     
    Joe Kaplan, Sep 11, 2006
    #2
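The answer above lists the ports a firewall between a DMZ host and the domain controller has to pass. A practical follow-up is to verify from the DMZ host that exactly those ports are open before the application goes live. The script below is an added example, not code from the thread or from either poster: it builds the port list from the choices Joe describes (LDAP 389 or LDAPS 636, global catalog 3268 or 3269, Kerberos 88 TCP/UDP, RPC endpoint mapper 135) and then probes each TCP port with a plain connect. The host name `dc.example.internal` is a placeholder; UDP 88 is reported as unverified because a connect cannot prove a UDP rule.

```python
"""Check from a DMZ host which Active Directory ports the firewall lets through.

Added example. The port numbers follow the thread; the domain controller
name is a placeholder you replace with your own.
"""
import socket
from typing import Dict, List, Optional, Tuple

Port = Tuple[int, str]  # (port number, "tcp" | "udp")


def required_ports(use_ssl: bool, query_gc: bool, kerberos: bool, rpc: bool) -> List[Port]:
    """Return the firewall holes needed for the chosen AD access pattern.

    389/636  domain LDAP (plain / SSL)
    3268/3269 global catalog (plain / SSL)
    88       Kerberos, TCP and UDP, only if you authenticate with Kerberos
    135      RPC endpoint mapper, only if you use RPC-based interfaces
    """
    ports: List[Port] = [(636 if use_ssl else 389, "tcp")]
    if query_gc:
        ports.append((3269 if use_ssl else 3268, "tcp"))
    if kerberos:
        ports.extend([(88, "tcp"), (88, "udp")])
    if rpc:
        ports.append((135, "tcp"))
    return ports


def tcp_reachable(host: str, port: int, timeout: float = 2.0) -> bool:
    """True if a TCP connection to host:port completes within the timeout.

    A refused or timed-out connect both mean the firewall (or the server)
    is not letting this port through from where the script runs.
    """
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def probe(host: str, ports: List[Port], timeout: float = 2.0) -> Dict[Port, Optional[bool]]:
    """Probe every TCP port; UDP entries are returned as None (not verifiable by connect)."""
    results: Dict[Port, Optional[bool]] = {}
    for port, proto in ports:
        if proto == "tcp":
            results[(port, proto)] = tcp_reachable(host, port, timeout)
        else:
            results[(port, proto)] = None
    return results


if __name__ == "__main__":
    DC = "dc.example.internal"  # placeholder: your domain controller's name
    # Example: LDAPS + GC over SSL with Kerberos auth, no RPC.
    for (port, proto), ok in probe(DC, required_ports(True, True, True, False)).items():
        state = "unverified (udp)" if ok is None else ("open" if ok else "BLOCKED")
        print(f"{port}/{proto}: {state}")
```

Run it on the DMZ web server itself, not from an admin workstation, since the firewall rules that matter are the ones between that host and the domain controller. Any TCP port reported as BLOCKED is a rule that still has to be added (or a port you can drop from the request if the application does not need it).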
