Firewalls with UWWI
Firewalls on domain controllers, member servers and workstations need to be configured
correctly for the trust, and ultimately the domains themselves, to function.
Your Domain Controllers
At a minimum, the following ports:
tcp 53, 88, 135, 389, 445, 636, *
udp 53, 88, 135, 389, 445, *
need to be granted access to:
172.22.11.0/26
172.22.14.0/24
172.22.15.0/24
for network traffic between your domain controllers and the UWWI domain controllers.
* Additionally, a range of dynamic RPC ports (allocated through the RPC endpoint mapper
on port 135) needs access if you want to be able to do trust validation. By default, this
is a large set of ports, but you can limit it to a much smaller set. See the Microsoft
whitepaper below (appendix E) for more on that.
Your Workstations and Servers
If you have firewalls on your member servers or workstations, then the ports:
tcp 53, 88, 135, 137, 139, 389, 445, 636, 3268, 3269
udp 53, 88, 123, 135, 137, 138, 389, 445
need to be granted access to:
172.22.11.0/26
172.22.14.0/24
172.22.15.0/24
This will ensure authentication and normal Windows operations work correctly with
UWWI and your domain.
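The port and network lists above, expressed as Windows Firewall rules. This is an added example, not configuration supplied by the UWWI service. It assumes Windows Server 2012 / Windows 8 or later (the NetSecurity module), an elevated session, and the Domain profile; the function name Add-UwwiFirewallRules, the role names, and the RPC dynamic range 49152-65535 (the Windows default, which the page says you can narrow) are assumptions.

```powershell
# Added example, not from the UWWI page. Creates outbound Windows Firewall rules that
# allow the listed ports toward the UWWI domain controller networks.
# Assumptions: NetSecurity module (Server 2012 / Windows 8 or later), elevated session.

$UwwiNetworks = @('172.22.11.0/26', '172.22.14.0/24', '172.22.15.0/24')

# Port lists copied from the page. The RPC dynamic range is an assumption: 49152-65535
# is the Windows default; narrow it to whatever range your DCs are configured to use.
$RoleRules = @{
    DomainController = @{
        TCP = @('53', '88', '135', '389', '445', '636', '49152-65535')
        UDP = @('53', '88', '135', '389', '445')
    }
    MemberHost = @{
        TCP = @('53', '88', '135', '137', '139', '389', '445', '636', '3268', '3269')
        UDP = @('53', '88', '123', '135', '137', '138', '389', '445')
    }
}

function Add-UwwiFirewallRules {
    param(
        [Parameter(Mandatory)][ValidateSet('DomainController', 'MemberHost')]
        [string] $Role,
        # The page describes access from your hosts to the UWWI networks (outbound).
        # Pass -Direction Inbound to mirror the rules if your trust needs it (assumption).
        [ValidateSet('Outbound', 'Inbound')]
        [string] $Direction = 'Outbound'
    )
    foreach ($proto in 'TCP', 'UDP') {
        $ports = $RoleRules[$Role][$proto]
        $name  = "UWWI trust - $Role - $proto $Direction"
        # Remove any previous copy so re-running does not leave duplicate rules behind.
        Get-NetFirewallRule -DisplayName $name -ErrorAction SilentlyContinue |
            Remove-NetFirewallRule
        # RemoteAddress scopes the rule to the UWWI networks only, so the hosts are not
        # opened to these ports from arbitrary addresses.
        New-NetFirewallRule -DisplayName $name -Direction $Direction -Action Allow `
            -Protocol $proto -RemotePort $ports -RemoteAddress $UwwiNetworks `
            -Profile Domain | Out-Null
        Write-Verbose "Created rule '$name' for ports $($ports -join ', ')"
    }
}

# Usage: pick the role that matches the host the script runs on.
Add-UwwiFirewallRules -Role DomainController
# Add-UwwiFirewallRules -Role MemberHost
```

Scoping the rules with -RemoteAddress to the three UWWI networks keeps the change limited to the trust traffic the page requires; a later change to those networks (see Future Changes) then only means updating $UwwiNetworks and re-running the function.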
Troubleshooting Problems
You will need to verify, and be able to demonstrate, that your firewall settings permit the
traffic noted above. Once that is shown, UW Technology engineers will look into any issues
related to the UW Windows Infrastructure service. If it appears that the firewall is causing
the issues, we will ask that it be disabled to test functionality.
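One way to collect the evidence asked for above: probe the TCP ports from the domain controller list against a UWWI domain controller and record which ones connect. This is an added example, not a procedure from the UWWI service; the host name placeholder, the function name Test-UwwiPorts, and the choice to probe only TCP (Test-NetConnection cannot test UDP services) are assumptions.

```powershell
# Added example, not from the UWWI page. Probes the page's TCP ports against a UWWI
# domain controller so you can show which ones your firewall lets through.
# Assumption: replace the placeholder below with a real UWWI domain controller name
# or address. UDP ports (and the RPC dynamic range) are not probed here.

$UwwiDc   = 'UWWI-DC-PLACEHOLDER.example'   # placeholder, not a real host
$TcpPorts = @(53, 88, 135, 389, 445, 636)    # page's DC list, fixed TCP ports only

function Test-UwwiPorts {
    param(
        [Parameter(Mandatory)][string] $Target,
        [Parameter(Mandatory)][int[]]  $Ports
    )
    foreach ($port in $Ports) {
        $r = Test-NetConnection -ComputerName $Target -Port $port `
                                -WarningAction SilentlyContinue
        [pscustomobject]@{
            Target    = $Target
            Port      = $port
            # True when a TCP handshake completed through any firewall in the path.
            Reachable = $r.TcpTestSucceeded
            # A resolved address with Reachable = False points at a block (or the
            # service not listening); no address at all points at DNS first.
            Resolved  = [bool]$r.RemoteAddress
        }
    }
}

$results = Test-UwwiPorts -Target $UwwiDc -Ports $TcpPorts
$results | Format-Table -AutoSize

# Keep the table as evidence; anything with Reachable = False is what to chase in the
# firewall before reporting a trust problem.
$blocked = $results | Where-Object { -not $_.Reachable } | Select-Object -ExpandProperty Port
if ($blocked) { Write-Warning "TCP ports not reachable on ${UwwiDc}: $($blocked -join ', ')" }
```

Once every port in the table connects, the trust itself can be checked with the tools the domain already provides (for example nltest /sc_verify:<UWWI domain name>, with the domain name substituted); a trust that still fails after the TCP ports pass is the point at which to look at UDP and the RPC dynamic range.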
Future Changes
Should the networks that the UWWI domain controllers are on change in the future,
an announcement will be made to all trust requestors in advance.
Related Documents
http://www.washington.edu/computing/support/windows/UWdomains/domainsAndFirewalls.html
http://www.washington.edu/computing/support/windows/UWdomains/p172.html
http://download.microsoft.com/download/c/a/3/ca3647b8-9948-4f92-8637-fcb8fdfa3de0/ADSegment_IPSec_W2K.doc