Wednesday, May 12, 2010

Setting up One Way Trust for SharePoint installations

We just installed our SharePoint servers in the perimeter network (DMZ). Since our domain controllers are in the corporate network we had to configure a separate domain in the DMZ and setup one way trust between the 2 domains (DMZ domain trusts the internal domain). We had to struggle a bit becuase of the firewall rules that needed to be created and changes that need to be made to the domain controllers.

Firewall Ports to be opened

Microsoft-DS traffic: tcp-445, udp-445
LDAP: tcp-389 (or tcp636 if using SSL)
LDAP Ping: udp-389
Kerberos authentication protocol: tcp-88, udp-88
DNS: tcp-53, udp-53
Net Logon Service: tcp-135, udp-135
Dynamic RPC ports: 5000-5100

Note that these ports need to be opened not only for the DCs in DMZ to communicate with the internal DCs but also any server that needs to authenticate against the internal DCs which in our case were the SharePoint web front ends.

Limit the Dynamic RPC ports to 5000-5050

Net Logon service uses RPC endpoint mappers (tcp and udp 135) for initial handshake and use high ports for subsequent communucation. Since it is not secure to open all the high ports we need to limit the range of dynamic RPC ports(5000-5100 in our case). To limit the range set the following registry key:


Note that this limiting of dynamic ports mainly needs to be done on all the DCs in the internal network. We went ahead and did this on the DMZ DCs as well.

No comments: