Firewall rules required by Password Manager

What firewall rules need to be created to allow connections to NetWrix Password Manager deployed in a DMZ?
The tables below list all necessary properties for the firewall rules on each host involved:

On DMZ

| Type     | Local ports | Remote ports | Remote machine   | Protocol | Application | Action |
|----------|-------------|--------------|------------------|----------|-------------|--------|
| Inbound  | 80, 443     | Any          | Any              | TCP      | Any         | Allow  |
| Inbound  | 135         | RPC range*   | Backend          | TCP      | Any         | Allow  |
| Outbound | RPC range   | 135-139      | Backend, all DCs | TCP, UDP | Any         | Allow  |
| Outbound | RPC range   | 88, 389, 464 | All DCs          | TCP, UDP | Any         | Allow  |
| Outbound | RPC range   | DCOM range   | Backend          | TCP      | Any         | Allow  |
| Outbound | RPC range   | 53           | DNS              | UDP      | Any         | Allow  |

On Backend

| Type     | Local ports | Remote ports | Remote machine | Protocol | Application | Action |
|----------|-------------|--------------|----------------|----------|-------------|--------|
| Inbound  | DCOM range  | RPC range    | DMZ            | TCP      | Any         | Allow  |
| Inbound  | 135-139     | RPC range    | DMZ            | TCP, UDP | Any         | Allow  |
| Outbound | RPC range   | 135-139      | DMZ, all DCs   | TCP, UDP | Any         | Allow  |
| Outbound | RPC range   | 88, 389, 464 | All DCs        | TCP, UDP | Any         | Allow  |
| Outbound | RPC range   | 53           | DNS            | UDP      | Any         | Allow  |
| Outbound | RPC range   | RPC range    | All DCs        | TCP      | Lsass.exe** | Allow  |
| Outbound | RPC range   | 25           | Mail server    | TCP      | Any         | Allow  |

On DCs:

| Type     | Local ports  | Remote ports | Remote machine | Protocol | Application | Action |
|----------|--------------|--------------|----------------|----------|-------------|--------|
| Inbound  | 88, 389, 464 | RPC range    | DMZ, Backend   | TCP, UDP | Any         | Allow  |
| Inbound  | 135-139      | RPC range    | Backend        | TCP, UDP | Any         | Allow  |
| Inbound  | RPC dynamic  | RPC range    | Backend        | TCP      | Lsass.exe** | Allow  |

On DNS server:

| Type     | Local ports | Remote ports | Remote machine | Protocol | Application | Action |
|----------|-------------|--------------|----------------|----------|-------------|--------|
| Inbound  | 53          | Any          | Any            | UDP      | Any         | Allow  |

On Mail server:

| Type     | Local ports | Remote ports | Remote machine | Protocol | Application | Action |
|----------|-------------|--------------|----------------|----------|-------------|--------|
| Inbound  | 25          | Any          | Any            | TCP      | Any         | Allow  |

* RPC range is 1024-65535 (Windows NT/XP/2003) or 49152-65535 (Windows Vista/2008/7/2008 R2).
RPC dynamic port allocation can be reconfigured. Refer to the following Microsoft Knowledge Base article: http://support.microsoft.com/kb/154596

** Lsass.exe is %systemroot%\System32\lsass.exe
 
Note: All Inbound and Outbound connections on all servers are blocked if they do not match the rules.
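The following script is an added example, not part of the Netwrix article, showing how the "On DMZ" table above can be applied with the Windows Firewall cmdlets (available on Windows 8/Server 2012 and later, so it does not cover the NT/XP/2003 range mentioned in the footnote). The backend, DC and DNS addresses, the rule-name prefix and the DCOM port range are placeholders that must be replaced with the values for your environment; the page does not state them.

```powershell
# Added example: Windows Firewall rules for the DMZ host of Netwrix Password Manager.
# All addresses below are constructed placeholders, not values from the article.
$Backend   = '10.0.1.10'                 # placeholder: Password Manager backend server
$DCs       = @('10.0.0.5', '10.0.0.6')   # placeholder: all domain controllers
$Dns       = '10.0.0.5'                  # placeholder: DNS server
$RpcRange  = '49152-65535'               # RPC range for Vista/2008 and later (footnote *)
$DcomRange = '<DCOM-range>'              # placeholder: DCOM range configured on the backend
$Prefix    = 'NPM DMZ'                   # hypothetical rule-name prefix, used for lookup below

if ($DcomRange -like '<*') {
    throw 'Set $DcomRange to the DCOM port range configured on the backend before running.'
}

# Default-deny on every profile so that only the explicit rules below match (see Note above).
Set-NetFirewallProfile -All -DefaultInboundAction Block -DefaultOutboundAction Block

# Inbound 80,443 from anywhere (web front end of the DMZ host)
New-NetFirewallRule -DisplayName "$Prefix - Inbound HTTP/HTTPS" -Direction Inbound `
    -Protocol TCP -LocalPort 80,443 -RemoteAddress Any -Action Allow

# Inbound 135 (RPC endpoint mapper), only from the backend's RPC range
New-NetFirewallRule -DisplayName "$Prefix - Inbound 135 from Backend" -Direction Inbound `
    -Protocol TCP -LocalPort 135 -RemotePort $RpcRange -RemoteAddress $Backend -Action Allow

# Outbound rows that the table lists for both TCP and UDP
foreach ($proto in 'TCP', 'UDP') {
    # Outbound 135-139 to the backend and all DCs
    New-NetFirewallRule -DisplayName "$Prefix - Outbound 135-139 $proto" -Direction Outbound `
        -Protocol $proto -LocalPort $RpcRange -RemotePort 135-139 `
        -RemoteAddress (@($Backend) + $DCs) -Action Allow
    # Outbound 88 (Kerberos), 389 (LDAP), 464 (kpasswd) to all DCs
    New-NetFirewallRule -DisplayName "$Prefix - Outbound 88,389,464 $proto" -Direction Outbound `
        -Protocol $proto -LocalPort $RpcRange -RemotePort 88,389,464 `
        -RemoteAddress $DCs -Action Allow
}

# Outbound DCOM range to the backend (TCP only)
New-NetFirewallRule -DisplayName "$Prefix - Outbound DCOM to Backend" -Direction Outbound `
    -Protocol TCP -LocalPort $RpcRange -RemotePort $DcomRange -RemoteAddress $Backend -Action Allow

# Outbound DNS (UDP 53) to the DNS server only
New-NetFirewallRule -DisplayName "$Prefix - Outbound DNS" -Direction Outbound `
    -Protocol UDP -LocalPort $RpcRange -RemotePort 53 -RemoteAddress $Dns -Action Allow

# Check: list the rules just created with their direction and action
Get-NetFirewallRule -DisplayName "$Prefix*" | Format-Table DisplayName, Direction, Enabled, Action
```

Run it from an elevated PowerShell session on the DMZ host. The backend, DC, DNS and mail-server tables follow the same pattern; the two Lsass.exe rows additionally take `-Program "$env:SystemRoot\System32\lsass.exe"` so that the allow applies to that process only, as footnote ** requires. Because the profile default is set to Block in both directions, anything not covered by a rule (including management traffic you may still need) will be dropped, so verify console access before enabling the script on a remote host.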