Remote Management DMZ domain Server

  • 280 Views
  • Last Post 10 November 2016
kitaab posted this 22 September 2016

We have a Windows 2012 R2 server in the DMZ that has been joined to the domain. The DMZ is not Internet-facing; it is for access-related stuff to isolated segments on our network.

I have been able to join these servers to our domain (internal network) using these ports:

https://technet.microsoft.com/en-us/library/dd772723(v=WS.10).aspx

I am not sure, though, how I can manage them remotely.

We have a jump host from which we allowed 3389 to these servers, but that only gives us the ability to RDP.

 

But what if I need to open Computer Management remotely, or run gpresult, etc.?

Any idea what ports and protocols I need to open from the jump host to the servers in the DMZ for management purposes?

kitaab posted this 10 November 2016

I allowed port TCP/135 and I was able to manage the machine remotely.

ken posted this 28 September 2016

I would look at implementing an alternative remote access technology that tunnels everything over a single port rather than opening up the numerous ports required for remote management. Alternatively, have a separate management network that allows you to use out-of-band management (iLO/DRAC/etc.) to get to the machines in the DMZ.



 

Otherwise your FW will end up like Swiss cheese, and you run the risk of some kind of exploit being able to infect your management station, rendering your DMZ partially obsolete.

 


bshwjt posted this 28 September 2016

From a security perspective that is OK if all the DMZ DCs are communicating properly. For remote management you can enable HTTPS WinRM with enterprise PKI. You can also use 3rd-party certificates, but that is cost effective.
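The WinRM-over-HTTPS setup bshwjt suggests, written out as an added example (this is not code from the thread or from any of its participants). It runs on the DMZ server, picks a Server Authentication certificate issued by the internal enterprise CA for the host's FQDN, binds a WinRM HTTPS listener (TCP/5986) to it, disables the plaintext transport so a client cannot fall back to HTTP/5985, and scopes the host firewall rule to the jump host only. The FQDN `dmz-app01.corp.example` and the jump host address `10.10.50.10` are placeholders; the client-side lines at the end are what you would run from the jump host afterwards.

```powershell
# Added example: WinRM HTTPS listener backed by an enterprise-CA certificate.
# Run elevated on the DMZ server. Host name and jump host IP are assumptions.
$Fqdn     = 'dmz-app01.corp.example'   # assumption: must match the certificate subject/SAN
$JumpHost = '10.10.50.10'              # assumption: the only host allowed to reach 5986

# 1. Select a machine certificate with a private key, not expired, carrying the
#    Server Authentication EKU (1.3.6.1.5.5.7.3.1) and a SAN entry for this host.
$cert = Get-ChildItem -Path Cert:\LocalMachine\My |
    Where-Object {
        $_.HasPrivateKey -and
        $_.NotAfter -gt (Get-Date) -and
        $_.EnhancedKeyUsageList.ObjectId -contains '1.3.6.1.5.5.7.3.1' -and
        $_.DnsNameList.Unicode -contains $Fqdn
    } |
    Sort-Object NotAfter -Descending | Select-Object -First 1

if (-not $cert) {
    throw "No valid Server Authentication certificate for $Fqdn in LocalMachine\My; enrol one from the enterprise CA first"
}

# 2. Create the HTTPS listener bound to that certificate.
New-WSManInstance -ResourceURI 'winrm/config/Listener' `
    -SelectorSet @{ Address = '*'; Transport = 'HTTPS' } `
    -ValueSet    @{ Hostname = $Fqdn; CertificateThumbprint = $cert.Thumbprint }

# 3. Refuse unencrypted sessions and Basic auth, and drop any HTTP listener so
#    nothing can talk to this host over TCP/5985 in the clear.
Set-Item -Path WSMan:\localhost\Service\AllowUnencrypted -Value $false
Set-Item -Path WSMan:\localhost\Service\Auth\Basic        -Value $false
Get-ChildItem -Path WSMan:\localhost\Listener |
    Where-Object { $_.Keys -contains 'Transport=HTTP' } |
    ForEach-Object { Remove-Item -Path "WSMan:\localhost\Listener\$($_.Name)" -Recurse }

# 4. Host firewall: allow 5986 inbound from the jump host only (the network
#    firewall between the segments needs the same single rule).
New-NetFirewallRule -DisplayName 'WinRM HTTPS from jump host only' `
    -Direction Inbound -Protocol TCP -LocalPort 5986 `
    -RemoteAddress $JumpHost -Action Allow

# 5. Show what is listening now; only an HTTPS entry should remain.
Get-ChildItem -Path WSMan:\localhost\Listener

# --- From the jump host afterwards: one TCP port, certificate validated against
# --- the enterprise CA chain, and the same tools the thread asks about.
# $s = New-PSSession -ComputerName 'dmz-app01.corp.example' -UseSSL
# Invoke-Command -Session $s -ScriptBlock { gpresult /r }
# Invoke-Command -Session $s -ScriptBlock { Get-Service | Where-Object Status -ne 'Running' }
# Invoke-Command -Session $s -ScriptBlock { Get-EventLog -LogName System -Newest 20 }
# Remove-PSSession $s
```

The `-UseSSL` connection fails if the certificate chain does not validate or the name does not match, which is the behaviour you want from the jump host; do not paper over it with `-SessionOption (New-PSSessionOption -SkipCACheck -SkipCNCheck)`, since that removes the only thing distinguishing this from an unauthenticated TLS tunnel.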



VolkerE posted this 28 September 2016

Hi,

I have never counted the systems.

We have several customers where a DC is behind a firewall.

 

And for sure, Ken. We have a management station we use for the remote management, and this station is classified as a DC from a firewall perspective.

 

BR,

Volker

 


kitaab posted this 28 September 2016

It is simpler. I just wanted to have a backup mechanism if RDP fails because of space/access etc. issues.



ken posted this 28 September 2016

How many systems do you have in the DMZ? Might it be simpler to just RDP to the server and run the tools you mention (Computer Management etc.) locally, if you don't have too many systems?

 


kitaab posted this 28 September 2016

Thanks.
How do you manage these systems remotely? Can all systems RDP to the DMZ, or do you have dedicated stations for that? What ports have you opened from that management station, if you use one?



VolkerE posted this 28 September 2016

Hi,

 

The ports are:

135/tcp+udp      RPC endpoint mapper
137/tcp+udp      NetBIOS (non-essential)
138/udp          NetBIOS (non-essential)
139/tcp          NetBIOS (non-essential)
445/tcp+udp      SMB
88/tcp+udp       Kerberos

And for AD management:

389/tcp+udp      LDAP
3268/tcp         LDAP for Global Catalog
53/tcp+udp       DNS
123/udp          NTP

And now the best thing:

1024-65535       RPC dynamic port assignment
                 -> depending on the Windows version you use this could also be (Windows Server 2008 and above): 49152-65535

 

There are some concepts for how to implement a domain controller behind a firewall.

Some prefer an IPsec tunnel and some RPC port reduction.

Personally I prefer the RPC port reduction to a number of 1000 to 2000 ports in a small to medium environment.

 

Why?

Well, I can analyse the traffic in case of problems and I can use a next-gen firewall to have a look at the traffic.

IPsec is a tunnel. Be happy if only the traffic you want is going through. :)

 

By the way, I actually don't know what Microsoft prefers and supports. I would be happy if someone could give an answer here.

 

Best regards,

Volker
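Volker's list gives the port numbers; what a practitioner then wants is to apply the RPC port reduction he mentions and to verify the path end to end, because TCP/135 on its own is only the endpoint mapper: Computer Management, services.msc and a remote gpresult first ask 135 which port to use and then open a second connection to that dynamic port, so a firewall that passes 135 but not the dynamic range fails on the second step. The PowerShell below is an added example, not code from the thread or from Volker. Part A, run elevated on the DMZ server, pins the RPC dynamic endpoint range with the Microsoft-documented `HKLM\SOFTWARE\Microsoft\Rpc\Internet` values (KB 154596) and scopes the predefined Windows Firewall groups that Computer Management needs to the jump host. Part B, run on the jump host, probes the fixed ports and then performs a WMI call over DCOM, which exercises 135 plus one dynamic port exactly as compmgmt.msc does. The range 50000-50999, the FQDN and the jump host address are assumptions.

```powershell
# Added example (not from the thread). Part A: run elevated on the DMZ server.
# Narrow the RPC dynamic endpoint range so the network firewall rule from the
# jump host is "135 + 50000-50999" instead of 49152-65535. Reboot afterwards.
$RpcStart = 50000                      # assumption: sized for a small/medium environment
$RpcCount = 1000
$RpcEnd   = $RpcStart + $RpcCount - 1  # 50999
$JumpHost = '10.10.50.10'              # assumption: management/jump host address

$key = 'HKLM:\SOFTWARE\Microsoft\Rpc\Internet'
if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
# 'Ports' is REG_MULTI_SZ; each entry is a single port or a "start-end" range.
New-ItemProperty -Path $key -Name 'Ports'             -PropertyType MultiString -Value ([string[]]"$RpcStart-$RpcEnd") -Force | Out-Null
New-ItemProperty -Path $key -Name 'PortsInternalOnly' -PropertyType String      -Value 'N' -Force | Out-Null
New-ItemProperty -Path $key -Name 'UseInternetPorts'  -PropertyType String      -Value 'Y' -Force | Out-Null

# Host firewall: enable only the predefined groups compmgmt.msc relies on and
# restrict them to the jump host instead of the default 'Any' remote address.
foreach ($group in 'Remote Service Management',
                   'Remote Event Log Management',
                   'Windows Management Instrumentation (WMI)') {
    Set-NetFirewallRule -DisplayGroup $group -Enabled True -RemoteAddress $JumpHost
}

# Part B: run on the jump host (Test-NetConnection needs Windows 8.1 / 2012 R2+).
# Fixed ports are probed directly; the dynamic range is exercised by a real
# DCOM call, since an idle dynamic port answers with a reset either way.
function Test-DmzManagementPath {
    param([Parameter(Mandatory)] [string] $ComputerName)

    $fixed = [ordered]@{
        'RDP (positive control)' = 3389
        'RPC endpoint mapper'    = 135
        'SMB (named pipes)'      = 445
        'WinRM HTTPS'            = 5986
    }
    foreach ($entry in $fixed.GetEnumerator()) {
        $r = Test-NetConnection -ComputerName $ComputerName -Port $entry.Value -WarningAction SilentlyContinue
        [pscustomobject]@{ Check = $entry.Key; Port = $entry.Value; Open = $r.TcpTestSucceeded; Detail = '' }
    }

    # End-to-end: WMI over DCOM = TCP/135, then the dynamic port the mapper
    # hands back. 135 open but this failing means the dynamic range is blocked.
    try {
        $os = Get-WmiObject -Class Win32_OperatingSystem -ComputerName $ComputerName -ErrorAction Stop
        [pscustomobject]@{ Check = 'DCOM/WMI (135 + dynamic port)'; Port = 'n/a'; Open = $true;  Detail = $os.Caption }
    } catch {
        [pscustomobject]@{ Check = 'DCOM/WMI (135 + dynamic port)'; Port = 'n/a'; Open = $false; Detail = $_.Exception.Message }
    }
}

Test-DmzManagementPath -ComputerName 'dmz-app01.corp.example' | Format-Table -AutoSize   # assumption: target FQDN
```

The `Rpc\Internet` values only govern the ports RPC servers register with the endpoint mapper; they do not change the OS ephemeral range used for outbound connections, so the server's own outbound traffic is unaffected. On the network firewall the rule from the jump host then reads TCP/135 plus TCP/50000-50999 (and 445 if you want the event log and share views in Computer Management, which go over SMB named pipes), which is the "1000 to 2000 ports" shape Volker describes rather than the whole upper range.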

 

 

Volker Eckert, Senior Solution Architect Workplace, Atos Information Technology GmbH

 

 

 


kitaab posted this 27 September 2016

Ports needed to access Computer Management, the registry and services remotely.



VolkerE posted this 27 September 2016

Yes, done several times.

That's no magic.

But what is your question? :)

 


kitaab posted this 27 September 2016

Anyone who may have done this?
