FTP Server in DMZ, need to open ports for it to authenticate to AD, but which ones?

fribse
New User
Posts: 3
Joined: Fri Jun 16, 2017 6:12 am

FTP Server in DMZ, need to open ports for it to authenticate to AD, but which ones?

Post by fribse » Fri Jun 16, 2017 8:16 am

I've gone through a POC for the Cerberus, and I've found solutions for everything so far.
I now need to place the real deal in DMZ, and open the proper ports for authenticating towards AD.
But how? The AD server is not 'known' in DMZ, and which ports do I open?
I can of course change everything to LDAP authentication, but I would rather use the already constructed rules and groups towards some AD authentication, and I don't want to place a RO replica in the DMZ.

fribse
New User
Posts: 3
Joined: Fri Jun 16, 2017 6:12 am

Re: FTP Server in DMZ, need to open ports for it to authenticate to AD, but which ones?

Post by fribse » Fri Jun 16, 2017 8:57 am

I looked at the communication with Wireshark, and to me it looks like it uses:
389, LDAP
636, LDAPs
445, SMB
88, KRB5

is that it?

pacman
Senior User
Posts: 187
Joined: Thu Apr 28, 2016 1:54 pm

Re: FTP Server in DMZ, need to open ports for it to authenticate to AD, but which ones?

Post by pacman » Mon Jun 19, 2017 3:07 pm

It's not usually a question of ports. The machine Cerberus is running on has to be a member of the domain, and the account running the Cerberus FTP Server Windows Service has to have permissions to query domain users.

If you need to authenticate AD users in a DMZ you should use LDAP authentication. LDAP runs on port 389.

fribse
New User
Posts: 3
Joined: Fri Jun 16, 2017 6:12 am

Re: FTP Server in DMZ, need to open ports for it to authenticate to AD, but which ones?

Post by fribse » Tue Jun 20, 2017 7:29 am

Hi, yes, I found out after I moved the server :-) So I've changed the user authentication to LDAP.
I think I'm going to change it to LDAPs (636), if I can make that work.
