Ivory

Dynamic ports block for AD Server

Hi,

Guys, I need some help from you. One of our customers has AD servers across an IPSec VPN tunnel. From the AD server, the 49152-65535 dynamic ports are not open. Both tunnel source and destination have all ports allowed, but there are no logs showing those ports being blocked. Is there any specific configuration I should do to allow that traffic?

4 Replies
Admin

It should work out of the box with ANY-ANY-Accept on the VPN rule. Do you see any suspicious drops?

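Checking for the "suspicious drops" the reply asks about can be done offline against a log export. The script below is an added example, not from the thread or from any vendor tool: it scans constructed key=value log lines (the field names `action=` and `dport=` are assumptions; adjust them to your log export) and reports drops whose destination port falls in the Windows dynamic RPC range 49152-65535 named in the question.

```shell
#!/bin/sh
# Added example: find firewall drops that hit the dynamic RPC port range.
# Log format below is constructed for the example; real exports differ.

RPC_LOW=49152
RPC_HIGH=65535

# Constructed sample log lines (not real logs).
SAMPLE_LOGS='time=10:00:01 action=accept src=10.1.1.10 dst=10.2.2.20 proto=tcp dport=135
time=10:00:02 action=drop src=10.1.1.10 dst=10.2.2.20 proto=tcp dport=49670
time=10:00:03 action=accept src=10.1.1.10 dst=10.2.2.20 proto=tcp dport=389
time=10:00:04 action=drop src=10.1.1.10 dst=10.2.2.20 proto=tcp dport=443
time=10:00:05 action=drop src=10.2.2.20 dst=10.1.1.10 proto=tcp dport=55123'

# Read log lines on stdin, print only drops whose dport is in the RPC range.
rpc_drops() {
    awk -v low="$RPC_LOW" -v high="$RPC_HIGH" '
        {
            action = ""; dport = 0
            for (i = 1; i <= NF; i++) {
                split($i, kv, "=")
                if (kv[1] == "action") action = kv[2]
                if (kv[1] == "dport")  dport = kv[2] + 0
            }
            if (action == "drop" && dport >= low && dport <= high) print
        }'
}

# Count the matching drops in the sample (a real run would pipe a log file in).
count_rpc_drops() {
    printf '%s\n' "$SAMPLE_LOGS" | rpc_drops | wc -l | tr -d ' '
}

# Usage: ./rpc_drops.sh < exported.log   (or rely on the embedded sample)
if [ ! -t 0 ] && [ -n "$RPC_DROPS_FROM_STDIN" ]; then
    rpc_drops
else
    echo "RPC-range drops in sample: $(count_rpc_drops)"
fi
```

A non-zero count points at a rule or service definition that does not cover the high ports; a zero count with the symptom still present is what makes the MTU angle later in the thread worth checking.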
Platinum

For the dynamic communication via Microsoft protocols you can use the "ALL_DCE_RPC" service. With this service you allow the dynamically used high ports without defining them explicitly.

Follow the configuration of the rules with the service all_dce_rpc.

Regards,

Wolfgang

Admin

Right, @Wolfgang, that would be my second question. Without that, however, one should see some "telling" drops.


What connection do you have between the two VPN peers? It might be an MTU-related issue.

Lowering the ext. IF MTU or enabling MSS clamping for VPN might help in such cases.

You may test by using ping with bigger packet sizes and setting the DF bit.

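The "ping with bigger packets and DF set" test above can be automated. The script below is an added example, not from the thread: it binary-searches for the largest ICMP payload that crosses the path with DF set and converts it to a path MTU. It assumes Linux iputils `ping` (`-M do` sets DF, `-s` sets the payload); the peer address is a placeholder you supply, and the `probe_fn` parameter exists so the search logic can be exercised without a network.

```shell
#!/bin/sh
# Added example: locate the path MTU toward a VPN peer with DF pings.

# ICMP payload size -> IPv4 packet size it requires (20 B IP + 8 B ICMP header).
payload_to_mtu() {
    echo $(( $1 + 28 ))
}

# Send one DF-set ping with the given payload; exit status 0 means it fit.
probe() {
    ping -c 1 -W 1 -M do -s "$1" "$2" >/dev/null 2>&1
}

# Binary search for the largest payload between lo and hi that gets through.
# $4 optionally names an alternative probe function (used by the test harness).
find_max_payload() {
    host=$1; lo=$2; hi=$3; probe_fn=${4:-probe}
    best=0
    while [ "$lo" -le "$hi" ]; do
        mid=$(( (lo + hi) / 2 ))
        if "$probe_fn" "$mid" "$host"; then
            best=$mid; lo=$(( mid + 1 ))
        else
            hi=$(( mid - 1 ))
        fi
    done
    echo "$best"
}

# Usage: ./pmtu.sh <peer-ip>   (<peer-ip> is a placeholder for the remote peer)
# 1472 is the payload that fills a 1500-byte Ethernet MTU, the usual upper bound.
if [ -n "$1" ]; then
    max=$(find_max_payload "$1" 0 1472)
    echo "largest DF payload: $max bytes -> path MTU $(payload_to_mtu "$max")"
fi
```

If the result comes out well below 1500 on the path that carries the tunnel, that is the MTU problem the reply describes; lowering the external interface MTU or clamping MSS for the VPN to the discovered value (minus the IP and TCP headers) is the corresponding fix.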