samtech4u
Explorer

Dynamic ports block for AD Server

Hi,

Guys, I need some help from you. One of our customers has AD servers on either side of an IPSec VPN tunnel. From the AD server, the dynamic ports 49152-65535 are not open. Both the tunnel source and destination have all ports allowed, but there are no logs showing that those ports are being blocked. Is there any specific configuration that should be done to allow that traffic?

4 Replies
_Val_
Admin

It should work out of the box with ANY-ANY-Accept on the VPN rule. Do you see any suspicious drops?

Wolfgang
Leader

For the dynamic communication via Microsoft protocols you can use the "ALL_DCE_RPC" service. With this service you allow the dynamically used high ports without defining them explicitly.

Following is the configuration of rules with the service all_dce_rpc.

regards

Wolfgang

_Val_
Admin

Right, @Wolfgang, that would be my second question. Without that, however, one should see some "telling" drops.

Norbert_Bohusch
Advisor

What connection do you have between the two VPN peers? It might be an MTU-related issue.

Lowering the external interface MTU or enabling MSS clamping for the VPN might help in such cases.

You may test by using ping with bigger packet sizes and setting the DF bit.

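The DF-bit ping test suggested above, written out as a small script. This is an added example, not code from the thread or from Check Point: it binary-searches the largest ICMP payload that still gets a reply with "don't fragment" set, which is the quickest way to tell whether the tunnel path is silently eating full-size packets (the classic cause of RPC sessions on the dynamic ports setting up and then hanging). It assumes Linux iputils ping (`-M do` sets DF); the host `10.0.0.1` in the comments is a placeholder. The search function takes the probe as a parameter so the logic can be exercised without a network.

```shell
#!/usr/bin/env bash
# Added example (not from the thread): find the largest ICMP payload that
# crosses the VPN path with the DF bit set, to estimate the path MTU.
# Assumes Linux iputils ping. Equivalents: macOS `ping -D -s SIZE HOST`,
# Windows `ping -f -l SIZE HOST`.
set -u

# probe_ping SIZE HOST -> exit 0 if one DF ping with SIZE payload bytes is answered.
probe_ping() {
    local size="$1" host="$2"
    ping -c 1 -W 2 -M do -s "$size" "$host" >/dev/null 2>&1
}

# find_max_payload PROBE HOST LO HI
# Binary search in [LO, HI] for the largest payload for which PROBE succeeds.
# PROBE is the name of a function taking (size host). Prints the size,
# or returns 1 if even LO fails (ICMP blocked, or MTU lower than expected).
find_max_payload() {
    local probe="$1" host="$2" lo="$3" hi="$4" best=-1 mid
    while [ "$lo" -le "$hi" ]; do
        mid=$(( (lo + hi) / 2 ))
        if "$probe" "$mid" "$host"; then
            best=$mid
            lo=$(( mid + 1 ))
        else
            hi=$(( mid - 1 ))
        fi
    done
    [ "$best" -ge 0 ] || return 1
    echo "$best"
}

# payload_to_mtu PAYLOAD -> MTU implied by an ICMP payload:
# payload + 8 bytes ICMP header + 20 bytes IPv4 header.
payload_to_mtu() {
    echo $(( $1 + 28 ))
}

# Usage: ./mtu_probe.sh <peer-or-ad-server-ip>   (placeholder: 10.0.0.1)
# 1472 is the largest payload that fits a 1500-byte Ethernet MTU unfragmented,
# so a result noticeably below it means the tunnel path needs a smaller MTU
# or MSS clamping on the VPN.
if [ -n "${1:-}" ]; then
    if max=$(find_max_payload probe_ping "$1" 1200 1472); then
        echo "largest DF payload: $max bytes -> path MTU about $(payload_to_mtu "$max")"
    else
        echo "even a 1200-byte DF payload failed: check whether ICMP is allowed and the tunnel MTU"
    fi
fi
```

Run it from one AD server against the other (or against the remote VPN peer). If the reported MTU is below 1500, clamping the TCP MSS on the VPN or lowering the external interface MTU, as suggested in the reply, is the fix to try; if nothing at all is answered, check that ICMP is permitted before reading anything into the result.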