Putting a domain-joined Windows system behind a firewall can be challenging. I have successfully managed to put my Web Application Proxy (WAP) servers in a DMZ network where inbound and outbound ACLs have been specified. More details in another post.
The challenge I had was configuring the domain controllers to use fixed RPC ports, so that I only need to allow a small subset of TCP/UDP ports through the firewall.
The script below will need to be run on each domain controller that can be reached by the servers in the DMZ. I have run the script on a Windows Server 2012 R2 server.
Set TCP ports 55000 – 55303 for NTDS, Netlogon, NtFrs and RPC

# Set NTDS RPC port to a static setting
New-ItemProperty "HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters" -Name "TCP/IP Port" -Value 55000 -PropertyType "DWord"

# Set Netlogon RPC port to a static setting (the value name is DCTcpipPort)
New-ItemProperty "HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters" -Name "DCTcpipPort" -Value 55001 -PropertyType "DWord"

# Set NtFrs RPC port to a static setting
New-ItemProperty "HKLM:\SYSTEM\CurrentControlSet\Services\NtFrs\Parameters" -Name "RPC TCP/IP Port Assignment" -Value 55002 -PropertyType "DWord"

# Restrict the RPC dynamic port range to a static range (the Internet key does not exist by default)
New-Item "HKLM:\SOFTWARE\Microsoft\Rpc\Internet"
New-ItemProperty "HKLM:\SOFTWARE\Microsoft\Rpc\Internet" -Name "Ports" -Value '55003-55303' -PropertyType MultiString -Force
New-ItemProperty "HKLM:\SOFTWARE\Microsoft\Rpc\Internet" -Name "PortsInternetAvailable" -Value Y -PropertyType "String"
New-ItemProperty "HKLM:\SOFTWARE\Microsoft\Rpc\Internet" -Name "UseInternetPorts" -Value Y -PropertyType "String"

# The settings take effect after the domain controller is rebooted
After the domain controllers had been rebooted, I ran gpupdate on my DMZ server to make sure the AD services were reachable. I performed another reboot and domain logon to make sure no ports were blocked.
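As an added verification step (example code written for this post, not the author's own script), the following can be run on a rebooted domain controller to read back the registry values set above and to list the TCP ports that the NTDS/Netlogon (lsass.exe) and NtFrs host processes are actually listening on, flagging any listener that is still in the default dynamic range. It assumes the port numbers used in the script (55000, 55001, 55002 and 55003-55303).

```powershell
# Added verification script; assumes the static ports configured in the post above.
$rangeLow = 55000; $rangeHigh = 55303

# 1. Read back each registry value and compare it with what the script sets.
$expected = @(
    @{ Key = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters';     Name = 'TCP/IP Port';                Want = 55000 }
    @{ Key = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'; Name = 'DCTcpipPort';                Want = 55001 }
    @{ Key = 'HKLM:\SYSTEM\CurrentControlSet\Services\NtFrs\Parameters';    Name = 'RPC TCP/IP Port Assignment'; Want = 55002 }
    @{ Key = 'HKLM:\SOFTWARE\Microsoft\Rpc\Internet';                       Name = 'Ports';                      Want = '55003-55303' }
    @{ Key = 'HKLM:\SOFTWARE\Microsoft\Rpc\Internet';                       Name = 'PortsInternetAvailable';     Want = 'Y' }
    @{ Key = 'HKLM:\SOFTWARE\Microsoft\Rpc\Internet';                       Name = 'UseInternetPorts';           Want = 'Y' }
)
foreach ($e in $expected) {
    $item   = Get-ItemProperty -Path $e.Key -Name $e.Name -ErrorAction SilentlyContinue
    # 'Ports' is a MultiString, so join it before comparing; everything else is a scalar
    $actual = if ($item) { $item.($e.Name) -join ',' } else { '<missing>' }
    $state  = if ($actual -eq "$($e.Want)") { 'OK  ' } else { 'FAIL' }
    "$state  $($e.Key)\$($e.Name) = $actual (expected $($e.Want))"
}

# 2. List TCP listeners owned by the processes hosting NTDS, Netlogon and NtFrs,
#    so the firewall rule set can be compared with what the DC really exposes.
$hostPids = @{}
foreach ($svc in 'NTDS', 'Netlogon', 'NtFrs') {
    $cim = Get-CimInstance Win32_Service -Filter "Name='$svc'"
    if ($cim -and $cim.ProcessId) { $hostPids[[int]$cim.ProcessId] = $svc }
}
Get-NetTCPConnection -State Listen |
    Where-Object { $hostPids.ContainsKey([int]$_.OwningProcess) } |
    Select-Object LocalAddress, LocalPort, OwningProcess -Unique |
    Sort-Object LocalPort |
    ForEach-Object {
        $p = $_.LocalPort
        $note = if ($p -ge $rangeLow -and $p -le $rangeHigh) { 'in static range' }
                # 49152-65535 is the default dynamic range; a listener there means the RPC setting did not apply
                elseif ($p -ge 49152) { 'DYNAMIC PORT STILL IN USE - check the Rpc\Internet settings' }
                else { 'outside static range - allow separately if the DMZ needs it' }
        "{0,6}  {1,-15} pid {2,-6} {3}" -f $p, $_.LocalAddress, $_.OwningProcess, $note
    }
```

Any line marked FAIL or DYNAMIC PORT STILL IN USE means the reboot did not pick up the intended setting, and the DMZ firewall rules should not be narrowed until it is fixed.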