-
タイトル
Which network ports do the QAS Unix/Linux/MacOSX clients use? -
説明
Which network ports do the QAS Unix/Linux/MacOSX clients use?
What ports need to be opened in a DMZ or when using a firewall?
-
対策
Since QAS uses Active Directory for authentication and identity lookups, the networking infrastructure must allow the UNIX host to communicate with Active Directory. When designing firewalls and other network infrastructure, ensure that the following ports are open:
vasd - ports to domain controllers
REQUIRED- 88 - TCP/ UDP (Kerberos traffic)
- 389 - TCP (Kerberized LDAP - queries)
- 389 - UDP (Kerberized LDAP - ping)
- 464 - TCP (Kerberos - password changes)
- 3268 - TCP (Global Catalog LDAP)
OPTIONAL
- 53 - TCP/UDP (DNS - used to receive DNS SRV records not required if joining to specific Domain Controllers)
- 123 - UDP (NTP - used to synchronize time between Active Directory and QAS clients)
Unless specific Domain Controllers are specified during the join, QAS will also need to communicate to the Forest root servers using the following ports:-
- 88 / 389 / 3268
vgptool - ports to domain controllers
- 445 - TCP (CIFS)
NOTE: All these ports are OUTGOING from QAS Clients -> Active Directory. The ports used for communication are allocated by the OS using from the ephemeral port range. No ports incoming ports are opened on the client side.
-
追加情報
More information on the ports used53: If Unix hosts should use DNS to automatically detect the available Domain Controllers, then the ports for using DNS must be open as well. The port used for DNS traffic is usually port 53. The DNS servers used by the Unix hosts must also have the Active Directory DNS SRV records available as well. Both UDP and TCP are used.
88: This is the port used for doing Kerberos authentication and requesting Kerberos service tickets against Active Directory Domain Controllers. TCP is now used by default.
123: Used for NTP for time-synchronization with Active Directory.
389: This the port used for LDAP searches against Active Directory Domain Controllers. TCP is normally used, but UDP is used when detecting the Active Directory site membership.
445: Used to receive Group Policy over CIFS uses TCP.
464: This is the port used for changing and setting passwords against Active Directory using the Kerberos change password protocol. QAS always uses TCP for password operations.
3268: This is the port used for LDAP searches against Active Directory Global Catalogs. TCP is always used when searching against the Global Catalog.