I'm setting up a frontend/backend and trying to limit the number of ports
needed between the front and back. The frontend will be placed in a DMZ,
the backend on the internal LAN. I'm considering using IPsec, which, according
to the MSFT document, requires opening 50, 51, 500 (AH, ESP, IKE) and 88
(Kerberos) between the front and back.
I installed Network Monitor (the version included with the OS, not the SMS
version), and all traffic from the front to the back is over ESP. I did notice
that the frontend also trades pings with a domain controller (a different
system than the backend). I believe this is the DSA ping referred to in the
MSFT document, which can be disabled in the registry. I did not notice any
other traffic going from the frontend to the domain controller (although I
have only tested for a handful of hours so far).
I was wondering what ports are needed for the frontend to communicate with a
domain controller (DNS, Kerberos, LDAP?). At the very least, the system
will need to communicate with a DC for its domain membership.
Also, has anyone implemented this type of solution, and if so, what are your
thoughts on it?
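One way to answer the "what does the frontend actually talk to" question from the captures mentioned above is to audit every observed DMZ-to-LAN flow against an explicit allowlist and report whatever falls outside it. The script below is an added example, not code from the original post or from any Microsoft document. The flow-record format, the host addresses and roles, and the sample capture are constructed for illustration; the backend allowlist uses the AH/ESP/IKE/Kerberos set named in the post (note that AH and ESP are IP protocols 51 and 50, not TCP/UDP ports, so they are matched on protocol alone), while the DC allowlist is an assumption covering only the three services the post asks about, so anything else a DC needs shows up as unexpected and can be decided on case by case.

```python
"""Audit observed DMZ -> LAN flows against an explicit allowlist.

Added example, not from the original post. The flow-record format, the
addresses and the sample capture below are all constructed for illustration.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Role of each LAN host the frontend is expected to reach (assumed addresses).
HOST_ROLES = {
    "10.1.0.10": "backend",
    "10.1.0.20": "dc",
}

# Allowlist per role as (proto, dport). AH (IP protocol 51) and ESP (IP
# protocol 50) carry no port, so they match on protocol only; IKE is UDP/500
# and Kerberos is 88 over TCP and UDP. The "dc" entry is an assumption that
# lists only what the post names (DNS, Kerberos, LDAP); everything else a DC
# requires is deliberately left out so that it is reported as unexpected.
ALLOWED = {
    "backend": {("esp", None), ("ah", None), ("udp", 500), ("udp", 88), ("tcp", 88)},
    "dc": {("udp", 53), ("tcp", 53), ("udp", 88), ("tcp", 88),
           ("udp", 389), ("tcp", 389)},
}


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str            # "esp", "ah", "tcp", "udp", "icmp", ...
    dport: Optional[int]  # None for protocols without ports


def parse_flow(line: str) -> Flow:
    """Parse one constructed record of the form 'src dst proto [dport]'."""
    parts = line.split()
    if len(parts) not in (3, 4):
        raise ValueError(f"malformed flow record: {line!r}")
    src, dst, proto = parts[0], parts[1], parts[2].lower()
    dport = int(parts[3]) if len(parts) == 4 else None
    return Flow(src, dst, proto, dport)


def is_allowed(flow: Flow) -> bool:
    """A flow is allowed only if its destination has a role and the
    (proto, dport) pair is on that role's allowlist."""
    role = HOST_ROLES.get(flow.dst)
    if role is None:
        return False  # unknown LAN destination: never allowed from the DMZ
    return (flow.proto, flow.dport) in ALLOWED[role]


def audit(lines: List[str]) -> Tuple[List[Flow], List[Flow]]:
    """Split records into (allowed, unexpected), deduplicated, order kept."""
    seen = set()
    allowed: List[Flow] = []
    unexpected: List[Flow] = []
    for line in lines:
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        flow = parse_flow(line)
        if flow in seen:
            continue
        seen.add(flow)
        (allowed if is_allowed(flow) else unexpected).append(flow)
    return allowed, unexpected


# Constructed sample capture: frontend 10.0.0.5 in the DMZ. The ICMP echo to
# the DC mirrors the "pings with a domain controller" observation in the post;
# the SMB flow is made up to show a port the allowlist does not cover.
SAMPLE = """
10.0.0.5 10.1.0.10 esp
10.0.0.5 10.1.0.10 udp 500
10.0.0.5 10.1.0.10 esp
10.0.0.5 10.1.0.20 icmp
10.0.0.5 10.1.0.20 udp 53
10.0.0.5 10.1.0.20 tcp 389
10.0.0.5 10.1.0.20 tcp 445
""".strip().splitlines()


if __name__ == "__main__":
    ok, bad = audit(SAMPLE)
    print(f"{len(ok)} allowed flow(s)")
    for f in bad:
        port = "" if f.dport is None else f" {f.dport}"
        print(f"UNEXPECTED: {f.src} -> {f.dst} {f.proto}{port}")
```

Run against a real capture summary (one flow per line in the same constructed format), the unexpected list is the set of firewall decisions still to be made; the deduplication matters because a multi-hour capture repeats the same flows many times, and the explicit `HOST_ROLES` table makes any LAN host the frontend should not be talking to at all stand out immediately.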