Front End In DMZ

[micon55]

Please could anyone help with the following;
Am trying to get connectivity between a FE Server in DMZ and Domain Controller inside firewall. Says no domain controller is available. Works OK if I connect FE Server internally.
I have included our firewall config below and would appreciate if someone who has had success could look at it and tell me if it is wrong.

Where
172.16.4.25 - Domain Controller
172.16.4.49 - Back End Exch Server
212.121.0.235 - Front end Server in DMZ.


PIX Version 5.0(3)

fixup protocol http 80
fixup protocol smtp 25

* * * * * * * * * * * *

static (dmz40,outside) 212.121.0.192 212.121.0.192 netmask 255.255.255.192 0 0
static (inside,outside) 212.121.4.5 172.16.4.30 netmask 255.255.255.255 0 0
static (inside,dmz40) 212.121.0.235 212.121.0.235 netmask 255.255.255.255 0 0

* * * * * * * * * * * *

conduit permit icmp any any

* * * * * * * * * * * *

conduit permit tcp host 172.16.4.25 eq domain host 212.121.0.235
conduit permit udp host 172.16.4.25 eq domain host 212.121.0.235
conduit permit tcp host 172.16.4.25 eq 135 host 212.121.0.235
conduit permit tcp host 172.16.4.25 eq 389 host 212.121.0.235
conduit permit udp host 172.16.4.25 eq 389 host 212.121.0.235
conduit permit tcp host 172.16.4.25 eq 445 host 212.121.0.235
conduit permit tcp host 172.16.4.25 eq 3268 host 212.121.0.235
conduit permit tcp host 172.16.4.25 eq 5000 host 212.121.0.235
conduit permit udp host 172.16.4.25 eq 5000 host 212.121.0.235
conduit permit udp host 172.16.4.25 eq 88 host 212.121.0.235
conduit permit tcp host 172.16.4.25 eq 88 host 212.121.0.235
conduit permit tcp host 172.16.4.49 eq

http://www host

212.121.0.235
conduit permit tcp host 172.16.4.49 eq 143 host 212.121.0.235
conduit permit tcp host 172.16.4.49 eq pop3 host 212.121.0.235
conduit permit tcp host 172.16.4.49 eq smtp host 212.121.0.235
conduit permit tcp host 172.16.4.49 eq 691 host 212.121.0.235
conduit permit tcp host 172.16.4.49 eq 389 host 212.121.0.235
conduit permit udp host 172.16.4.49 eq 389 host 212.121.0.235
conduit permit tcp host 172.16.4.49 eq 3268 host 212.121.0.235
conduit permit tcp host 172.16.4.49 eq domain host 212.121.0.235
conduit permit udp host 172.16.4.49 eq domain host 212.121.0.235
conduit permit tcp host 172.16.4.49 eq 50 host 212.121.0.235
conduit permit tcp host 172.16.4.49 eq 51 host 212.121.0.235
conduit permit tcp host 172.16.4.49 eq 135 host 212.121.0.235
conduit permit tcp host 212.121.0.235 eq smtp any
conduit permit tcp host 212.121.0.235 eq smtp any
conduit permit tcp host 212.121.0.235 eq smtp any

Port 5000 has also been configured on the DC as a TCP/IP registry mapping.

Many Thanks for any help.
Mike

 

[xmsre]

pass icmp also, or turn off the wLDAP ping protocol via the registry.

http://support.microsoft.com/default.aspx?scid=kb;en-us;320529

 

[micon55]

Thanks for the reply. Spent a lonf time trying to get this to work with no joy.
Am now looking for an alternative, probably ISA server as a forwarder.
Thanks again.
Mike

 

[xmsre]

With ISA, it's simple to publish OWA. The only problem I have had with ISA is that you have to edit the filter for SMTP.