TS connect to a License Server from DMZ

Dag

Guest
Hi, what needs to be done for the following scenario:

A web server in DMZ needs to be set up to use a Terminal Licensing server so
more than 3 people can connect at once. It is not a part of the domain and
there is a firewall between the web server and the licensing server.

I've tried to open up for port 135 and port 5000-5100 in the firewall.
I've set up the RPC dynamic ports to be static on both machines
( http://support.microsoft.com/kb/154596 ).
And rebooted both of them.

But it still can't find the licensing server. What have I missed?


Rgds

Dag
 
RE: TS connect to a License Server from DMZ

Hi Dag,

You will not only need 135 and port 5000-5100 for the generic RPC port.
Additionally you will need:

NetBIOS Datagram Service: UDP 138
NetBIOS Name Resolution: UDP 137
NetBIOS Session Service: TCP 139
SMB: TCP 445

according to Microsoft.

Cheers Carsten

 
RE: TS connect to a License Server from DMZ

Great! Thanks a lot!

 
Re: TS connect to a License Server from DMZ

Dag <Dag@discussions.microsoft.com> wrote:
> Great! Thanks a lot!


Doing this essentially destroys your DMZ and turns that barrier into a
screen door. I wouldn't do it. Rethink your network topology instead -
there's got to be a better way to accomplish what you need.

 
Re: TS connect to a License Server from DMZ

Agree with Lanwench - that's why it's not really useful to have a TS in the
DMZ or in a firewalled zone, that's why we didn't implement it.

135-139 are well known "security sensitive" ports
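
The exposure discussed in this thread can be checked mechanically. As an added example (not part of any post above), this Python sketch flags allow rules from a DMZ zone to the internal zone that cover the ports listed in the thread. The rule text format, zone names and addresses are constructed for illustration, and TCP is assumed for 135 and 5000-5100, which the thread does not state.

```python
from dataclasses import dataclass

# Ports named in the thread: (protocol, low, high, label).
# Assumption: TCP for 135 and 5000-5100 (the posts give no protocol for them).
SENSITIVE = [
    ("tcp", 135, 135, "RPC endpoint mapper"),
    ("tcp", 5000, 5100, "static RPC range"),
    ("udp", 137, 137, "NetBIOS Name Resolution"),
    ("udp", 138, 138, "NetBIOS Datagram Service"),
    ("tcp", 139, 139, "NetBIOS Session Service"),
    ("tcp", 445, 445, "SMB"),
]

# Constructed sample ruleset: action proto src_zone dst_zone dst_host ports
SAMPLE_RULES = """
allow tcp internet dmz 10.0.1.10 80      # inbound web, not DMZ -> LAN
allow tcp dmz lan 192.168.1.5 135
allow tcp dmz lan 192.168.1.5 5000-5100
allow udp dmz lan 192.168.1.5 137-138
allow tcp dmz lan any 139-445            # wide range, any internal host
deny  any dmz lan any 1-65535
""".splitlines()

@dataclass
class Rule:
    action: str
    proto: str
    src_zone: str
    dst_zone: str
    dst_host: str
    lo: int
    hi: int

def parse_rule(line):
    action, proto, src, dst, host, ports = line.split()
    lo, _, hi = ports.partition("-")
    return Rule(action, proto, src, dst, host, int(lo), int(hi or lo))

def audit(lines, src_zone="dmz", dst_zone="lan"):
    """Return (label, proto, low, high, scope) for each sensitive port opened."""
    findings = []
    for raw in lines:
        line = raw.split("#")[0].strip()  # drop comments and blank lines
        if not line:
            continue
        r = parse_rule(line)
        if (r.action, r.src_zone, r.dst_zone) != ("allow", src_zone, dst_zone):
            continue
        for proto, lo, hi, label in SENSITIVE:
            # A rule matches when protocols agree and the port ranges overlap.
            if r.proto in (proto, "any") and r.lo <= hi and lo <= r.hi:
                scope = "any host" if r.dst_host == "any" else r.dst_host
                findings.append((label, proto, max(lo, r.lo), min(hi, r.hi), scope))
    return findings
```

Calling `audit(SAMPLE_RULES)` lists every sensitive service the sample ruleset lets the DMZ host reach, including ones exposed only because a wide port range happens to cover them.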
 