See last paragraph for main question...
This article http://support.microsoft.com/kb/179442#method2 lists the ports that need to be open "for domains and trusts", but it's not clear to me which machines need to access which services.
Take, for example, domainA.net on network A with an outgoing one-way external trust to domainB.net on network B, the networks separated by a firewall. Even if I identify which of the mentioned services is running on each domain controller and each resource-hosting machine on network/domain A (the trusting domain), which computers in network/domain B need to access those services?
I can understand that if I have a file share in domain A, I need to create a firewall allowance of inbound to ShareHost.DomainA.net 445/TCP from any computer in network B 1024-65535/TCP. But to access that file share, which computers also need to access a domain controller, and which ports/services on the domain controller? Does my sharing host need to access the domain controllers on DomainB.net in order to set up permissions for users there and service file requests?
Even just talking about domain controllers, I wouldn't think that I should need to allow anything from network B to access port 445/TCP on any domain controller of domain A, right? What about the other services? (Assuming servers could be Windows Server 2003/R2 or Server 2008 R2 and clients could be those server versions or Windows XP or 7.)
W32Time - no
RPC Endpoint Mapper - ?
kerberos password change - no?
RPC for LSA, SAM, Netlogon - just domain controllers on domain B or all computers?
LDAP - just domain controllers on domain B or all computers?
LDAP GC - just domain controllers on domain B or all computers?
DNS - I guess I can just restrict that to other DNS servers and use recursion anyway
FRS RPC - file replication service, that won't be needed by anything
Kerberos - ?
DFSR RPC - no
FRS RPC - no
So, does anyone have any suggestions here? Is that article really going to help me or do I need to know the intimate details of every protocol and interaction in order to configure a firewall? How is this usually done? Just allow anything of port 1024 and up to access anything in both directions and allow anything going to the other ports to the servers hosting those services from anything?
Thanks to anyone who can make this simple.
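Whatever rule set you settle on, the firewall change is easier to reason about once it can be verified from the trusted side rather than assumed. The script below is an added example, not part of the original question or of the Microsoft article it cites: run from a host in network B, it probes the well-known TCP ports of the services the question lists (KB 179442's port assignments) against a domain controller in domain A and reports open, refused or filtered for each. It uses System.Net.Sockets.TcpClient rather than Test-NetConnection so it works on the Windows Server 2003/2008 R2 era PowerShell 2.0. The domain controller name is a placeholder to replace. It checks TCP only: DNS, Kerberos and W32Time also use UDP, and the dynamic RPC range cannot be meaningfully confirmed by probing single ports, since the endpoint mapper on 135 hands out whichever port the service registered.

```powershell
# Added example (not from the original question or KB 179442): probe the
# TCP ports associated with domain/trust traffic from this host to a domain
# controller, so a firewall rule can be verified rather than assumed.
# TCP only; UDP variants (53, 88, 123) and the dynamic RPC range are not
# covered by a simple TCP connect.
param(
    [string]$DomainController = 'dc1.domainA.net',   # placeholder, replace
    [int]$TimeoutMs = 2000
)

# Well-known TCP ports for the services named in the question's list.
$ports = @{
    'DNS'                        = 53
    'Kerberos'                   = 88
    'RPC Endpoint Mapper'        = 135
    'NetBIOS Session'            = 139
    'LDAP'                       = 389
    'SMB (Netlogon, SAM, LSA)'   = 445
    'Kerberos password change'   = 464
    'LDAP over SSL'              = 636
    'LDAP Global Catalog'        = 3268
    'LDAP Global Catalog SSL'    = 3269
}

function Test-TcpPort {
    param([string]$Target, [int]$Port, [int]$Timeout)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        # Asynchronous connect so a silently dropped packet does not hang
        # the whole run; a timeout usually means the firewall filtered it.
        $async = $client.BeginConnect($Target, $Port, $null, $null)
        if (-not $async.AsyncWaitHandle.WaitOne($Timeout, $false)) {
            return 'timeout (filtered or no route)'
        }
        $client.EndConnect($async)   # throws if the host actively refused
        return 'open'
    } catch {
        # Active RST from the host: the path is open but nothing listens,
        # or an intermediate device rejects instead of dropping.
        return 'refused or closed'
    } finally {
        $client.Close()
    }
}

foreach ($entry in ($ports.GetEnumerator() | Sort-Object Value)) {
    $result = Test-TcpPort -Target $DomainController -Port $entry.Value -Timeout $TimeoutMs
    '{0,-28} {1,5}/TCP  {2}' -f $entry.Key, $entry.Value, $result
}
```

Running it once from a member workstation in network B and once from a domain controller in network B gives a direct comparison of what each class of machine can actually reach, which is the distinction the question is asking about. A port that reports "open" from a machine that the design says should not reach it is the kind of over-broad rule worth tightening.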