- How Terminal Server Access Works Across the Internet
- Using a Firewall to Control Access to the Inside
- Domain Logon Through a Firewall
- About This Article
Domain Logon Through a Firewall
In many cases, you will have your Citrix MetaFrame or Terminal Servers on one side of a firewall and the domain controllers that the users need to authenticate with on the other side of the firewall. If this is the case, you will need to open the following ports between your Terminal or Citrix Servers and the domain controllers:
TCP ports 137, 138, 139These are the standard ports used for both authentication and NetBIOS services browsing for a Windows NT 4.0 domain controller and are fully supported for backward compatibility by Windows 2000 domain controllers. If you are using any version of Terminal Server or Citrix MetaFrame and the users of the server need to authenticate with a domain controller, you need to open these ports up both ways between the domain controllers and the servers.
TCP port 88 Kerberos authenticationWindows 2000 offers an alternative and more secure method of authentication called Kerberos. If you have Windows 2000 Terminal Servers and they are authenticating with a Windows 2000 domain controller, they will use Kerberos authentication by default. If you need for users of these Windows 2000 Terminal Servers to authenticate with a Windows 2000 domain across a firewall, you will need to open up this port.
Trusts and Domain Controller to Domain Controller Traffic
Although beyond the scope of what is covered in this article, if you need to open up communication between two domain controllers across a firewall for either trust relationship traffic or Active Directory traffic, refer to the Microsoft technical article Q179442. You can find additional more detailed coverage of Microsoft port usage in the following technical articles: Q150543, Q174904, and Q176466. You can lookup all of these articles by going to http://support.microsoft.com and entering the article "Q" number in the search window.