RE: Kerberos authentication from FE to BE

  • From: "Mulnick, Al" <Al.Mulnick@xxxxxxxxxx>
  • To: "[ExchangeList]" <exchangelist@xxxxxxxxxxxxx>
  • Date: Thu, 18 Nov 2004 16:14:44 -0500

Considering that this server is a member of the domain, yes, you would have
to allow Kerberos communications as well from the FE to the GC/DCs.  DNS,
etc. is also required.  However, the Kerberos authentication for the client,
IIRC, is done from BE to FE server and then proxied to the domain controllers,
so you would have that allowed from FE to BE as well.  It's been a while
since I last looked at this in depth, but you could probably get absolute
clarification faster if you look at the logs on the firewall for what's
being attempted.

Best bet is not to put Exchange or domain members in the DMZ in the first
place.  Better to just leave them internal and use ISA or something similar
to project them into the DMZ. Any layer-7 firewall device that understands
the communications and can terminate SSL should be fine. Much simpler, more
reliable because of the simplicity and works well in many environments.


-----Original Message-----
From: ravi [mailto:rrb@xxxxxxxxxxx] 
Sent: Thursday, November 18, 2004 3:39 PM
To: [ExchangeList]
Subject: [exchangelist] RE: Kerberos authentication from FE to BE

I have opened all the necessary ports like 389, 3268 to DC/GC and 25, 80 to
BE. Everything is working well but I see this warning on my FE.
My concern: is opening port 88 to DC enough? Or do we have to open 88 to BE
also for Kerberos authentication to work?

thanks for your help.
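
Added example, not part of the original thread: one way to follow the advice above and read the firewall log for what the FE is actually attempting, by tallying denied flows from the FE per destination role, protocol and port. The IP addresses, the key=value log format and the sample lines are all constructed assumptions and say nothing about what a real Exchange FE sends; adapt the regex to your firewall's format.

```python
import re
from collections import Counter

# Constructed addresses (assumptions, not from the thread).
FE = "192.0.2.10"
ROLES = {"10.0.0.5": "DC/GC", "10.0.0.20": "BE"}

# Constructed sample log in a generic key=value format.
SAMPLE_LOG = """\
2004-11-18T15:01:02 action=deny proto=udp src=192.0.2.10 dst=10.0.0.5 dport=88
2004-11-18T15:01:02 action=allow proto=tcp src=192.0.2.10 dst=10.0.0.5 dport=389
2004-11-18T15:01:03 action=deny proto=udp src=192.0.2.10 dst=10.0.0.5 dport=88
2004-11-18T15:01:04 action=deny proto=tcp src=192.0.2.10 dst=10.0.0.5 dport=88
2004-11-18T15:01:05 action=allow proto=tcp src=192.0.2.10 dst=10.0.0.20 dport=80
2004-11-18T15:01:06 action=deny proto=tcp src=198.51.100.7 dst=10.0.0.20 dport=445
2004-11-18T15:01:07 action=allow proto=tcp src=192.0.2.10 dst=10.0.0.5 dport=3268
this line is malformed and must be skipped
"""

LINE = re.compile(
    r"action=(?P<action>\w+) proto=(?P<proto>\w+) "
    r"src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+)"
)

def denied_from_fe(log_text, fe=FE, roles=ROLES):
    """Count denied flows sourced from the FE, keyed by (role, proto, port)."""
    hits = Counter()
    for line in log_text.splitlines():
        m = LINE.search(line)
        if not m or m["action"] != "deny" or m["src"] != fe:
            continue  # skip malformed lines, allowed flows, other sources
        # Destinations not in the role map are kept, labelled by address.
        role = roles.get(m["dst"], "other:" + m["dst"])
        hits[(role, m["proto"], int(m["dport"]))] += 1
    return hits

def report(hits):
    """One line per blocked (role, proto, port), most frequent first."""
    rows = sorted(hits.items(), key=lambda kv: (-kv[1], kv[0]))
    return [f"{role} {proto}/{port} denied x{n}"
            for (role, proto, port), n in rows]

if __name__ == "__main__":
    print("\n".join(report(denied_from_fe(SAMPLE_LOG))))
```

Kerberos uses port 88 over both UDP and TCP, which is why the tally keeps the protocol separate from the port number.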
