authentication LDAP IN DMZ

Hi all, I have a new UTM SG310.

I have one FTP and web server installed in IIS in the DMZ,

and I have an Active Directory server, 2012 R2.

I want domain member users to be able to connect to the FTP server with LDAP authentication, both internally and externally. What solution or rule should be created?

This is the first time we are using a Sophos product; our old appliance was Cyberoam.

Please help me. Thank you.

  • Unless you want to be really tight with your rules, I would allow all traffic to flow FROM your DC to your host on the DMZ.

    Now coming back the other way, this would be where you tighten the rules and only allow that host to contact the DC on certain ports (see below) for authentication etc.

    • UDP Port 88 for Kerberos authentication
    • UDP and TCP Port 135 for domain controllers-to-domain controller and client to domain controller operations.
    • TCP Port 139 and UDP 138 for File Replication Service between domain controllers.
    • UDP Port 389 for LDAP to handle normal queries from client computers to the domain controllers.
    • TCP and UDP Port 445 for File Replication Service
    • TCP and UDP Port 464 for Kerberos Password Change
    • TCP Port 3268 and 3269 for Global Catalog from client to domain controller.
    • TCP and UDP Port 53 for DNS from client to domain controller and domain controller to domain controller.

    Opening the above ports in the firewall between client computers and domain controllers, or between domain controllers, will enable Active Directory to function properly.

    You can also specify ephemeral ports to tighten it slightly further if required.

    Personally and if possible, I would shy away from having any AD connected servers/clients in the DMZ but I do understand that sometimes this isn't possible.
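    A way to verify that the tightened DMZ-to-DC rules actually match the list above, as an added example that is not from this thread or from Sophos: the script below transcribes the reply's port list, probes each TCP entry from the DMZ host, and also checks a few ports that a DMZ host should never be able to reach on a DC. The DC address is a placeholder and the `SHOULD_BE_BLOCKED` list is a constructed sample; UDP entries are kept for reference only, because a plain connect gives no answer for UDP.

```python
"""Audit DMZ-to-DC TCP reachability against the port list from the reply above.
Added example, not from the thread or from Sophos. The DC address is a placeholder."""
import socket
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple


@dataclass(frozen=True)
class AdRule:
    proto: str    # "tcp", "udp" or "tcp/udp", exactly as listed in the reply
    port: int
    purpose: str


# The reply's port list, transcribed as given (UDP-only entries are reference only)
AD_RULES: Tuple[AdRule, ...] = (
    AdRule("udp", 88, "Kerberos authentication"),
    AdRule("tcp/udp", 135, "DC-to-DC and client-to-DC operations (RPC endpoint mapper)"),
    AdRule("tcp", 139, "File Replication Service (NetBIOS session)"),
    AdRule("udp", 138, "File Replication Service (NetBIOS datagram)"),
    AdRule("udp", 389, "LDAP queries from clients"),
    AdRule("tcp/udp", 445, "File Replication Service (SMB)"),
    AdRule("tcp/udp", 464, "Kerberos password change"),
    AdRule("tcp", 3268, "Global Catalog"),
    AdRule("tcp", 3269, "Global Catalog over SSL"),
    AdRule("tcp/udp", 53, "DNS"),
)

# Constructed sample: ports a DMZ host has no business reaching on a DC (RDP, WinRM)
SHOULD_BE_BLOCKED: Tuple[int, ...] = (3389, 5985, 5986)


def check_tcp(host: str, port: int, timeout: float = 2.0) -> bool:
    """True if a TCP handshake to host:port completes within the timeout."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def tcp_ports(rules: Tuple[AdRule, ...] = AD_RULES) -> List[int]:
    """Ports from the list that carry TCP and can therefore be probed with a connect."""
    return sorted(r.port for r in rules if "tcp" in r.proto)


def audit(host: str, probe: Callable[[str, int], bool] = check_tcp,
          rules: Tuple[AdRule, ...] = AD_RULES,
          blocked: Tuple[int, ...] = SHOULD_BE_BLOCKED) -> Dict[str, List[int]]:
    """Report allowed ports that are not reachable and blocked ports that are."""
    report: Dict[str, List[int]] = {"allowed_unreachable": [], "unexpected_open": []}
    for port in tcp_ports(rules):
        if not probe(host, port):
            report["allowed_unreachable"].append(port)
    for port in blocked:
        if probe(host, port):
            report["unexpected_open"].append(port)
    return report


def local_probe_selftest() -> Tuple[bool, bool]:
    """Exercise check_tcp offline: a listening loopback port, then the same port after close."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]
    open_result = check_tcp("127.0.0.1", port, timeout=1.0)
    srv.close()
    closed_result = check_tcp("127.0.0.1", port, timeout=1.0)
    return open_result, closed_result


if __name__ == "__main__":
    dc = "DC_PLACEHOLDER"  # replace with the DC's IP and run this from the DMZ host
    print(audit(dc))
```

    Run it from the DMZ host after the rules are in place: an empty report means the listed TCP ports are open and the sample blocked ports are not. Anything under `unexpected_open` is a rule that is wider than the reply recommends, and `allowed_unreachable` points at a port the FTP host still needs before authentication will work.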

  • Hello Louis-M, thank you for your reply.
    I will try to test this solution.
    I have no choice regarding the client/server method; we have users who connect to FTP from their homes, and sometimes they are on mission. They are part of the domain.
    Thank you.
