Usually, it is desirable to restrict port traffic between defined security zones where possible, and map each security zone to a logical VLAN. The following table lists the source and destination zones or tiers, which are specifically identified as such. In the case of a tier, a network adapter may also be specified (/n).
Source zone | Destination zone | Port # | Protocol | TCP/UDP | Purpose

Internet Client Access
Public | Perimeter Information Services | 80 | HTTP | TCP | To allow Internet clients to access the Contoso public application and Web server content over non-encrypted HTTP.
Public | Perimeter Information Services | 443 | HTTPS | TCP | To allow Internet clients to access the Contoso public Application and Web server content over encrypted HTTPS.
Public | Perimeter Name Services tier/1 | 53 | DNS | UDP | To allow Internet clients to look up the IP address of the Contoso public Web servers through DNS requests.
Public | VPN tier/1 | 500 | ISAKMP | UDP | To allow the ISAKMP to build the secure tunnel for IPSec VPNs.
Public | VPN tier/1 | 1701 | L2TP | UDP | To allow public client workstations to securely connect to the Contoso internal network remotely over a VPN using L2TP.
Public | VPN tier/1 | 1723 | PPTP | TCP | To allow public client workstations to securely connect to the Contoso internal network remotely over a VPN through PPTP using protocol type 47 (GRE).
Public | VPN tier/1 | 4500 | MS IPSec NAT-T | UDP | To allow public client workstations to securely connect to the Contoso internal network remotely over IPSec through NAT.
... | ... | All | All | TCP/UDP | No restrictions on traffic between these external interfaces.
... | ... | All | All | TCP/UDP | No restrictions on traffic between these external interfaces.
Perimeter Information Services | Public | 53 | DNS | UDP | To allow DNS queries to be initiated from the perimeter application and Web servers to public DNS servers.
Perimeter Name Services | Public | 53 | DNS | UDP | To allow DNS queries to be initiated from the perimeter DNS servers to public DNS servers.
... | ... | All | All | TCP/UDP | No restrictions on traffic between these interfaces because they share the same LAN.
... | ... | All | All | TCP/UDP | No restrictions on traffic between these interfaces because they share the same LAN.
... | ... | All | All | TCP/UDP | No restrictions on traffic between these interfaces because they share the same LAN.
... | ... | ... | ... | ... | ... perimeter tiers and the SQL tier.
... | ... | ... | DTC | TCP | Distributed Transaction Coordinator (DTC) statically defined ports to allow transit through intermediate firewall.

Lab Implementation

... | ... Services | ... | ... | ... | ... Network Architecture Blueprint for a list of commonly allowed protocols.
... | ... | ... | ... | ... | ... Contoso public application or Web server and the internal application server over non-encrypted HTTP.
... | ... | ... | ... | ... | ... Contoso public application or Web server and the internal application server over encrypted HTTPS.
... | ... | 8100 | Remoting | TCP | .NET Remoting connection allowing Simple Object Access Protocol (SOAP) and XML between the corporate application servers and the public application servers.
Perimeter | ... | ... | ... | ... | ... allow transit through intermediate firewall.
... | ... | ... | ... | ... | ... Contoso public Application or Web server and the internal Web server over non-encrypted HTTP.
... | ... | ... | ... | ... | ... Contoso public application or Web server and the Internal Web server over encrypted HTTPS.
... | ... | 8100 | Remoting | TCP | .NET Remoting connection allowing SOAP and XML between the corporate Web servers and the public application or Web servers.
Perimeter | ... | ... | ... | ... | ... allow transit through intermediate firewall.
... | ... | ... | ... | ... | ... (NTP) to transit between the perimeter directory tier to the domain controller servers in the corporate infrastructure zone. This will allow time synchronization to occur.
Perimeter | ... | 464 | KPASSWD | TCP | To allow Kerberos traffic between the perimeter directory tier to the domain controller servers in the corporate infrastructure zone for authenticated updates.
Perimeter | ... | ... | ... | ... | ... between the perimeter directory tier to the domain controller servers in the corporate infrastructure zone.
Perimeter | ... | ... | ... | ... | ... traffic through the intermediate firewall.
... | ... | ... | ... | TCP/UDP | Refer to Table 12 in the Network Architecture Blueprint for a list of commonly allowed protocols.
... | ... | ... | RADIUS | UDP | RADIUS authentication traffic for verifying credentials for VPN tunnel.
... | ... | ... | ... | ... | ... initiate the VPN tunnel as required to allow remote branch office client workstations to securely connect to the Contoso internal network remotely over a VPN through PPTP using protocol type 47 (GRE). Note that this VPN tunnel may be initiated by either the branch office or the site-to-site VPN and the tunnel will only be authorized if the remote site has a valid authentication certificate.
... | ... | ... | ... | ... | ... initiate the VPN tunnel as required to allow remote branch office client workstations to securely connect to the Contoso internal network remotely over a VPN using L2TP. Note that this VPN tunnel may be initiated by either the branch office or the site-to-site VPN and the tunnel will only be authorized if the remote site has a valid authentication certificate.
... | ... | ... | ... | ... | ... initiate the VPN tunnel to allow remote branch office client workstations to securely connect to the Contoso internal network remotely over IPSec through a NAT. Note that this VPN tunnel may be initiated by either the branch office or the site-to-site VPN and the tunnel will only be authorized if the remote site has a valid authentication certificate.
... | ... | ... | ... | ... | ... use ISAKMP to build the secure tunnel for IPSec VPNs. Note that this VPN tunnel may be initiated by either the branch office or the site-to-site VPN.
Perimeter | ... | ... | ... | ... | ... remotely administer the perimeter management servers through Terminal Services or Remote Desktop Connection. Once logged in using Terminal Services, the administrator can connect to other Perimeter servers directly attached to the CPB LAN.
... | ... | ... | ... | ... | ... between the perimeter and internal management servers for intercommunication, such as SOAP (see also port 8100).
Perimeter | ... | ... | ... | ... | ... to traverse between the perimeter and internal management servers for server configuration access.
Perimeter | ... | ... | ... | ... | ... transit between the internal servers and the management servers. This undefined high port is used by the management software.
... | ... | ... | ... | TCP | To allow backup software traffic to flow between the internal backup servers and the perimeter backup servers. The backup uses high range ports to accomplish the transfer. The defined ports are exclusive to the perimeter backup scheme.
Internal Corporate Access
SQL | Perimeter ... | ... | ... | ... | ... between the read-only SQL Server computers and the perimeter application servers for content.
... | ... | ... | ... | ... | ... between the read-only SQL Server computers for intercommunication, such as SOAP (see also port 8100).
SQL | Perimeter Application tier/2 | 443 | HTTPS | TCP | To allow encrypted HTTPS traffic to traverse between the internal and external proxies for server configuration access.
SQL | Perimeter ... | ... | ... | ... | ... allow transit through intermediate firewall.
SQL | Perimeter Application tier/2 | 8100 | Remoting | TCP | .NET Remoting connection allowing SOAP and XML between the internal SQL Server computers and the public application servers.
SQL | Perimeter ... | ... | ... | ... | ... for a list of commonly allowed protocols.
... | ... | ... | ... | ... | ... between the corporate Web server and the application servers for intercommunication, such as SOAP (see also port 8100).
... | ... | ... | ... | ... | ... to traverse between corporate Web server and the application server for intercommunication.
Corporate | ... | ... | ... | ... | ... allow transit through intermediate firewall.
... | ... | 8100 | Remoting | TCP | .NET Remoting connection allowing SOAP and XML between the internal Web servers and the internal application servers.
Corporate Database, Corporate Management, Corporate Infrastructure | Internal Application tier/2 | 80 | HTTP | TCP | To allow HTTP traffic to traverse between the corporate servers and the application servers for intercommunication, such as SOAP (see also port 8100).
Corporate | ... | ... | ... | ... | ... to traverse between corporate servers and the application server for intercommunication.
Corporate | ... | ... | ... | ... | ... allow transit through intermediate firewall.
... | ... | 8100 | Remoting | TCP | .NET Remoting connection allowing SOAP and XML between the corporate servers and the internal application servers.
... | ... | ... | ... | ... | ... Network Architecture Blueprint for a list of commonly allowed protocols.
... | ... | ... | ... | ... | ... the firewall, specific ports must be specified for CA traffic. For more details, refer to the following URL:
... | ... | ... | ... | ... | ... between the internal and external proxy servers for intercommunication, such as SOAP (see also port 8100).
Corporate | ... | ... | ... | ... | ... to traverse between the internal and external proxies for server configuration access.
Corporate | ... | ... | ... | ... | ... internal and external proxies.
Corporate | ... | 1863 | MSNP | TCP/UDP | Allow Windows Messenger traffic between the internal and external proxies.
Corporate | External Com- | ... | ... | TCP/UDP | Refer to Table 12 in the ... Infrastructure for a list of commonly allowed protocols.
... | ... | ... | ... | ... | ... Network Architecture Blueprint for a list of commonly allowed protocols.
... | ... | ... | ... | ... | ... between the corporate SQL and management servers and the Web servers for intercommunication, such as SOAP (see also port 8100).
Corporate | ... | ... | ... | ... | ... to traverse between the corporate SQL and management servers and the Web servers for intercommunication.
... | ... | ... | ... | ... | ... Network Architecture Blueprint for a list of commonly allowed protocols.
... | ... | ... | ... | ... | ... between the corporate Application servers and the Internal Web server for intercommunication, such as SOAP (see also port 8100).
Corporate | ... | ... | ... | ... | ... to traverse between corporate application servers and the internal Web servers for intercommunication.
... | ... | ... | ... | ... | ... allow transit through intermediate firewall.
... | ... | 8100 | Remoting | TCP | .NET Remoting connection allowing SOAP and XML between the corporate applications servers and the public application servers. SOAP is an open standards-based interoperability protocol that uses XML to provide a common messaging format to link together applications and services anywhere on the Internet.
Internal SQL | Internal Web tier/2 | 1433-34 | SQL | TCP/UDP | To allow SQL traffic to the back-end interface of the internal Web server. This specific LAN segment is isolated for database traffic only to offload the traffic from the front-end LAN segment.
Internal SQL | Internal Applications tier/2 | 1433-34 | SQL | TCP/UDP | To allow SQL traffic to the back-end interface of the Internal applications server. This specific LAN segment is isolated for database traffic only to offload the traffic from the front-end LAN segment.
Corporate | ... | ... | ... | ... | ... between the corporate servers and the internal Web server for intercommunication, such as SOAP (see also port 8100).
Corporate | ... | ... | ... | ... | ... to traverse between the corporate servers and the internal Web servers for intercommunication.
... | ... | ... | ... | ... | ... allow transit through intermediate firewall.
... | ... | 8100 | Remoting | TCP | .NET Remoting connection allowing SOAP and XML between the corporate servers and the internal Web server.
Corporate | ... | ... | ... | ... | ... Network Architecture Blueprint for a list of commonly allowed protocols.
... | ... | ... | ... | TCP/UDP | To allow backup software traffic to flow between the internal backup servers and the perimeter backup servers. The backup uses high range ports to accomplish the transfer. The defined ports are exclusive to the perimeter backup scheme.
Corporate | ... | ... | ... | ... | ... for a list of commonly allowed protocols.
... | ... | ... | ... | TCP/UDP | To allow backup software traffic to flow between the Internal servers and the Internal Backup servers. The backup uses high range ports to accomplish the transfer. The defined ports are exclusive to the internal backup scheme.
... | ... | ... | ... | ... | ... for a list of commonly allowed protocols.
... | ... | ... | ... | ... | ... to flow between the internal certificate server and the internal applications and Web servers. To allow DCOM traffic through the firewall, specific ports must be specified for CA traffic as per the Knowledge Base article available at: www.microsoft.com/com/wpaper/dcomfw.asp
... | ... | ... | ... | TCP/UDP | Refer to Table 12 in the Network Architecture Blueprint for a list of commonly allowed protocols.
... | ... | ... | ... | ... | ... internal SQL Server computers and the internal corporate servers.
... | ... | ... | ... | ... | ... for a list of commonly allowed protocols.
Internal ... | ... | ... | ... | ... | ... between the corporate servers and the internal management servers for intercommunication, such as SOAP (see also port 8100) and basic configuration.
Corporate | ... | ... | ... | ... | ... to traverse between corporate servers and the internal management servers for intercommunication.
... | ... | ... | ... | ... | ... transit between the internal servers and the management servers. This undefined high port is used by the management software.
... | ... | ... | ... | ... | ... for a list of commonly allowed protocols.
... | ... | ... | ... | ... | ... the print servers.
Corporate | ... | ... | ... | ... | ... traffic to transit between the internal servers and the file and print servers.
Corporate | ... | ... | ... | ... | ... for a list of commonly allowed protocols.
... | ... | ... | RADIUS | UDP | Return RADIUS authentication traffic for verifying credentials for VPN tunnel.
Corporate | ... | ... | ... | ... | ... for a list of commonly allowed protocols.
... | ... | ... | ... | ... | ... external proxy server to the Internet only when initiated from internal corporate servers.
Corporate | ... | ... | ... | ... | ... internal Corp servers through the external proxy server outbound to the Internet.
Corporate | ... | ... | ... | ... | ... between the corporate servers and the external proxy servers for intercommunication, such as SOAP (see also port 8100) and basic configuration.
Corporate | ... | ... | ... | ... | ... to traverse between corporate servers and the Internal management servers for intercommunication.
... | ... | ... | ... | ... | ... for a list of commonly allowed protocols.

Internal Client Access
Client | Internal Application tier/1 | 80 | HTTP | TCP | To allow HTTP traffic to traverse between the clients and the Internal application servers for intercommunication.
Client | Internal Application | ... | ... | ... | ... to traverse between clients and the internal application servers for intercommunication.
Client | Internal Application | ... | ... | ... | ... allow transit through intermediate firewall.
Client | Internal Application | ... | ... | ... | ... allowing SOAP and XML between the clients and the internal application servers.
Client | Internal Application | ... | ... | ... | ... Network Architecture Blueprint for a list of commonly allowed protocols.
Client | Internal Web | ... | ... | ... | ... traffic to traverse between the clients and the internal application servers for intercommunication.
Client | Internal Web | ... | ... | ... | ... to traverse between clients and the internal application servers for intercommunication.
Client | Internal Web | ... | ... | ... | ... allow transit through intermediate firewall.
Client | Internal Web | ... | ... | ... | ... allowing SOAP and XML between the clients and the internal application servers.
Client | Internal Web | ... | ... | ... | ... Network Architecture Blueprint for a list of commonly allowed protocols.
Client | Internal SQL | ... | ... | ... | ... internal SQL Server computers and the clients.
Client | Internal SQL | ... | ... | ... | ... allow transit through intermediate firewall.
Client | Internal SQL | ... | ... | ... | ... Network Architecture Blueprint for a list of commonly allowed protocols.
Client | Internal Directory | ... | ... | ... | ... remote) to acquire a DHCP lease address.
Client | Internal Directory | ... | ... | ... | ... Network Architecture Blueprint for a list of commonly allowed protocols.
Client | ... | ... | ... | ... | ... between the clients and the perimeter management servers for intercommunication.
Client | ... | ... | ... | ... | ... to traverse between clients and the perimeter management servers for intercommunication.
Client | ... | ... | ... | ... | ... transit between the clients and the management servers. This undefined high port is used by the management software.
Client | ... | ... | ... | ... | ... Network Architecture Blueprint for a list of commonly allowed protocols.
Client | Internal Management | ... | ... | ... | ... between the clients and the internal management servers for intercommunication.
Client | Internal Management | ... | ... | ... | ... to traverse between clients and the internal management servers for intercommunication.
Client | Internal Management | ... | ... | ... | ... transit between the clients and the management servers. This undefined high port is used by the management software.
Client | Internal Management | ... | ... | ... | ... Network Architecture Blueprint for a list of commonly allowed protocols.
Client | ... | ... | ... | ... | ... the print servers.
Client | ... | ... | ... | ... | ... traffic to transit between the clients and the file and print servers.
Client | File and Com- | ... | ... | TCP/UDP | Refer to Table 12 in the Network Architecture Blueprint for a list of commonly allowed protocols.
Client | Internal Proxy | ... | ... | ... | ... proxy server only when initiated from internal clients.
Client | Internal Proxy | ... | ... | ... | ... between the clients and the external proxy servers for intercommunication.
Client | Internal Proxy | ... | ... | ... | ... to traverse between clients and the external proxy servers for intercommunication.
Client | Internal Proxy | ... | ... | ... | ... traffic between the clients and the internal proxies.
Client | Internal Proxy | ... | ... | ... | ... to flow between the internal certificate server and the clients. To allow DCOM traffic through the firewall, specific ports must be specified for CA traffic as per the Knowledge Base article available at: www.microsoft.com/com/wpaper/dcomfw.asp
Client | Internal Proxy | ... | ... | ... | ... Network Architecture Blueprint for a list of commonly allowed protocols.
... | ... | ... | ... | ... | ... initiate the VPN tunnel as required to allow remote branch office client workstations to securely connect to the Contoso internal network remotely over a VPN through PPTP using protocol type 47 (GRE). Note that this VPN tunnel may be initiated by either the branch office or the site-to-site VPN and the tunnel will only be authorized if the remote site has a valid authentication certificate.
... | ... | ... | ... | ... | ... initiate the VPN tunnel as required to allow remote branch office client ...
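The zone-to-zone model the table describes can be written down as data and checked mechanically, which is how a reviewer would confirm that a firewall build matches the blueprint. The Python below is an added example and is not part of the original document or of the Contoso design: it transcribes the Internet Client Access rows and one Internal SQL row into rules, answers "is this flow permitted" with default deny (no matching row means denied), and audits the rule set for the kind of All/All entries the table contains and for the PPTP caveat the table itself notes, namely that protocol type 47 (GRE) must be permitted alongside TCP/1723. The zone names, the ANY wildcard and the GRE pseudo-protocol are this example's own conventions (assumptions), not notation used by the document.

```python
"""Zone-to-zone port policy as data, with a default-deny lookup and an audit.

Added example, not from the original document. The rule entries transcribe
the table's Internet Client Access rows and one Internal SQL row; the zone
names, the ANY wildcard and the GRE pseudo-protocol are this example's own
conventions (assumptions), not notation used by the document.
"""
from dataclasses import dataclass
from typing import FrozenSet, List, Optional, Tuple

ANY = "ANY"  # wildcard for a zone; stands in for the table's "All" entries

TCP = frozenset({"TCP"})
UDP = frozenset({"UDP"})
TCP_UDP = frozenset({"TCP", "UDP"})
GRE = frozenset({"GRE"})  # IP protocol type 47, carried alongside PPTP


@dataclass(frozen=True)
class Rule:
    src: str                          # source zone (or ANY)
    dst: str                          # destination zone or tier (or ANY)
    protos: FrozenSet[str]            # transport(s) the row permits
    ports: Optional[Tuple[int, int]]  # inclusive port range; None = all / not applicable
    purpose: str


def single(port: int) -> Tuple[int, int]:
    return (port, port)


# Constructed from the table rows; purposes are paraphrased for brevity.
RULES: List[Rule] = [
    Rule("Public", "Perimeter Information Services", TCP, single(80), "Internet clients to public Web/app servers over HTTP"),
    Rule("Public", "Perimeter Information Services", TCP, single(443), "Internet clients to public Web/app servers over HTTPS"),
    Rule("Public", "Perimeter Name Services tier/1", UDP, single(53), "Internet DNS lookups of the public Web servers"),
    Rule("Public", "VPN tier/1", UDP, single(500), "ISAKMP builds the IPSec VPN tunnel"),
    Rule("Public", "VPN tier/1", UDP, single(1701), "L2TP remote access"),
    Rule("Public", "VPN tier/1", TCP, single(1723), "PPTP control channel"),
    Rule("Public", "VPN tier/1", GRE, None, "PPTP data channel, protocol type 47 (GRE)"),
    Rule("Public", "VPN tier/1", UDP, single(4500), "IPSec NAT-T"),
    Rule("Internal SQL", "Internal Web tier/2", TCP_UDP, (1433, 1434), "SQL to the back-end interface of the internal Web server"),
]


def matches(rule: Rule, src: str, dst: str, proto: str, port: Optional[int]) -> bool:
    """True when a single rule permits the flow."""
    if rule.src != ANY and rule.src != src:
        return False
    if rule.dst != ANY and rule.dst != dst:
        return False
    if proto not in rule.protos:
        return False
    if rule.ports is not None:
        if port is None:
            return False
        lo, hi = rule.ports
        if not lo <= port <= hi:
            return False
    return True


def is_allowed(src: str, dst: str, proto: str, port: Optional[int] = None,
               rules: List[Rule] = RULES) -> Optional[Rule]:
    """Default deny: return the first permitting rule, or None if no row matches."""
    for rule in rules:
        if matches(rule, src, dst, proto, port):
            return rule
    return None


def audit(rules: List[Rule]) -> List[str]:
    """Flag rows that weaken the zone model or are incomplete on their own."""
    findings: List[str] = []
    for r in rules:
        if r.src == ANY and r.dst == ANY:
            findings.append(f"unrestricted zone pair: {r.purpose}")
        if r.ports is None and r.protos & TCP_UDP:
            findings.append(f"all {'/'.join(sorted(r.protos))} ports open {r.src} -> {r.dst}")
    # PPTP (TCP/1723) only works if GRE is also permitted between the same zones.
    pptp_pairs = {(r.src, r.dst) for r in rules
                  if "TCP" in r.protos and r.ports and r.ports[0] <= 1723 <= r.ports[1]}
    gre_pairs = {(r.src, r.dst) for r in rules if "GRE" in r.protos}
    for src, dst in sorted(pptp_pairs - gre_pairs):
        findings.append(f"PPTP control port allowed {src} -> {dst} without GRE (protocol 47)")
    return findings


if __name__ == "__main__":
    hit = is_allowed("Public", "Perimeter Information Services", "TCP", 443)
    print("443/TCP from Public:", hit.purpose if hit else "denied")
    print("8080/TCP from Public:", is_allowed("Public", "Perimeter Information Services", "TCP", 8080))
    for finding in audit(RULES + [Rule(ANY, ANY, TCP_UDP, None, "no restrictions")]):
        print("finding:", finding)
```

Rules are matched first-hit with an implicit deny at the end, so a zone pair that has no row at all (for example Public to Internal SQL) is denied without any special case. The audit is deliberately narrow: it only reports what can be read off the rows themselves (a wildcard pair, a TCP/UDP row with no port bound, a PPTP row with no GRE companion), which is the check worth running each time the table is edited.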