In those instances where the traffic from the Juniper IVE is filtered by the firewall before it can reach the authentication servers (i.e. DMZ to Internal LAN), we need to open a few ports in the firewall so that the communication can continue uninterrupted.
Problem or Goal:
What are the ports that we need to open in the firewall (route: DMZ to Internal LAN) so that communication for authentication purposes can proceed uninterrupted?
We need to open ports for LDAP / CLDAP - 389 and LDAPs - 636.
We need to open ports for SMB. This protocol carries information between the Juniper IVE and the domain controller. In Windows NT it ran over NetBIOS, which uses ports 135 to 139, so we need to open ports 135 to 139 in the firewall.
Additionally, Microsoft has added the possibility that SMB may run on port 445 for Windows 2000, XP, and 2003.
You also need to open all TCP/UDP ports from 1024 to 65535, so that users and the IVE can use any dynamic (ephemeral) port to form sockets and communicate successfully with the Active Directory.
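To make the list above checkable, here is an added Python example (not from the Juniper article) that encodes the DMZ-to-LAN flows named on this page and reports which ones a firewall ruleset fails to permit. The rule syntax, the zone names `dmz`/`lan`, and the ruleset itself are constructed assumptions; deny precedence and rule order are ignored, but a flow split across several adjacent allow rules is still recognised as covered.

```python
from collections import namedtuple

# One flow: protocol, first and last destination port, and what it carries.
Flow = namedtuple("Flow", "proto lo hi purpose")

# Flows this article says must pass from the IVE (DMZ) to the auth servers (LAN).
REQUIRED_FLOWS = [
    Flow("tcp", 389, 389, "LDAP"),
    Flow("udp", 389, 389, "CLDAP"),
    Flow("tcp", 636, 636, "LDAPS"),
    Flow("tcp", 135, 139, "SMB over NetBIOS"),
    Flow("udp", 135, 139, "SMB over NetBIOS"),
    Flow("tcp", 445, 445, "SMB on 445"),
    Flow("tcp", 1024, 65535, "dynamic ports"),
    Flow("udp", 1024, 65535, "dynamic ports"),
]

# Constructed ruleset in an assumed format: "<allow|deny> <proto> <src> <dst> <port|lo-hi>".
# It forgets the UDP side of two flows, so the checker should flag CLDAP and dynamic UDP.
EXAMPLE_RULES = [
    "allow tcp dmz lan 389",
    "allow tcp dmz lan 636",
    "allow any dmz lan 135-139",
    "allow tcp dmz lan 445",
    "allow tcp dmz lan 1024-65535",
]

def parse_rule(line):
    """Split one rule line into (action, proto, src, dst, lo, hi)."""
    action, proto, src, dst, ports = line.split()
    lo, _, hi = ports.partition("-")
    return action, proto.lower(), src, dst, int(lo), int(hi or lo)

def covered_ports(rules, src, dst):
    """Set of (proto, port) pairs that some allow rule permits from src to dst."""
    covered = set()
    for action, proto, s, d, lo, hi in map(parse_rule, rules):
        if action != "allow" or (s, d) != (src, dst):
            continue  # deny rules and other zone pairs open nothing
        for p in ("tcp", "udp") if proto == "any" else (proto,):
            covered.update((p, port) for port in range(lo, hi + 1))
    return covered

def missing_flows(rules, src, dst):
    """Required flows with at least one destination port not permitted by the rules."""
    covered = covered_ports(rules, src, dst)
    return [f for f in REQUIRED_FLOWS
            if any((f.proto, port) not in covered for port in range(f.lo, f.hi + 1))]
```

Calling `missing_flows(EXAMPLE_RULES, "dmz", "lan")` returns the CLDAP and UDP dynamic-port flows; adding the two missing UDP rules makes it return an empty list.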