ataro
Explorer II
July 12, 2025
Solved

DCE-RPC for Active Directory Traffic


I am using Fortigate Firewalls between Windows clients and domain controllers. In this case, by allowing DCE-RPC, does the firewall allow the required return sessions without allowing the dynamic port range? What are the requirements, like firmware, IPS, etc.?

Best answer by funkylicious

config firewall service group
edit "Windows AD"
set member "DCE-RPC" "DNS" "KERBEROS" "LDAP" "LDAP_UDP" "SAMBA" "SMB"
next
end


L.E. I think once or twice I had to create a custom port range, 1024-65535 for TCP, but if any other ports are required, usually you can catch them in a deny rule which logs traffic or by doing a debug.
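One way to turn the "deny rule which logs traffic" approach into a repeatable check is to parse the firewall's forward-traffic log and tally which client-to-DC destination ports were denied. The script below is an added example, not code from the post above and not Fortinet's own; it reads FortiGate-style key=value traffic-log lines, keeps only denied sessions from the client subnet to the domain controllers, and labels each denied port with the Active Directory service it normally belongs to. The log lines are constructed for the example, and the client subnet 10.10.20.0/24, the DC address 10.10.1.5 and the policy ids are assumptions.

```python
"""Summarise denied client -> domain-controller traffic from FortiGate-style logs.

Added example (not from the forum post, not Fortinet code). The sample log
lines are constructed; the subnet, DC address and policy ids are assumptions.
"""
import ipaddress
import re
from collections import Counter

# Constructed sample lines in the key=value shape of a FortiGate traffic log.
# Lines 2 and 3 show an RPC dynamic port being dropped by the implicit deny
# (policyid=0); line 4 shows Kerberos password change (464/tcp) being dropped.
# The last two lines are denies that do NOT involve client -> DC and must be ignored.
SAMPLE_LOGS = """\
date=2025-07-12 time=10:01:02 logid="0000000013" type="traffic" subtype="forward" srcip=10.10.20.15 srcport=51234 dstip=10.10.1.5 dstport=135 proto=6 action="accept" policyid=12 service="DCE-RPC"
date=2025-07-12 time=10:01:03 logid="0000000013" type="traffic" subtype="forward" srcip=10.10.20.15 srcport=51235 dstip=10.10.1.5 dstport=49670 proto=6 action="deny" policyid=0 service="tcp/49670"
date=2025-07-12 time=10:01:09 logid="0000000013" type="traffic" subtype="forward" srcip=10.10.20.16 srcport=50001 dstip=10.10.1.5 dstport=49670 proto=6 action="deny" policyid=0 service="tcp/49670"
date=2025-07-12 time=10:02:11 logid="0000000013" type="traffic" subtype="forward" srcip=10.10.20.15 srcport=51240 dstip=10.10.1.5 dstport=464 proto=6 action="deny" policyid=0 service="tcp/464"
date=2025-07-12 time=10:02:15 logid="0000000013" type="traffic" subtype="forward" srcip=10.10.20.15 srcport=51241 dstip=10.10.1.5 dstport=88 proto=6 action="accept" policyid=12 service="KERBEROS"
date=2025-07-12 time=10:03:00 logid="0000000013" type="traffic" subtype="forward" srcip=10.10.30.7 srcport=40000 dstip=10.10.1.5 dstport=49670 proto=6 action="deny" policyid=0 service="tcp/49670"
date=2025-07-12 time=10:03:05 logid="0000000013" type="traffic" subtype="forward" srcip=10.10.20.15 srcport=51250 dstip=10.10.1.9 dstport=445 proto=6 action="deny" policyid=0 service="SMB"
"""

# Well-known AD service ports, keyed by (protocol, port). Names follow the
# FortiGate "Windows AD" service group members where one exists.
AD_PORTS = {
    ("tcp", 53): "DNS", ("udp", 53): "DNS",
    ("tcp", 88): "KERBEROS", ("udp", 88): "KERBEROS",
    ("tcp", 135): "DCE-RPC endpoint mapper",
    ("tcp", 389): "LDAP", ("udp", 389): "LDAP_UDP",
    ("tcp", 445): "SMB",
    ("tcp", 464): "Kerberos password change (kpasswd)",
    ("udp", 464): "Kerberos password change (kpasswd)",
    ("tcp", 636): "LDAPS",
    ("tcp", 3268): "Global Catalog", ("tcp", 3269): "Global Catalog over TLS",
}
PROTO_NAMES = {6: "tcp", 17: "udp"}

# key=value pairs; values are either "quoted" (group 3) or bare tokens (group 4).
KV_RE = re.compile(r'(\w+)=("([^"]*)"|(\S+))')


def parse_line(line: str) -> dict:
    """Turn one key=value log line into a dict of string values."""
    return {m.group(1): m.group(3) if m.group(3) is not None else m.group(4)
            for m in KV_RE.finditer(line)}


def classify_port(proto: str, port: int) -> str:
    """Name the AD service a destination port usually carries."""
    if (proto, port) in AD_PORTS:
        return AD_PORTS[(proto, port)]
    if proto == "tcp" and 49152 <= port <= 65535:
        return "RPC dynamic range (49152-65535)"
    return "unknown"


def denied_ports(log_text: str, client_net: str, dc_hosts) -> Counter:
    """Count denied (proto, dstport) pairs for sessions from client_net to any DC."""
    net = ipaddress.ip_network(client_net)
    dcs = {ipaddress.ip_address(h) for h in dc_hosts}
    counts = Counter()
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        if rec.get("type") != "traffic" or rec.get("action") != "deny":
            continue
        try:
            src = ipaddress.ip_address(rec["srcip"])
            dst = ipaddress.ip_address(rec["dstip"])
            proto = PROTO_NAMES.get(int(rec["proto"]), rec["proto"])
            port = int(rec["dstport"])
        except (KeyError, ValueError):
            continue  # malformed or non-IP record: skip rather than crash
        if src in net and dst in dcs:
            counts[(proto, port)] += 1
    return counts


def report(counts: Counter) -> list:
    """Render the tally, most frequent first, with the likely service name."""
    return [f"{proto}/{port}: {n} denied -> {classify_port(proto, port)}"
            for (proto, port), n in counts.most_common()]


if __name__ == "__main__":
    for line in report(denied_ports(SAMPLE_LOGS, "10.10.20.0/24", ["10.10.1.5"])):
        print(line)
```

On the constructed sample the tally shows the RPC dynamic port twice and kpasswd once, which is the kind of gap the post's custom 1024-65535 TCP range (or the narrower 49152-65535 range on current Windows) would close; denies from other subnets or to non-DC hosts are filtered out so the report stays focused on the client-to-DC policy.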

1 reply

sjoshi
Staff
July 12, 2025
ataro (Author)
Explorer II
July 15, 2025

As per the article, it seems like FG will allow dynamic traffic. Has anyone practically implemented this for Windows systems between domain controllers and clients? That is, without allowing the dynamic port range, do all functionalities work fine for Active Directory?

funkylicious
SuperUser
July 15, 2025

From my experience, using the built-in/default "Windows AD" service group is enough for devices to communicate with the DC.

"jack of all trades, master of none"