Configure TAC Server Infrastructure


Configuring TAC Server Network Settings.


The following network settings are required for a standalone server deployment.
All IP addresses are configured through Change adapter settings in the Network
and Sharing Center.

TAC in public-facing topology

Two Network Interface cards are recommended:
At least 1 static public IP on the public-facing interface
At least 1 static private IP on the internal-facing interface

The recommended network configuration for a dual-NIC environment is as follows:

Network property      Public interface   Private interface
Static IP address     Yes                Yes
Default gateway       Yes                No
DNS servers           No                 Yes

In a two-NIC topology, it is advisable to do the initial TAC server preparation
by configuring the internal NIC first and joining the server to the domain
before adding the secondary (public-facing) NIC.

Some customer networks do not place the NICs in the proper network location
profiles (Domain for the internal NIC and Public for the external NIC). Because
Windows Firewall applies a different rule set per profile, a wrongly classified
NIC can cause communication issues when TAC is in an array.
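The dual-NIC layout above, carried through as a PowerShell procedure. This is an added example and not PortSys's own script; interface aliases, addresses, subnets, DNS servers, the computer name and the domain name are assumptions to be replaced with your own. It follows the recommended order: internal NIC, domain join, then the public NIC, and finishes with the network-profile check that the paragraph above describes.

```powershell
# Added example, not from the PortSys documentation: a dual-NIC TAC server laid
# out as in the table above. Interface aliases, addresses, subnets, DNS servers,
# computer name and domain name are assumptions; replace them with your own.
$Internal = 'Internal'          # NIC on the private (domain) network
$External = 'External'          # NIC on the public network

# Step 1: internal NIC only. Static IP, internal DNS servers, no default gateway.
New-NetIPAddress -InterfaceAlias $Internal -IPAddress 10.0.10.20 -PrefixLength 24
Set-DnsClientServerAddress -InterfaceAlias $Internal -ServerAddresses 10.0.10.5, 10.0.10.6
# With no gateway on this NIC, other internal subnets need explicit routes
# (assumed here: the rest of 10.0.0.0/8 sits behind the router 10.0.10.1).
New-NetRoute -InterfaceAlias $Internal -DestinationPrefix 10.0.0.0/8 -NextHop 10.0.10.1

# Step 2: set the final server name (it must be fixed before the TAC license is
# applied), join the domain and reboot.
Add-Computer -DomainName 'corp.example' -NewName 'TAC01' -Credential (Get-Credential) -Restart

# Step 3 (after the reboot): add the public NIC. Static IP with the default
# gateway, no DNS servers, and no registration of the public address in DNS.
New-NetIPAddress -InterfaceAlias $External -IPAddress 203.0.113.10 -PrefixLength 24 -DefaultGateway 203.0.113.1
Set-DnsClientServerAddress -InterfaceAlias $External -ResetServerAddresses
Set-DnsClient -InterfaceAlias $External -RegisterThisConnectionsAddress $false

# Step 4: check the network location profiles. The internal NIC should show
# DomainAuthenticated and the public NIC Public; a NIC in the wrong profile
# gets the wrong Windows Firewall rule set, which is the usual reason array
# nodes cannot talk to each other. Only Public/Private can be forced by hand.
Get-NetConnectionProfile | Select-Object InterfaceAlias, NetworkCategory
Set-NetConnectionProfile -InterfaceAlias $External -NetworkCategory Public
```

Run steps 1 and 2 in one session and steps 3 and 4 after the server has rebooted and is a domain member; if the internal NIC still shows Private or Public at step 4, NLA could not reach a domain controller over that interface, which is worth fixing before the array is built.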

TAC behind Firewall / NAT device

One Network Interface card connected to the private network.
At least 1 static private IP address.
An internal DNS infrastructure with forwarders can be used for public name
resolution.

Configuring server domain settings

Running TAC in workgroup mode

Note - PortSys does not recommend using TAC in workgroup mode. It works best
when joined to a domain.

TAC will work as an independent server in the network. When it is in the DMZ,
it is possible to leave it as a workgroup computer. Limitations when TAC is in
a workgroup:

NTLM authentication is not available for external clients
No VPN application
No FileAccess

TAC in Domain mode

A domain-joined TAC server supports all TAC operations.

Use System Properties to join the TAC server to the domain. The TAC server
name must be set before applying the TAC license, because changing the server
name afterwards requires requesting a new license key from PortSys.

Configuring Internal/External Firewalls between TAC Servers and back-end
application servers

When the TAC server is behind a firewall or placed in an internal or external
DMZ, the following firewall ports must be open.

Workgroup Mode

Source        Destination        Protocol / Port   Description
Internet      TAC Server         TCP 443           Portal (HTTPS)
Internet      TAC Server         TCP 80            Portal (HTTP)
TAC Server    Internal subnet    TCP & UDP 389     TAC to AD server lookups (LDAP)
TAC Server    Internal subnet    TCP & UDP 53      TAC DNS lookups
TAC Server    Internal subnet    TCP 3268          LDAP Global Catalog
TAC Server    Internal subnet    TCP & UDP 88      Kerberos

Domain Joined

Source        Destination              Protocol / Port      Description
Internet      TAC Server external IP   TCP 443              Portal (HTTPS)
Internet      TAC Server external IP   TCP 80               Portal (HTTP)
TAC Server    AD Server IP             TCP & UDP 389        TAC to AD server lookups (LDAP)
TAC Server    DNS Server IP            TCP & UDP 53         TAC DNS lookups
TAC Server    AD/GC Server IP          TCP 3268             LDAP Global Catalog
TAC Server    AD/GC Server IP          TCP 636              Secure LDAP (LDAPS)
TAC Server    AD/GC Server IP          TCP 3269             Secure LDAP Global Catalog
TAC Server    AD/DC Server IP          TCP & UDP 445        SMB, CIFS, SMB2, DFSN, LSARPC, NbtSS,
                                                            NetLogonR, SamR, SrvSvc
TAC Server    AD/DC Server IP          TCP 135              RPC, EPM (endpoint mapper)
TAC Server    AD/DC Server IP          TCP dynamic          RPC, DCOM, EPM, DRSUAPI, NetLogonR,
                                                            SamR, FRS
TAC Server    AD/DC Server IP          TCP 5722             RPC, DFSR (SYSVOL)
TAC Server    AD/Time Server IP        UDP 123              Windows Time
TAC Server    AD/DC Server IP          TCP & UDP 464        Kerberos change/set password
TAC Server    AD/DC Server IP          UDP dynamic          DCOM, RPC, EPM
TAC Server    AD/DC Server IP          UDP 138              DFSN, NetLogon, NetBIOS Datagram Service
TAC Server    AD/DC Server IP          TCP 9389             SOAP (Active Directory Web Services)
TAC Server    DHCP Server IP           UDP 67 & UDP 2535    DHCP, MADCAP
TAC Server    AD/DC Server IP          TCP & UDP 88         Kerberos

The "dynamic" RPC range is 49152-65535 on Windows Server 2008 and later
(1025-5000 on older versions).

More information can be found here:
https://technet.microsoft.com/en-us/library/dd772723(v=ws.10).aspx

Additional ports may need to be opened depending on the requirements of the
published applications.

TAC in Array

If TAC array nodes are placed behind firewalls, the following ports must be
open in addition to the domain-joined ports above.

Source                     Destination                Protocol / Port       Description
TAC manager internal IP    TAC member internal IP     TCP 2070-2080         TAC server communication
TAC member internal IP     TAC manager internal IP
TAC manager internal IP    TAC member internal IP     TCP 1025-5000 and     RPC dynamic port range for
TAC member internal IP     TAC manager internal IP    TCP 49152-65535       service communication
TAC manager internal IP    TAC member internal IP     TCP 135               RPC endpoint mapper service
TAC member internal IP     TAC manager internal IP

The above ports and ranges must be open between all servers in the array in
both directions.
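A pre-flight check for the domain-joined and array port tables above, run from a TAC server before the portal goes live. This is an added example, not PortSys code; the host names are assumptions, and the port lists simply follow the two tables. Extend $Checks with the ports your published back-end applications need.

```powershell
# Added example, not PortSys code: check from a TAC server that the TCP ports in
# the domain-joined and array tables above are reachable through the firewalls.
# Host names are assumptions; the port lists follow the tables.
$Checks = @(
    @{ Role = 'AD/DC';        Target = 'dc01.corp.example';  Ports = 53, 88, 135, 389, 445, 464, 636, 3268, 3269, 5722, 9389 }
    @{ Role = 'DNS';          Target = 'dns01.corp.example'; Ports = @(53) }
    @{ Role = 'Array member'; Target = 'tac02.corp.example'; Ports = @(135) + (2070..2080) }
)

function Test-TacTcpPort {
    param([string]$Target, [int]$Port)
    # A real TCP handshake: a firewall that silently drops shows up as a timeout,
    # a closed port as an immediate refusal; both come back as $false.
    $r = Test-NetConnection -ComputerName $Target -Port $Port -WarningAction SilentlyContinue
    return [bool]$r.TcpTestSucceeded
}

$Results = foreach ($c in $Checks) {
    foreach ($p in $c.Ports) {
        [pscustomobject]@{
            Role   = $c.Role
            Target = $c.Target
            Port   = "TCP $p"
            Open   = Test-TacTcpPort -Target $c.Target -Port $p
        }
    }
}
"Blocked or closed TCP ports:"
$Results | Where-Object { -not $_.Open } | Format-Table -AutoSize

# Port 135 answering only proves the endpoint mapper is reachable; the RPC call
# itself lands in the dynamic range (TCP 49152-65535 on Server 2008 and later),
# which must be open as well. This shows the range the local box would use:
netsh int ipv4 show dynamicport tcp

# UDP has no handshake to probe, so exercise the two UDP services that answer a
# single datagram instead: DNS (UDP 53) and Windows Time (UDP 123).
$dc = 'dc01.corp.example'
$dnsUdpOk = $null -ne (Resolve-DnsName -Name $dc -Server $dc -Type A -DnsOnly -ErrorAction SilentlyContinue)
$ntp = w32tm /stripchart /computer:$dc /samples:1 /dataonly 2>&1
$ntpUdpOk = [bool]($ntp -match ',\s*[+-]\d')   # a good sample line carries an offset such as "+00.0012345s"
[pscustomobject]@{ 'DNS UDP 53 to DC' = $dnsUdpOk; 'NTP UDP 123 to DC' = $ntpUdpOk }
```

Run it once per array node (each node sees the firewalls from its own position), and rerun it after any firewall change; a port that is open from the manager but not from a member is exactly the asymmetry the "both directions" requirement above is meant to rule out.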
Configuring Certificate

TAC requires a certificate on the TAC server, issued for the site's public
host name(s), for secure communication.

An SSL certificate is required on the TAC server. The certificate must be
issued by a public certification authority (CA) so that clients trust it
without any additional configuration.

You may need to add multiple certificates for different applications that have
alternate public host names.

Further, you may need to install certificates on endpoints so that they trust
the connection between the endpoint and the TAC Gateway. If you publish a
generic client/server application, VPN, or RDP application where the TAC
client component is involved, you will need to install a trusted system
certificate on the endpoints.

If you use a certificate from a private CA (or a self-signed certificate) for
the TAC site, the CA certificate that issued it (or the self-signed certificate
itself) must be added to Trusted Root Certification Authorities under Local
Computer on the endpoint for TAC Client Services to work properly.

Configuring DNS

The administrator has to register the TAC site's public host name(s) with
their public DNS provider so the TAC portal can be reached from the Internet.
If TAC has multiple sites configured, each site's host name must be registered
in DNS with its respective IP.
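A check that ties the certificate and DNS requirements above together: for each TAC site, confirm that the public host name resolves on a public resolver to the site's public IP, and that the certificate bound on the TAC server covers that host name and chains to a trusted root. This is an added example, not part of the PortSys documentation; the host names, addresses and the CA certificate path are assumptions.

```powershell
# Added example, not part of the PortSys documentation: per-site DNS and
# certificate validation. Host names, IPs and the root CA file path are assumptions.
$Sites = @(
    @{ HostName = 'portal.example.com'; PublicIP = '203.0.113.10' }
    @{ HostName = 'files.example.com';  PublicIP = '203.0.113.10' }
)
# Ask an external resolver directly, so a record that exists only in internal
# DNS does not hide a missing public record.
$PublicResolver = '1.1.1.1'

foreach ($s in $Sites) {
    $answer = Resolve-DnsName -Name $s.HostName -Type A -Server $PublicResolver -DnsOnly -ErrorAction SilentlyContinue
    $ips = @($answer | Where-Object { $_.QueryType -eq 'A' } | ForEach-Object { $_.IPAddress })
    $dnsOk = $ips -contains $s.PublicIP

    # Newest certificate with a private key whose SAN/CN lists the host name.
    $cert = Get-ChildItem Cert:\LocalMachine\My |
        Where-Object { $_.HasPrivateKey -and ($_.DnsNameList.Unicode -contains $s.HostName) } |
        Sort-Object NotAfter -Descending | Select-Object -First 1

    $chainOk = $false
    if ($cert) {
        # Builds the chain against the local trust stores under the SSL server policy.
        # On a DMZ box using a private CA this stays $false until the CA root is trusted.
        $chainOk = [bool](Test-Certificate -Cert $cert -Policy SSL -DNSName $s.HostName -ErrorAction SilentlyContinue)
    }

    [pscustomobject]@{
        Site       = $s.HostName
        PublicDns  = $dnsOk
        ResolvedTo = ($ips -join ', ')
        CertFound  = [bool]$cert
        Expires    = $(if ($cert) { $cert.NotAfter } else { $null })
        ChainOk    = $chainOk
    }
}

# On an endpoint that must trust a TAC site signed by a private CA, import the
# CA's root certificate into the machine-wide Trusted Root store (path assumed):
Import-Certificate -FilePath 'C:\certs\corp-root-ca.cer' -CertStoreLocation Cert:\LocalMachine\Root
```

A site that shows PublicDns false but resolves fine from the internal network is the classic split-DNS gap; a site with CertFound true and ChainOk false on the TAC server itself means the same failure will hit every endpoint running the TAC client until the issuing CA is trusted there.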
