Alexander’s Blog

September 7, 2005

Configuring Domain Trusts Across a Firewall

by @ 7:48 pm. Filed under Active Directory, Windows 2003

Here are some of the ports that you will need to open (on both ends) if you want to configure a domain trust across the firewall.

The following ports need to be opened if you have one of the following:

1. A mixed mode domain with either NT domain controllers or legacy clients
2. Trust relationship between two Win2K-based or between two Win2K3-based domain controllers that are not in the same forest

In addition, you should also allow Internet Control Message Protocol (ICMP). This is necessary for Active Directory to work properly. Clients will use ICMP across the firewall to receive Group Policies. ICMP is used to determine whether the link is a slow or a fast link, which is a setting you can configure in a Group Policy. ICMP is also used to detect the Maximum Transmission Unit (MTU). Because ICMP is directly hosted by the IP layer it doesn’t use a specific TCP or UDP port. What you need to do is to configure the firewall to allow ICMP, but for security purposes you can always configure the firewall to allow ICMP only from the clients to the domain controller’s IP.

Needless to say, you can always configure a Virtual Private Network (VPN) across the Internet or across a firewall so you don’t have to open so many ports. For PPTP you will configure TCP Port 1723 and Protocol ID 47 (GRE). On the client side you need to open TCP ports 1024-65535.
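As an added example (not code from the post), the following Python model puts the two ICMP choices from the paragraphs above side by side: the loose "allow ICMP from anywhere" rule versus ICMP scoped to the clients and the domain controller's IP, together with the PPTP rules (TCP 1723, GRE protocol 47, and the client-side TCP 1024-65535 opening). The addresses, the client subnet and the idea of a separate PPTP endpoint are constructed assumptions; the evaluator is a default-deny allow list, which is how a practitioner would expect a perimeter firewall to behave.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed sample addressing (assumption, not from the post).
DC_IP = ipaddress.ip_network("10.0.0.10/32")        # domain controller
VPN_SERVER = ipaddress.ip_network("10.0.0.11/32")   # assumed PPTP endpoint
CLIENT_NET = ipaddress.ip_network("192.168.1.0/24") # clients behind the firewall
ANY = ipaddress.ip_network("0.0.0.0/0")

# IP protocol numbers. GRE = 47 is the "Protocol ID 47" the post refers to.
ICMP, TCP, GRE = 1, 6, 47


@dataclass(frozen=True)
class Packet:
    proto: int
    src: str
    dst: str
    dport: Optional[int] = None  # destination port; only meaningful for TCP/UDP


@dataclass(frozen=True)
class Rule:
    proto: int
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dports: Optional[range] = None  # None = port is not part of the match (ICMP, GRE)

    def matches(self, p: Packet) -> bool:
        if p.proto != self.proto:
            return False
        if ipaddress.ip_address(p.src) not in self.src:
            return False
        if ipaddress.ip_address(p.dst) not in self.dst:
            return False
        if self.dports is not None and (p.dport is None or p.dport not in self.dports):
            return False
        return True


def permitted(policy, p: Packet) -> bool:
    """Allow list with an implicit default deny: a packet passes only if some rule matches."""
    return any(rule.matches(p) for rule in policy)


# Weak form: "allow ICMP" with no source or destination scoping.
LOOSE_ICMP = [Rule(ICMP, ANY, ANY)]

# Hardened form, as the post suggests: ICMP only from the clients to the DC's IP,
# plus the PPTP rules so the remaining trust traffic can ride the VPN instead of
# needing its own openings.
SCOPED = [
    Rule(ICMP, CLIENT_NET, DC_IP),
    Rule(TCP, CLIENT_NET, VPN_SERVER, range(1723, 1724)),   # PPTP control channel
    Rule(GRE, CLIENT_NET, VPN_SERVER),                      # PPTP data, protocol 47
    # Client-side opening named in the post: TCP 1024-65535 towards the clients.
    Rule(TCP, VPN_SERVER, CLIENT_NET, range(1024, 65536)),
]


if __name__ == "__main__":
    probes = [
        ("ICMP client -> DC", Packet(ICMP, "192.168.1.5", "10.0.0.10")),
        ("ICMP outsider -> DC", Packet(ICMP, "203.0.113.7", "10.0.0.10")),
        ("PPTP control", Packet(TCP, "192.168.1.5", "10.0.0.11", 1723)),
        ("GRE outsider", Packet(GRE, "203.0.113.7", "10.0.0.11")),
    ]
    for label, pkt in probes:
        print(f"{label:22} loose={permitted(LOOSE_ICMP, pkt)!s:5} scoped={permitted(SCOPED, pkt)}")
```

Running the script shows the difference the post is getting at: the loose rule lets ICMP through from any source, while the scoped policy answers only for the clients' subnet talking to the domain controller, and everything not listed (including ICMP to the VPN endpoint, or TCP 1724 to it) is dropped by the default deny.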

There are a few additional things that you need to know. Microsoft addresses these in a KB article Q179442.


Copyright ©2005 Zubair Alexander. All rights reserved.
