My GPO(Group Policy Object) is being blocked by my ACL

Question

My GPO(Group Policy Object) is being blocked by my ACL

Amiel 1

Hi all, I can't seem to find a way to allow my GPO to pass through my core router(which has ACL running). I was able to determine that the cause of this was the packets were being blocked by the ACL because if I remove the ACL on the VLAN, the GPO takes effect on the client PC going to my servers.

here are the ACL commands I used in my lab environment, most of them are for AD

permit udp any eq bootpc any eq bootps
permit icmp 10.10.20.0 0.0.0.255 10.10.100.0 0.0.0.255 echo-reply
permit udp 10.10.100.0 0.0.0.255 10.10.20.0 0.0.0.255 eq 138
permit udp 10.10.20.0 0.0.0.255 10.10.100.0 0.0.0.255 eq 138
permit udp 10.10.100.0 0.0.0.255 10.10.20.0 0.0.0.255 eq 137
permit udp 10.10.20.0 0.0.0.255 10.10.100.0 0.0.0.255 eq 137
permit tcp 10.10.100.0 0.0.0.255 10.10.20.0 0.0.0.255 eq 138
permit tcp 10.10.20.0 0.0.0.255 10.10.100.0 0.0.0.255 eq 138
permit udp 10.10.100.0 0.0.0.255 10.10.20.0 0.0.0.255 eq 636
permit udp 10.10.20.0 0.0.0.255 10.10.100.0 0.0.0.255 eq 636
permit tcp 10.10.100.0 0.0.0.255 10.10.20.0 0.0.0.255 eq 636
permit tcp 10.10.20.0 0.0.0.255 10.10.100.0 0.0.0.255 eq 636
permit udp 10.10.100.0 0.0.0.255 10.10.20.0 0.0.0.255 eq 445
permit udp 10.10.20.0 0.0.0.255 10.10.100.0 0.0.0.255 eq 445
permit tcp 10.10.100.0 0.0.0.255 10.10.20.0 0.0.0.255 eq 445
permit tcp 10.10.20.0 0.0.0.255 10.10.100.0 0.0.0.255 eq 445
permit udp 10.10.100.0 0.0.0.255 10.10.20.0 0.0.0.255 eq 464
permit udp 10.10.20.0 0.0.0.255 10.10.100.0 0.0.0.255 eq 464
permit tcp 10.10.100.0 0.0.0.255 10.10.20.0 0.0.0.255 eq 464
permit tcp 10.10.20.0 0.0.0.255 10.10.100.0 0.0.0.255 eq 464
permit tcp 10.10.20.0 0.0.0.255 10.10.100.0 0.0.0.255 eq 123
permit tcp 10.10.20.0 0.0.0.255 10.10.100.0 0.0.0.255 eq 88
permit tcp 10.10.20.0 0.0.0.255 10.10.100.0 0.0.0.255 eq 389
permit tcp 10.10.20.0 0.0.0.255 10.10.100.0 0.0.0.255 eq domain
permit tcp 10.10.100.0 0.0.0.255 10.10.20.0 0.0.0.255 eq telnet
permit tcp 10.10.100.0 0.0.0.255 10.10.20.0 0.0.0.255 eq 123
permit tcp 10.10.100.0 0.0.0.255 10.10.20.0 0.0.0.255 eq 445
permit tcp 10.10.100.0 0.0.0.255 10.10.20.0 0.0.0.255 eq 88
permit tcp 10.10.100.0 0.0.0.255 10.10.20.0 0.0.0.255 eq 389
permit tcp 10.10.100.0 0.0.0.255 10.10.20.0 0.0.0.255 eq domain
permit icmp 10.10.100.0 0.0.0.255 10.10.20.0 0.0.0.255 echo-reply
permit udp 10.10.100.0 0.0.0.255 10.10.20.0 0.0.0.255 eq domain
permit udp 10.10.20.0 0.0.0.255 10.10.100.0 0.0.0.255 eq domain
permit udp 10.10.100.0 0.0.0.255 10.10.20.0 0.0.0.255 eq 389
permit udp 10.10.20.0 0.0.0.255 10.10.100.0 0.0.0.255 eq 389
permit udp 10.10.100.0 0.0.0.255 10.10.20.0 0.0.0.255 eq 123
permit udp 10.10.20.0 0.0.0.255 10.10.100.0 0.0.0.255 eq 123
permit udp 10.10.100.0 0.0.0.255 10.10.20.0 0.0.0.255 eq 88
permit udp 10.10.20.0 0.0.0.255 10.10.100.0 0.0.0.255 eq 88
permit tcp 10.10.20.0 0.0.0.255 10.10.100.0 0.0.0.255 eq 135
permit tcp 10.10.100.0 0.0.0.255 10.10.20.0 0.0.0.255 eq 135
permit tcp 10.10.20.0 0.0.0.255 10.10.100.0 0.0.0.255 eq 3268
permit tcp 10.10.100.0 0.0.0.255 10.10.20.0 0.0.0.255 eq 3268
permit tcp 10.10.20.0 0.0.0.255 10.10.100.0 0.0.0.255 eq 25
permit tcp 10.10.100.0 0.0.0.255 10.10.20.0 0.0.0.255 eq 25
permit tcp 10.10.20.0 0.0.0.255 10.10.100.0 0.0.0.255 eq 3269
permit tcp 10.10.100.0 0.0.0.255 10.10.20.0 0.0.0.255 eq 3269
permit tcp any any eq 443

Note: (10.10.100.0 is my server network and 10.10.20.0 is my Client pc network.)

All of this is from my lab environment.

Daisy Zhou 12,921 Reputation points Microsoft Employee

2020-09-07T08:39:44.207+00:00

Hello @Amiel ,

Good day!

How are things going on your end? Please keep me posted on this issue.
If you have any further questions or concerns about this question, please let us know.
I appreciate your time and efforts.

Best Regards,
Daisy Zhou

============================================

If the Answer is helpful, please click "Accept Answer" and upvote it.
Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.
Daisy Zhou 12,921 Reputation points Microsoft Employee

2020-09-09T08:22:15.687+00:00

Hello @Amiel ,
Would you please tell me how things are going on your side. If you have any questions or concerns about the information I provided, please don't hesitate to let us know.
Again thanks for your time and have a nice day!

Best Regards,
Daisy Zhou

============================================

If the Answer is helpful, please click "Accept Answer" and upvote it.
Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.

Daisy Zhou 12,921 Reputation points Microsoft Employee

2020-09-07T08:39:44.207+00:00

Hello @Amiel ,

Good day!

How are things going on your end? Please keep me posted on this issue.
If you have any further questions or concerns about this question, please let us know.
I appreciate your time and efforts.

Best Regards,
Daisy Zhou

============================================

If the Answer is helpful, please click "Accept Answer" and upvote it.
Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.
Daisy Zhou 12,921 Reputation points Microsoft Employee

2020-09-09T08:22:15.687+00:00

Hello @Amiel ,
Would you please tell me how things are going on your side. If you have any questions or concerns about the information I provided, please don't hesitate to let us know.
Again thanks for your time and have a nice day!

Best Regards,
Daisy Zhou

============================================

If the Answer is helpful, please click "Accept Answer" and upvote it.
Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.

Answer 1

Daisy Zhou 12,921 Microsoft Employee

Hello @Amiel ,

Thank you for posting here.

We can check whether all the ports AD required are open through the ACL on the VLAN.

If no, we can remove the related entries of the ACL on the VLAN.

And then check if the GPO takes effect on the client PC.

For AD ports requirements, we can refer to the links below.

Active Directory and Active Directory Domain Services Port Requirements
https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/dd772723(v=ws.10)?redirectedfrom=MSDN

Active Directory Replication over Firewalls
https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-2000-server/bb727063(v=technet.10)?redirectedfrom=MSDN

Hope the information above is helpful.

Best Regards,
Daisy Zhou

Amiel 1 Reputation point

2020-09-03T14:27:53.193+00:00

Hi Daisy,

It seemed like my issue is that my client pc which resides on 10.10.20.0 network is unable to request for a policy to my server, Even with all the ports enabled my client is still not able to request for a GPO to the server. I am not sure as to which port should I still try to enable.
Amiel 1 Reputation point

2020-09-03T14:34:28.013+00:00

by the way @Daisy Zhou do you have an idea which port is used here for the GPO? its saying that it has dynamic TCP and UDP

https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/dd772723(v=ws.10)?redirectedfrom=MSDN
Daisy Zhou 12,921 Reputation points Microsoft Employee

2020-09-04T05:47:43.903+00:00

Hello @Amiel ,

Thank you for your update.

We can check the following ports on ACL so that the traffice can pass from client to Domain Controller （I mean the traffice does not block by ACL on router.）.

Best Regards,
Daisy Zhou

If the Answer is helpful, please click "Accept Answer" and upvote it.
Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.

My GPO(Group Policy Object) is being blocked by my ACL

1 answer

Activity