This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(188.79999999999998, 39%, 28%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EA%3C/text%3E%3C/svg%3E)
Hi all, I can't seem to find a way to allow my GPO to pass through my core router(which has ACL running). I was able to determine that the cause of this was the packets were being blocked by the ACL because if I remove the ACL on the VLAN, the GPO takes effect on the client PC going to my servers.
here are the ACL commands I used in my lab environment, most of them are for AD
permit udp any eq bootpc any eq bootps
permit icmp 10.10.20.0 0.0.0.255 10.10.100.0 0.0.0.255 echo-reply
permit udp 10.10.100.0 0.0.0.255 10.10.20.0 0.0.0.255 eq 138
permit udp 10.10.20.0 0.0.0.255 10.10.100.0 0.0.0.255 eq 138
permit udp 10.10.100.0 0.0.0.255 10.10.20.0 0.0.0.255 eq 137
permit udp 10.10.20.0 0.0.0.255 10.10.100.0 0.0.0.255 eq 137
permit tcp 10.10.100.0 0.0.0.255 10.10.20.0 0.0.0.255 eq 138
permit tcp 10.10.20.0 0.0.0.255 10.10.100.0 0.0.0.255 eq 138
permit udp 10.10.100.0 0.0.0.255 10.10.20.0 0.0.0.255 eq 636
permit udp 10.10.20.0 0.0.0.255 10.10.100.0 0.0.0.255 eq 636
permit tcp 10.10.100.0 0.0.0.255 10.10.20.0 0.0.0.255 eq 636
permit tcp 10.10.20.0 0.0.0.255 10.10.100.0 0.0.0.255 eq 636
permit udp 10.10.100.0 0.0.0.255 10.10.20.0 0.0.0.255 eq 445
permit udp 10.10.20.0 0.0.0.255 10.10.100.0 0.0.0.255 eq 445
permit tcp 10.10.100.0 0.0.0.255 10.10.20.0 0.0.0.255 eq 445
permit tcp 10.10.20.0 0.0.0.255 10.10.100.0 0.0.0.255 eq 445
permit udp 10.10.100.0 0.0.0.255 10.10.20.0 0.0.0.255 eq 464
permit udp 10.10.20.0 0.0.0.255 10.10.100.0 0.0.0.255 eq 464
permit tcp 10.10.100.0 0.0.0.255 10.10.20.0 0.0.0.255 eq 464
permit tcp 10.10.20.0 0.0.0.255 10.10.100.0 0.0.0.255 eq 464
permit tcp 10.10.20.0 0.0.0.255 10.10.100.0 0.0.0.255 eq 123
permit tcp 10.10.20.0 0.0.0.255 10.10.100.0 0.0.0.255 eq 88
permit tcp 10.10.20.0 0.0.0.255 10.10.100.0 0.0.0.255 eq 389
permit tcp 10.10.20.0 0.0.0.255 10.10.100.0 0.0.0.255 eq domain
permit tcp 10.10.100.0 0.0.0.255 10.10.20.0 0.0.0.255 eq telnet
permit tcp 10.10.100.0 0.0.0.255 10.10.20.0 0.0.0.255 eq 123
permit tcp 10.10.100.0 0.0.0.255 10.10.20.0 0.0.0.255 eq 445
permit tcp 10.10.100.0 0.0.0.255 10.10.20.0 0.0.0.255 eq 88
permit tcp 10.10.100.0 0.0.0.255 10.10.20.0 0.0.0.255 eq 389
permit tcp 10.10.100.0 0.0.0.255 10.10.20.0 0.0.0.255 eq domain
permit icmp 10.10.100.0 0.0.0.255 10.10.20.0 0.0.0.255 echo-reply
permit udp 10.10.100.0 0.0.0.255 10.10.20.0 0.0.0.255 eq domain
permit udp 10.10.20.0 0.0.0.255 10.10.100.0 0.0.0.255 eq domain
permit udp 10.10.100.0 0.0.0.255 10.10.20.0 0.0.0.255 eq 389
permit udp 10.10.20.0 0.0.0.255 10.10.100.0 0.0.0.255 eq 389
permit udp 10.10.100.0 0.0.0.255 10.10.20.0 0.0.0.255 eq 123
permit udp 10.10.20.0 0.0.0.255 10.10.100.0 0.0.0.255 eq 123
permit udp 10.10.100.0 0.0.0.255 10.10.20.0 0.0.0.255 eq 88
permit udp 10.10.20.0 0.0.0.255 10.10.100.0 0.0.0.255 eq 88
permit tcp 10.10.20.0 0.0.0.255 10.10.100.0 0.0.0.255 eq 135
permit tcp 10.10.100.0 0.0.0.255 10.10.20.0 0.0.0.255 eq 135
permit tcp 10.10.20.0 0.0.0.255 10.10.100.0 0.0.0.255 eq 3268
permit tcp 10.10.100.0 0.0.0.255 10.10.20.0 0.0.0.255 eq 3268
permit tcp 10.10.20.0 0.0.0.255 10.10.100.0 0.0.0.255 eq 25
permit tcp 10.10.100.0 0.0.0.255 10.10.20.0 0.0.0.255 eq 25
permit tcp 10.10.20.0 0.0.0.255 10.10.100.0 0.0.0.255 eq 3269
permit tcp 10.10.100.0 0.0.0.255 10.10.20.0 0.0.0.255 eq 3269
permit tcp any any eq 443
Note: (10.10.100.0 is my server network and 10.10.20.0 is my Client pc network.)
All of this is from my lab environment.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(96, 62%, 19%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EDZ%3C/text%3E%3C/svg%3E)
Hello @Amiel ,
Good day!
How are things going on your end? Please keep me posted on this issue.
If you have any further questions or concerns about this question, please let us know.
I appreciate your time and efforts.
Best Regards,
Daisy Zhou
============================================
If the Answer is helpful, please click "Accept Answer" and upvote it.
Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.
Hello @Amiel ,
Would you please tell me how things are going on your side. If you have any questions or concerns about the information I provided, please don't hesitate to let us know.
Again thanks for your time and have a nice day!
Best Regards,
Daisy Zhou
============================================
If the Answer is helpful, please click "Accept Answer" and upvote it.
Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.
Hello @Amiel ,
Thank you for posting here.
We can check whether all the ports AD required are open through the ACL on the VLAN.
If no, we can remove the related entries of the ACL on the VLAN.
And then check if the GPO takes effect on the client PC.
For AD ports requirements, we can refer to the links below.
Active Directory and Active Directory Domain Services Port Requirements
https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/dd772723(v=ws.10)?redirectedfrom=MSDN
Active Directory Replication over Firewalls
https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-2000-server/bb727063(v=technet.10)?redirectedfrom=MSDN
Hope the information above is helpful.
Best Regards,
Daisy Zhou
Hi Daisy,
It seemed like my issue is that my client pc which resides on 10.10.20.0 network is unable to request for a policy to my server, Even with all the ports enabled my client is still not able to request for a GPO to the server. I am not sure as to which port should I still try to enable.
by the way @Daisy Zhou do you have an idea which port is used here for the GPO? its saying that it has dynamic TCP and UDP
Hello @Amiel ,
Thank you for your update.
We can check the following ports on ACL so that the traffice can pass from client to Domain Controller (I mean the traffice does not block by ACL on router.).
Best Regards,
Daisy Zhou
If the Answer is helpful, please click "Accept Answer" and upvote it.
Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.