My GPO(Group Policy Object) is being blocked by my ACL

Amiel 1 Reputation point
2020-09-02T09:30:18.587+00:00

Hi all, I can't seem to find a way to allow my GPO to pass through my core router(which has ACL running). I was able to determine that the cause of this was the packets were being blocked by the ACL because if I remove the ACL on the VLAN, the GPO takes effect on the client PC going to my servers.

here are the ACL commands I used in my lab environment, most of them are for AD

permit udp any eq bootpc any eq bootps
permit icmp 10.10.20.0 0.0.0.255 10.10.100.0 0.0.0.255 echo-reply
permit udp 10.10.100.0 0.0.0.255 10.10.20.0 0.0.0.255 eq 138
permit udp 10.10.20.0 0.0.0.255 10.10.100.0 0.0.0.255 eq 138
permit udp 10.10.100.0 0.0.0.255 10.10.20.0 0.0.0.255 eq 137
permit udp 10.10.20.0 0.0.0.255 10.10.100.0 0.0.0.255 eq 137
permit tcp 10.10.100.0 0.0.0.255 10.10.20.0 0.0.0.255 eq 138
permit tcp 10.10.20.0 0.0.0.255 10.10.100.0 0.0.0.255 eq 138
permit udp 10.10.100.0 0.0.0.255 10.10.20.0 0.0.0.255 eq 636
permit udp 10.10.20.0 0.0.0.255 10.10.100.0 0.0.0.255 eq 636
permit tcp 10.10.100.0 0.0.0.255 10.10.20.0 0.0.0.255 eq 636
permit tcp 10.10.20.0 0.0.0.255 10.10.100.0 0.0.0.255 eq 636
permit udp 10.10.100.0 0.0.0.255 10.10.20.0 0.0.0.255 eq 445
permit udp 10.10.20.0 0.0.0.255 10.10.100.0 0.0.0.255 eq 445
permit tcp 10.10.100.0 0.0.0.255 10.10.20.0 0.0.0.255 eq 445
permit tcp 10.10.20.0 0.0.0.255 10.10.100.0 0.0.0.255 eq 445
permit udp 10.10.100.0 0.0.0.255 10.10.20.0 0.0.0.255 eq 464
permit udp 10.10.20.0 0.0.0.255 10.10.100.0 0.0.0.255 eq 464
permit tcp 10.10.100.0 0.0.0.255 10.10.20.0 0.0.0.255 eq 464
permit tcp 10.10.20.0 0.0.0.255 10.10.100.0 0.0.0.255 eq 464
permit tcp 10.10.20.0 0.0.0.255 10.10.100.0 0.0.0.255 eq 123
permit tcp 10.10.20.0 0.0.0.255 10.10.100.0 0.0.0.255 eq 88
permit tcp 10.10.20.0 0.0.0.255 10.10.100.0 0.0.0.255 eq 389
permit tcp 10.10.20.0 0.0.0.255 10.10.100.0 0.0.0.255 eq domain
permit tcp 10.10.100.0 0.0.0.255 10.10.20.0 0.0.0.255 eq telnet
permit tcp 10.10.100.0 0.0.0.255 10.10.20.0 0.0.0.255 eq 123
permit tcp 10.10.100.0 0.0.0.255 10.10.20.0 0.0.0.255 eq 445
permit tcp 10.10.100.0 0.0.0.255 10.10.20.0 0.0.0.255 eq 88
permit tcp 10.10.100.0 0.0.0.255 10.10.20.0 0.0.0.255 eq 389
permit tcp 10.10.100.0 0.0.0.255 10.10.20.0 0.0.0.255 eq domain
permit icmp 10.10.100.0 0.0.0.255 10.10.20.0 0.0.0.255 echo-reply
permit udp 10.10.100.0 0.0.0.255 10.10.20.0 0.0.0.255 eq domain
permit udp 10.10.20.0 0.0.0.255 10.10.100.0 0.0.0.255 eq domain
permit udp 10.10.100.0 0.0.0.255 10.10.20.0 0.0.0.255 eq 389
permit udp 10.10.20.0 0.0.0.255 10.10.100.0 0.0.0.255 eq 389
permit udp 10.10.100.0 0.0.0.255 10.10.20.0 0.0.0.255 eq 123
permit udp 10.10.20.0 0.0.0.255 10.10.100.0 0.0.0.255 eq 123
permit udp 10.10.100.0 0.0.0.255 10.10.20.0 0.0.0.255 eq 88
permit udp 10.10.20.0 0.0.0.255 10.10.100.0 0.0.0.255 eq 88
permit tcp 10.10.20.0 0.0.0.255 10.10.100.0 0.0.0.255 eq 135
permit tcp 10.10.100.0 0.0.0.255 10.10.20.0 0.0.0.255 eq 135
permit tcp 10.10.20.0 0.0.0.255 10.10.100.0 0.0.0.255 eq 3268
permit tcp 10.10.100.0 0.0.0.255 10.10.20.0 0.0.0.255 eq 3268
permit tcp 10.10.20.0 0.0.0.255 10.10.100.0 0.0.0.255 eq 25
permit tcp 10.10.100.0 0.0.0.255 10.10.20.0 0.0.0.255 eq 25
permit tcp 10.10.20.0 0.0.0.255 10.10.100.0 0.0.0.255 eq 3269
permit tcp 10.10.100.0 0.0.0.255 10.10.20.0 0.0.0.255 eq 3269
permit tcp any any eq 443

Note: (10.10.100.0 is my server network and 10.10.20.0 is my Client pc network.)

All of this is from my lab environment.

Windows for business | Windows Client for IT Pros | Directory services | Active Directory
Windows for business | Windows Server | Devices and deployment | Configure application groups
Windows for business | Windows Client for IT Pros | User experience | Other
{count} votes

1 answer

Sort by: Most helpful
  1. Anonymous
    2020-09-03T01:51:13.547+00:00

    Hello @Amiel ,

    Thank you for posting here.

    We can check whether all the ports AD required are open through the ACL on the VLAN.

    If no, we can remove the related entries of the ACL on the VLAN.

    And then check if the GPO takes effect on the client PC.

    For AD ports requirements, we can refer to the links below.

    Active Directory and Active Directory Domain Services Port Requirements
    https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/dd772723(v=ws.10)?redirectedfrom=MSDN

    Active Directory Replication over Firewalls
    https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-2000-server/bb727063(v=technet.10)?redirectedfrom=MSDN

    Hope the information above is helpful.

    Best Regards,
    Daisy Zhou


Your answer

Answers can be marked as Accepted Answers by the question author, which helps users to know the answer solved the author's problem.