Configure TAC Server Infrastructure

Download as pdf or txt
Download as pdf or txt
You are on page 1of 6

Configure TAC Server Infrastructure

Configuring TAC Server Network Settings.


The following network settings are required for a standalone server deployment.
All IP addresses are configured using the change adapter settings in the Network
and Sharing center utility.

TAC in public facing topology


Two Network Interface cards are recommended.
At least 1 static public IP on public facing interface
At least 1 static private IP for internal facing network

The recommended network configuration for dual NIC environment is as follows:

Network Properties Public Interface Private Interface


Static IP address Yes Yes
Gateway Yes No

DNS No Yes

In a 2 NIC topology scenario, it is advisable to do initial TAC server preparation by


configure Internal NIC first and add the server to domain before add secondary NIC.
(public facing NIC).

Some of our customer network scenarios are not falling to proper network profiles
(domain for internal NIC & public for external NIC) that may cause communication
issues when TAC is in array.

TAC behind Firewall /NAT device


1 Network Interface card connected to the private network.
At least 1 static private IP address
An Internal DNS infrastructure with forwarders can be used for public name
resolution.
Configure server domain settings.
Running TAC in workgroup mode.

Note - Portsys does not recommend using TAC in workgroup mode. It


works best when joined to a domain.

TAC will work as an independent server in the network. When it is in the DMZ, it is
possible to leave it as a workgroup computer. Here are some limitations when
using TAC is in the workgroup:

Not able to do NTLM authentication for external clients


No VPN application
No FileAccess

TAC in Domain mode

A Domain joined TAC server supports all of the TAC operations.

Use system properties to join the TAC server to the domain. The TAC server name
must set before applying the TAC license as changing server name will require the
request of new license key from PortSys.

Configuring Internal/ External Firewalls between TAC Servers and back-


end application servers.

When the TAC server is behind a firewall or placed in a internal/external DMZ, the
following firewall ports are required to be to open

Workgroup Mode

Source Destination Port Description

Outside Access to
Internet TAC Server 443 Portal

Outside Access to
Internet TAC Server 80 Portal
TAC Internal TCP & UDP TAC to AD server
Server subnet 389 lookups

TAC Internal TCP & UDP


Server subnet 53 TAC DNS lookups

TAC Internal
Server Subnet TCP 3268 LDAP GC

TAC Internal TCP and


Server Subnet UDP 88 Kerberos

Domain Joined

Protocol /
Source Destination Port Description

TAC Server Outside Access to


Internet External IP 443 Portal

TAC Server Outside Access to


Internet External IP 80 Portal

TAC TCP & UDP TAC to AD server


Server AD Server IP 389 lookups

TAC DNS Server TCP & UDP


Server IP 53 TAC DNS lookups

TAC AD/GC
Server Server IP TCP 3268 LDAP GC

TAC AD/GC
Server Server IP TCP 636 Secure LDAP

TAC AD/GC
Server Server IP TCP 3269 Secure LDAP GC
SMB,CIFS,SMB2,
DFSN, LSARPC, NbtSS,
TAC AD/DC TCP & UDP NetLogonR, SamR,
Server Server IP 445 SrvSvc

TAC AD/DC
Server Server IP TCP 135 RPC, EPM

RPC, DCOM, EPM,


TAC AD/DC TCP DRSUAPI, NetLogonR,
Server Server IP Dynamic SamR, FRS

TAC AD/DC
Server Server IP TCP 5722 RPC, DFSR (SYSVOL)

TAC AD/Time
Server Server IP UDP 123 Windows Time

TAC AD/DC TCP & UDP Kerberos change/set


Server Server IP 464 password

TAC AD/DC UDP


Server Server IP Dynamic DCOM, RPC, EPM

DFSN, NetLogon,
TAC AD/DC NetBIOS Datagram
Server Server IP UDP 138 Service

TAC AD/DC
Server Server IP UDP 9389 SOAP
TAC DHCP UDP 67 &
Server Server IP UDP 2535 DHCP, MADCAP

TAC AD/DC TCP and


Server Server IP UDP 88 Kerberos

More information can be found here: https://technet.microsoft.com/en-


us/library/dd772723(v=ws.10).aspx

Additional Ports may need to open based on the application published needs.

TAC in Array

* If TAC array nodes are placed behind firewalls following additional ports needs to
open apart to above ports in domain joined

Source Destination Protocol /Port Description


TAC manager TAC member
internal IP internal IP and TAC server
TCP 2070 -2080
and TAC member TAC manager Communication
internal IP internal IP
TAC manager TAC member TCP / 1025 - RPC Dynamic
internal IP internal IP 5000 ports range for
and TAC member and TAC manager TCP / 49152 - service
internal IP internal IP 65535 communication

TAC manager TAC member


internal IP internal IP RPC endpoint
TCP 135
and TAC member and TAC manager mapper service
internal IP internal IP

The above ports and ranges should be opened between all servers in the array in
both directions.
Configuring Certificate

TAC requires a publicly resolvable certificate to be installed on the TAC server for
secure communication.

A SSL certificate is required on the TAC server. The certificate must be issued by
public certification authority (CA).

You may need to add multiple certificates for different applications that have
alternate public host names.

Further, you may need to install certificates on endpoints to trust the connectivity
between endpoints and TAC Gateway. If you publish generic client server
application or VPN or RDP application where the TAC client component is involved,
you will need to install trusted system certificate on endpoints.

If you use a self-signed certificate (issued by a custom CA) for the TAC site, the CA
that issued cert has to be added to Trusted Root Certificate Authority under Local
Computer on the end-point in order for the the TAC Client Services to work
properly.

Configuring DNS

The Administrator has to register the TAC Site’s public host name(s) in their public
DNS authority to access the TAC Portal from the internet. If TAC has multiple sites
configured, those sites need to register in the DNS with the respective IPs.

You might also like