Question:
How Do I Configure a Firewall to Support Directory Services Outside the DMZ?
Answer:
MassTransit 5.1 and later can authenticate application and web client contacts against Active Directory on Windows 2000 Server and later. Because a MassTransit system may sit outside an organization's internal firewall, in the demilitarized zone (DMZ), the firewall may need to be opened on the directory ports so that Active Directory queries from the MassTransit server can pass through without hindrance.
Ports Used by MassTransit
MassTransit uses TCP and UDP port 389 to communicate with Active Directory. This is the default LDAP port for Active Directory. If your organization uses a different port number, or if your firewall performs port forwarding/mapping, you can specify the port MassTransit should use in the MassTransitEngine.cfg file. This file is located in the root folder of your MassTransit installation, which is generally:
- Windows, MassTransit version 5: C:\Program Files\Group Logic\MassTransit Server 5
- Windows, MassTransit version 6: C:\Program Files\Group Logic\MassTransit Server 6
- Macintosh, MassTransit version 5: Macintosh HD:Applications:MassTransit Server 5
- Macintosh, MassTransit version 6: Macintosh HD:Applications:MassTransit Server 6
In the Directory Services Settings of the MassTransitEngine.cfg file, locate the LDAP_SERVER_PORT option. The default port is 389. Change this to the port in use by your organization.
When complete, restart the MassTransit Engine to apply the changes.
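The following script is an added example, not part of this article or of the MassTransit product. It reads and rewrites the LDAP_SERVER_PORT setting and then performs a plain TCP connect from the MassTransit host to the directory server on that port, which is a quick way to confirm that the firewall rule actually lets the query traffic through before the engine is restarted. The "KEY = VALUE" line layout of MassTransitEngine.cfg, the sample configuration text and the DC_HOST placeholder are assumptions; the real file's syntax is not shown in the article.

```python
import re
import socket
from typing import Optional

# Constructed sample config in an assumed "KEY = VALUE" layout.
# The real MassTransitEngine.cfg syntax is not documented on this page.
SAMPLE_CFG = """\
# Directory Services Settings (constructed sample, assumed layout)
LDAP_SERVER_PORT = 389
"""

_LINE_RE = re.compile(r"^\s*([A-Z0-9_]+)\s*=\s*(\S+)\s*$")


def read_ldap_port(cfg_text: str) -> Optional[int]:
    """Return LDAP_SERVER_PORT as an int, or None if it is missing or not a valid port."""
    for line in cfg_text.splitlines():
        m = _LINE_RE.match(line)
        if m and m.group(1) == "LDAP_SERVER_PORT":
            try:
                port = int(m.group(2))
            except ValueError:
                return None
            return port if 1 <= port <= 65535 else None
    return None


def set_ldap_port(cfg_text: str, port: int) -> str:
    """Rewrite (or append) LDAP_SERVER_PORT while leaving every other line untouched."""
    if not 1 <= port <= 65535:
        raise ValueError(f"port out of range: {port}")
    out, replaced = [], False
    for line in cfg_text.splitlines():
        m = _LINE_RE.match(line)
        if m and m.group(1) == "LDAP_SERVER_PORT":
            out.append(f"LDAP_SERVER_PORT = {port}")
            replaced = True
        else:
            out.append(line)
    if not replaced:
        out.append(f"LDAP_SERVER_PORT = {port}")
    return "\n".join(out) + "\n"


def tcp_port_reachable(host: str, port: int, timeout: float = 3.0) -> bool:
    """TCP connect test from this host (the DMZ server) to the directory server.

    Only the TCP side of the firewall rule is exercised here; UDP 389 is not
    checked by a connect() and needs a separate test.
    """
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:  # refused, timed out, or name resolution failed
        return False


def check_config_and_firewall(cfg_text: str, dc_host: str) -> dict:
    """Combine the two checks: is the configured port sane, and is it reachable?"""
    port = read_ldap_port(cfg_text)
    if port is None:
        return {"port": None, "config_ok": False, "reachable": False}
    return {"port": port, "config_ok": True,
            "reachable": tcp_port_reachable(dc_host, port)}


if __name__ == "__main__":
    # DC_HOST is a placeholder; substitute your domain controller's name or IP.
    print(check_config_and_firewall(SAMPLE_CFG, "DC_HOST.example.invalid"))
```

Run it on the MassTransit server itself, since that is the host whose traffic the firewall rule must allow; a successful check from an internal workstation says nothing about the DMZ path. If you remap the port with set_ldap_port, the firewall rule has to match the new value, and the engine still needs a restart for the change to take effect.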