Below are diagrams of two typical deployments of RADIUS integration:

Deployment 1: Compact

In this compact deployment, both the DualShield Authentication Server (DAS) and the DualShield RADIUS Server (DRS) are installed and operating on one single server machine that resides in the corporate network.

Deployment 2: Extended

In this extended deployment, the DualShield Authentication Server (DAS) is installed on a server machine that resides in the corporate network, and the DualShield RADIUS Server (DRS) is installed on a server machine that resides in the DMZ. 

Ports & Protocols

Port   Protocol   Function                 Comment
1812   UDP        RADIUS authentication
1813   UDP        RADIUS accounting        Optional in most cases
8090   TCP        RADIUS management        Used by the DualShield Authentication Server to manage the RADIUS server
389    TCP        LDAP                     Used in communication between the DualShield Authentication Server and the AD server
636    TCP        LDAPS                    Used in communication between the DualShield Authentication Server and the AD server

You will need to configure the local Windows firewall and the network firewall to allow connections to these ports. Ports 1812, 1813 and 8090 are inbound on the machine running the DualShield RADIUS Server; ports 389 and 636 are outbound from the DualShield Authentication Server to the AD server. In the extended deployment, where the DRS sits in the DMZ, the network firewall must therefore pass 1812/1813 from the RADIUS clients to the DRS and 8090 from the DAS to the DRS; nothing else needs to reach the DRS from the corporate network.

Windows Firewall Configuration

From the Server Manager window select "Tools | Windows Firewall with Advanced Security";

A window will now open titled "Windows Firewall with Advanced Security" that will show the firewall overview for each profile (Domain, Private and Public);

Domain: traffic to and from a network on which the computer can detect a domain controller of the domain to which it is joined.

Private: traffic to and from the local server or the local network to which it is attached.

Public: traffic to and from non-local sources such as the Internet.

Adding Firewall Rules for the Inbound Ports

The default RADIUS server listens on ports 1812 (UDP), 1813 (UDP) and 8090 (TCP); these ports need to be opened for inbound traffic.

To select ports for inbound traffic select "Inbound Rules" as indicated below;

You will now need to add firewall rules for the three required inbound ports. The procedure below is identical for each port; run it once for 1812/UDP, once for 1813/UDP and once for 8090/TCP;

From the window titled "Windows Firewall with Advanced Security", right-click "Inbound Rules", then select "New Rule...";

A new window will open titled "New Inbound Rule Wizard" with the sub-heading "Rule Type". Select "Port", then click "Next";

The sub-heading will now be updated to "Protocol and Ports". Select "UDP" for the 1812 and 1813 rules, or "TCP" for the 8090 rule;

Select "Specific local ports" and enter the port value for this rule (1812, 1813 or 8090), then click "Next";

The sub-heading will now be updated to "Action". Select "Allow the connection", then click "Next";

The sub-heading will now be updated to "Profile". Select which profiles the rule applies to, then click "Next". A rule only takes effect on network connections assigned to the selected profiles, so make sure the profile that the server's network adapter is actually using is included (normally Domain for a domain-joined server);

The sub-heading will now be updated to "Name". Provide a meaningful name and description for the port that is being defined, then click "Finish";


Once you have created all three inbound rules, the firewall will allow the RADIUS server to accept connections from the network. Note that rules created by the wizard accept traffic from any remote address; on a DMZ host in particular, open each rule's Properties and, on the "Scope" tab, restrict "Remote IP address" to the RADIUS clients for 1812/1813 and to the DualShield Authentication Server for 8090, so that the DRS exposes no more than it must.
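The same three rules can be created and checked from an elevated PowerShell prompt on the DRS instead of clicking through the wizard. The script below is an added example and is not part of the DualShield documentation or product; it uses the built-in NetSecurity cmdlets. The rule names, the RADIUS client ranges and the DAS address are assumptions for illustration and must be replaced with your own values.

```powershell
# Added example (not from the DualShield documentation): create the three inbound
# rules from the Ports & Protocols table with PowerShell, scoped to the hosts that
# legitimately need to reach them, then verify the result.
# Run in an elevated PowerShell prompt on the DualShield RADIUS Server (DRS).
#
# The addresses below are assumptions for illustration: replace them with your own
# RADIUS clients (NAS devices, VPN gateways) and the address of the DAS.
$RadiusClients = @('10.0.1.0/24', '10.0.2.10')   # assumed NAS / VPN gateway addresses
$DasAddress    = '10.0.0.5'                      # assumed DualShield Authentication Server address
$Profiles      = 'Domain'                        # adjust to the profile the DRS adapter actually uses

$Rules = @(
    @{ Name = 'DualShield RADIUS Authentication (UDP 1812)'; Protocol = 'UDP'; Port = 1812; Remote = $RadiusClients }
    @{ Name = 'DualShield RADIUS Accounting (UDP 1813)';     Protocol = 'UDP'; Port = 1813; Remote = $RadiusClients }
    @{ Name = 'DualShield RADIUS Management (TCP 8090)';     Protocol = 'TCP'; Port = 8090; Remote = $DasAddress }
)

foreach ($r in $Rules) {
    # Idempotent: replace any earlier rule of the same name rather than adding a duplicate.
    Get-NetFirewallRule -DisplayName $r.Name -ErrorAction SilentlyContinue | Remove-NetFirewallRule

    New-NetFirewallRule -DisplayName $r.Name `
        -Description "Inbound $($r.Protocol) $($r.Port) for the DualShield RADIUS Server" `
        -Direction Inbound `
        -Protocol $r.Protocol `
        -LocalPort $r.Port `
        -RemoteAddress $r.Remote `
        -Action Allow `
        -Profile $Profiles `
        -Enabled True | Out-Null
}

# Verification 1: the rules exist, are enabled, and carry the expected port and
# remote-address filters (the wizard would have left the remote address as "Any").
Get-NetFirewallRule -DisplayName 'DualShield RADIUS*' |
    ForEach-Object {
        $pf = $_ | Get-NetFirewallPortFilter
        $af = $_ | Get-NetFirewallAddressFilter
        [pscustomobject]@{
            Rule     = $_.DisplayName
            Enabled  = $_.Enabled
            Protocol = $pf.Protocol
            Port     = $pf.LocalPort
            Remote   = ($af.RemoteAddress -join ',')
        }
    } | Format-Table -AutoSize

# Verification 2: the DRS is actually listening on those ports. An allow rule for a
# port nothing listens on is a common cause of "firewall is open but RADIUS fails".
Get-NetUDPEndpoint -LocalPort 1812, 1813 -ErrorAction SilentlyContinue |
    Select-Object LocalAddress, LocalPort, OwningProcess
Get-NetTCPConnection -LocalPort 8090 -State Listen -ErrorAction SilentlyContinue |
    Select-Object LocalAddress, LocalPort, OwningProcess
```

The -RemoteAddress parameter is what makes these rules tighter than the wizard's defaults: 1812/1813 are reachable only from the RADIUS clients and 8090 only from the DAS, which is the exposure the extended (DMZ) deployment should have. If the second verification shows no listener, the rule is correct but the DualShield RADIUS Server service is not running or is bound to a different port, and that is where to look next.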
