In my uneducated opinion you should not need to open any ports on the servers for LDAP replication if they are connected by VPN as this bypasses the firewall. If you run master/slave inside your LAN you may also be able to do away with your server firewall if you want but that is for you to weigh up. Remember as a gateway device the server is normally open to everything on your LAN unless you take active measures to block it.

With regards WINS, on the two remote sites try configuring Windows Networking with WINS support disabled and The WINS server set as your master server's LAN IP.

Well that is not reassuring. We redesigned our whole network around LDAP replication over VPN.

I wish I would of had more than a week to test and implement.

What is driving this is the need for more than 254 IP's combined for all three sites.

Can I get WINS routing so I can use subnets at each site without LDAP replication?

Kevin

I tried to make it working on a local network. I had no success. This is a quote of Peter Baldwin.

Hi Marcel,

The slave provisioning is very picky about all the necessary ports being open (LDAPS, Webconfig and a couple of others that I can't remember). We started work on making the provisioning process more robust, but that's still a work in progress.

I suspect this is now a question for a ticket as it is a professional only option. Do you have a support package?