Re: Windows 2K RRAS VPN on DMZ can't authenticate users

From: David Hodgson (david.hodgson_at_vianet.co.uk)
Date: 05/25/04


Date: Tue, 25 May 2004 17:03:22 +0100


> How can it be part of the domain when it is out in the DMZ?

Because when it uses AD to authenticate users it needs to be on the same
domain (right or wrong?).

> All 65,000+ of them? What's the point in having the Firewall?

I should have said all the ports are open between the VPN Server and the
Internal network; it's then controlled via ACLs to allow only that server
to connect to our internal network. It can't be spoofed because it's got an
internal IP. This is common practice.

> Firewalls perform NAT and create "trusted" and "untrusted" networks. The DMZ
> is "untrusted" and the LAN is "trusted". The DMZ is never supposed to see
> the LAN, and therefore can never "authenticate".

The DMZ can see the LAN in certain circumstances, i.e. doing what I'm doing,
Exchange FE/BE servers etc.

It's a Remote Access VPN with clients connecting to it using PPTP, nothing
more.

I only asked why the server in question can't authenticate a user when it
has complete access to my internal network.

"Phillip Windell" <@.> wrote in message
news:uNJAhymQEHA.3732@TK2MSFTNGP11.phx.gbl...
> "David Hodgson" <david.hodgson@vianet.co.uk> wrote in message
> news:c8vn3a$rb6$1$8300dec7@news.demon.co.uk...
> > I have a Windows 2K RRAS VPN server which is in my DMZ, it is part of the
> > domain and the
>
> How can it be part of the domain when it is out in the DMZ?
>
> > firewall between the DMZ and the Internal network has all the
> > ports open between the DMZ network and the Internal network.
>
> All 65,000+ of them? What's the point in having the Firewall?
>
> > My clients when connecting to this server get a 919 error "the remote
> > computer refused to be authenticated....." at the "Verifying username and
> > password"
>
> Firewalls perform NAT and create "trusted" and "untrusted" networks. The DMZ
> is "untrusted" and the LAN is "trusted". The DMZ is never supposed to see
> the LAN, and therefore can never "authenticate".
>
> > Also the VPN server cannot get a browse list of the whole domain, looks like
> > it's just broadcasting on the DMZ and picking up computers there. (don't
> > know if this has anything to do with the above?)
>
> That is exactly what it is supposed to do in that environment.
>
> You will have to explain the intent a little better here. Just because you
> say you *have* a VPN Server in the DMZ doesn't explain how you intend to use
> it and how you expect it to perform. There are several types of VPN "models"
> that all behave differently and are used in different types of
> situations,...and the types aren't "cross-compatible".
>
> Virtual Private Networking with Windows Server 2003: Deploying Site-to-Site
> VPNs
> http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/networking/vpndpls2.mspx
>
> Virtual Private Networking with Windows 2000: Deploying Router-to-Router
> VPNs
> http://www.microsoft.com/windows2000/server/evaluation/features/deplyr2rvpn.asp
>
> Virtual Private Networking with Windows 2000: Deploying Remote Access VPNs
> http://www.microsoft.com/windows2000/techinfo/planning/incremental/vpndeploy.asp
>
> Microsoft Windows Server 2003 Remote Access/VPN Server Role
> http://www.microsoft.com/technet/prodtechnol/windowsserver2003/serverroles/remoteaccessserver/default.mspx
>
> Overview of Deploying Dial-up and VPN Remote Access Servers
> http://www.microsoft.com/resources/documentation/WindowsServ/2003/all/deployguide/en-us/Default.asp?url=/resources/documentation/windowsserv/2003/all/deployguide/en-us/dnsbf_vpn_mcnx.asp
>
>
> --
>
> Phillip Windell [MCP, MVP, CCNA]
> www.wandtv.com
>
>
>


