Re: AD Proxy
- From: "Al Mulnick" <amulnick_No_SPAM@xxxxxxxxxxx>
- Date: Fri, 8 Jul 2005 09:14:49 -0400
As a starting point, have you seen this (appendix C is most likely the most
helpful and I haven't seen an updated version of this, but there may be more
involved with W2K3):
http://www.microsoft.com/downloads/details.aspx?FamilyID=c2ef3846-43f0-4caf-9767-a9166368434e&DisplayLang=en
This is different from a proxy. My logic is like this: if you used a proxy,
you'd have to allow the same traffic from the proxy to the AD. In this
case, you'd have to allow the traffic from/to the AIX machine from/to your
AD server(s). If you still need a proxy, then maybe ISA or some other
layer-7 firewall would be useful here.
I know that proxy products, such as Sun's, exist, but I'm not sure it can proxy
Kerberos for you, and I see that as a problem. I see ISA as a better
solution for this if you need that functionality.
Al
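As an added illustration of the point above (example code, not part of the thread): a small firewall-policy check, with constructed SecureNet and DC addresses and a constructed rule set, showing that a proxy host would need exactly the rules toward the DCs that the AIX member would otherwise need.

```python
"""Added example, not from the thread: check whether a host can reach every
service a Kerberos/LDAP domain member needs on at least one domain
controller, given a constructed firewall policy."""
import ipaddress
from collections import namedtuple

Rule = namedtuple("Rule", "src dst proto port")  # src/dst are CIDR strings

# Minimal set assumed here: the thread names Kerberos, DNS, time sync and LDAP.
REQUIRED = {
    "dns": ("udp", 53),
    "time": ("udp", 123),
    "kerberos": ("tcp", 88),
    "ldap": ("tcp", 389),
}

def rule_allows(rule, src, dst, proto, port):
    """True if a single rule permits src -> dst on proto/port."""
    return (ipaddress.ip_address(src) in ipaddress.ip_network(rule.src)
            and ipaddress.ip_address(dst) in ipaddress.ip_network(rule.dst)
            and rule.proto == proto and rule.port == port)

def missing_services(policy, src, dcs):
    """Sorted names of required services src cannot reach on any DC."""
    return sorted(
        name for name, (proto, port) in REQUIRED.items()
        if not any(rule_allows(r, src, dc, proto, port)
                   for dc in dcs for r in policy))

def rewrite_source(policy, new_src):
    """The rules a proxy would need: same DC/proto/port, sourced from the proxy."""
    return [Rule(new_src, r.dst, r.proto, r.port) for r in policy]

# Constructed addresses: SecureNet 10.10.0.0/24, internal DCs in 192.168.1.0/24.
DCS = ["192.168.1.10", "192.168.1.11"]
AIX_HOST = "10.10.0.20"   # domain member in the SecureNet
PROXY = "10.10.0.5"       # hypothetical proxy host, also in the SecureNet

# Constructed policy written for the AIX host only; time sync was forgotten.
POLICY = [
    Rule("10.10.0.20/32", "192.168.1.0/24", "tcp", 88),
    Rule("10.10.0.20/32", "192.168.1.0/24", "tcp", 389),
    Rule("10.10.0.20/32", "192.168.1.10/32", "udp", 53),
]

if __name__ == "__main__":
    print("AIX host missing:", missing_services(POLICY, AIX_HOST, DCS))
    print("proxy, same policy:", missing_services(POLICY, PROXY, DCS))
    print("proxy, rewritten:", missing_services(
        rewrite_source(POLICY, PROXY + "/32"), PROXY, DCS))
```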
"Hugh" <Hugh@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:4B2DE9EC-0BDC-4B2E-AE10-D77B246D94D2@xxxxxxxxxxxxxxxx
> I took a quick look at Centrify's web site - it looks very similar to
> Vintela's offering. I don't know of any other requirements beyond what you
> mentioned.
> --
> Hugh
>
>
> "Al Mulnick" wrote:
>
>> I'm not as familiar with Vintela as I am Centrify's solution. What are
>> the requirements to be a domain member from the AIX machine's perspective?
>> I assume Kerberos (indicates DNS and time sync to at least one DC) and
>> LDAP, but are there any others?
>>
>> "The AIX systems in the SecureNet must be able to be domain members,"
>>
>> "Hugh" <Hugh@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
>> news:A9DD6208-66DC-414B-89F7-5F468C0F85C9@xxxxxxxxxxxxxxxx
>> > Yes, they would be based on AD credentials. Sorry for the confusion.
>> >
>> > Specifically, here's what we've got. In the SecureNet, we will have AIX
>> > systems which are running Vintela Authentication Services (VAS), which
>> > tightly integrates these systems with AD. In fact, the AIX systems are
>> > "joined" to AD (via Kerberos) just as any Windows XP PC would be. These
>> > AIX systems will be used by individuals in the SecureNet as well as by
>> > individuals in the internal network. As an example, when you telnet to
>> > the AIX box, the userid and password you enter reside only in AD, not as
>> > local accounts on the AIX box. The VAS software then passes the userid
>> > and password to AD for authentication. Group membership also provides
>> > permissions to the AIX box's filesystems.
>> >
>> > Any given user may access the AIX box via the SecureNet today and via
>> > the internal network tomorrow. Thus, we would prefer a single identity
>> > store.
>> >
>> > The AIX systems in the SecureNet must be able to be domain members, but
>> > since the SecureNet will also contain non-company computers (VPN
>> > clients), we would prefer not to put a production domain controller in
>> > the SecureNet.
>> >
>> > Since th
>> > --
>> > Hugh
>> >
>> >
>> > "Al Mulnick" wrote:
>> >
>> >> You lost me.
>> >> If you need AD/Kerberos authentication services, would that not be
>> >> based on AD credentials? You're not interested in allowing services
>> >> across the firewall (somehow you'll need time and DNS services that
>> >> reflect trusted network information of course), I get that. But you are
>> >> interested in authentication services. That is what I'm talking about.
>> >>
>> >> Maybe there's a bigger picture I'm not seeing? How do you plan to have
>> >> the clients ask for authentication services? Is this something in the
>> >> VPN client that allows them to even connect to this network? If so,
>> >> maybe there's a better way to do this other than what we've talked
>> >> about so far. RADIUS, AZMAN, or others might be worth investigating.
>> >>
>> >> Al
>> >>
>> >>
>> >>
>> >> "Hugh" <Hugh@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
>> >> news:CC52EFEA-A075-4485-8C57-4024B0E5E88D@xxxxxxxxxxxxxxxx
>> >> > Active Directory integration seems to be useful for controlling
>> >> > access across the firewall based upon AD credentials. If so, this
>> >> > isn't what we're trying to do. We need AD/Kerberos authentication
>> >> > services in the SecureNet, but no other traffic from the SecureNet
>> >> > will be allowed through the firewall.
>> >> > --
>> >> > Hugh
>> >> >
>> >> >
>> >> > "Al Mulnick" wrote:
>> >> >
>> >> >> Hopefully you get a good response from that group. I would imagine
>> >> >> it can be done fairly easily, but not sure just how easily.
>> >> >>
>> >> >> Active Directory integration
>> >> >> ISA Server can leverage the user database stored in Active Directory
>> >> >> to authenticate both inbound and outbound access through the
>> >> >> firewall. Active Directory integration is available even when the
>> >> >> ISA Server computer is not a member of an Active Directory domain.
>> >> >>
>> >> >> You can read more about it here:
>> >> >> http://www.microsoft.com/isaserver/evaluation/features/default.mspx
>> >> >>
>> >> >> In my mind, you would basically publish the AD servers via ISA to
>> >> >> the VPN network. When you give name resolution information to the
>> >> >> vpn client, they would use that information to find the AD servers
>> >> >> and the ISA server would proxy the authentication for you. LDAP might
>> >> >> be a little more attached to your application if that's what it's
>> >> >> for.
>> >> >>
>> >> >> Al
>> >> >>
>> >> >>
>> >> >> "Hugh" <Hugh@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
>> >> >> news:E84980BB-AACF-47E9-BF63-BB873AB5A838@xxxxxxxxxxxxxxxx
>> >> >> > I've put a similar post in the ISA Server area, but we have no
>> >> >> > experience with ISA Server at this time.
>> >> >> > --
>> >> >> > Hugh
>> >> >> >
>> >> >> >
>> >> >> > "Al Mulnick" wrote:
>> >> >> >
>> >> >> >> Have you already looked at what ISA server can do for you?
>> >> >> >>
>> >> >> >> Al
>> >> >> >>
>> >> >> >> "Hugh" <Hugh@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
>> >> >> >> news:79DEDFE7-BFA3-46DA-B03B-877C8F70C330@xxxxxxxxxxxxxxxx
>> >> >> >> > We are creating a secure DMZ area (VPN access only) and would
>> >> >> >> > like to have AD services in this network. This "SecureNet" will
>> >> >> >> > be firewalled off from the internal network. Rather than putting
>> >> >> >> > a domain controller in the SecureNet, we would prefer to put an
>> >> >> >> > LDAP proxy server that would accept LDAP requests from systems
>> >> >> >> > in the SecureNet and forward those requests through the firewall
>> >> >> >> > to the internal domain controllers. Specifically, I said "AD"
>> >> >> >> > proxy instead of "LDAP" proxy because I need Kerberos services
>> >> >> >> > to be proxied as well. Thus, I need the proxy server to appear
>> >> >> >> > and act just like an AD domain controller for the purposes of
>> >> >> >> > authentication. Any thoughts on whether this is possible and, if
>> >> >> >> > so, how to accomplish it?
>> >> >> >> >
>> >> >> >> > --
>> >> >> >> > Hugh