Re: AD Proxy
- From: "Hugh" <Hugh@xxxxxxxxxxxxxxxxxxxxxxxxx>
- Date: Fri, 8 Jul 2005 08:16:04 -0700
The doc has much of the information I've been looking for - thanks. I'll
verify whether there are any differences with W2K3. With proxy, you're right
- I'd have to open the same ports. I believe the theory of some is that the
proxy could do some app-level filtering before allowing the traffic to get to
the production DCs. However, you were right on regarding Kerberos. The
proxy systems cannot do Kerberos across the proxy and thus appear to not be a
good solution.
I've been reviewing some ISA Server info and wondering if the reverse
publishing would work for this. However, I've seen nothing so far that talks
about using ISA Server this way. So far, I've received no responses to my
query in the ISA Server forum. Do you think that ISA Server has the
potential to do this? Even if there are no app filters for this, I could at
least restrict communications to the AIX systems. That would be better than
having a DC in the SecureNet with non-company computers.
--
Hugh
"Al Mulnick" wrote:
> As a starting point, have you seen this (appendix C is most likely the most
> helpful and I haven't seen an updated version of this, but there may be more
> involved with W2K3):
> http://www.microsoft.com/downloads/details.aspx?FamilyID=c2ef3846-43f0-4caf-9767-a9166368434e&DisplayLang=en
>
>
>
> This is different than a proxy. My logic is like this: if you used a proxy,
> you'd have to allow the same traffic from the proxy to the AD. In this
> case, you'd have to allow the traffic from/to the AIX machine from/to your
> AD server(s). If you still need a proxy, then maybe ISA or some other
> layer-7 firewall would be useful here.
>
> I know that proxy products, such as Sun's, exist, but I'm not sure they can proxy
> Kerberos for you and I see that as a problem. I see ISA as a better
> solution for this if you need that functionality.
>
> Al
>
>
>
> "Hugh" <Hugh@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
> news:4B2DE9EC-0BDC-4B2E-AE10-D77B246D94D2@xxxxxxxxxxxxxxxx
> > I took a quick look at Centrify's web site - it looks very similar to
> > Vintela's offering. I don't know of any other requirements beyond what
> > you mentioned.
> > --
> > Hugh
> >
> >
> > "Al Mulnick" wrote:
> >
> >> I'm not as familiar with Vintela as I am Centrify's solution. What are
> >> the requirements to be a domain member from the AIX machine's perspective?
> >> I assume Kerberos (indicates DNS and time sync to at least one DC) and
> >> LDAP, but are there any others?
> >>
> >> "The AIX systems in the SecureNet must be able to be domain members,"
> >>
> >> "Hugh" <Hugh@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
> >> news:A9DD6208-66DC-414B-89F7-5F468C0F85C9@xxxxxxxxxxxxxxxx
> >> > Yes, they would be based on AD credentials. Sorry for the confusion.
> >> >
> >> > Specifically, here's what we've got. In the SecureNet, we will have AIX
> >> > systems which are running Vintela Authentication Services (VAS), which
> >> > tightly integrates these systems with AD. In fact, the AIX systems are
> >> > "joined" to AD (via Kerberos) just as any Windows XP PC would be. These
> >> > AIX systems will be used by individuals in the SecureNet as well as by
> >> > individuals in the internal network. As an example, when you telnet to
> >> > the AIX box, the userid and password you enter reside only in AD, not as
> >> > local accounts on the AIX box. The VAS software then passes the userid
> >> > and password to AD for authentication. Group membership also provides
> >> > permissions to the AIX box's filesystems.
> >> >
> >> > Any given user may access the AIX box via the SecureNet today and via
> >> > the internal network tomorrow. Thus, we would prefer a single identity
> >> > store.
> >> >
> >> > The AIX systems in the SecureNet must be able to be domain members, but
> >> > since the SecureNet will also contain non-company computers (VPN
> >> > clients), we would prefer not to put a production domain controller in
> >> > the SecureNet.
> >> >
> >> > Since th
> >> > --
> >> > Hugh
> >> >
> >> >
> >> > "Al Mulnick" wrote:
> >> >
> >> >> You lost me.
> >> >> If you need AD/Kerberos authentication services, would that not be
> >> >> based on AD credentials? You're not interested in allowing services
> >> >> across the firewall (somehow you'll need time and DNS services that
> >> >> reflect trusted network information of course), I get that. But you
> >> >> are interested in authentication services. That is what I'm talking
> >> >> about.
> >> >>
> >> >> Maybe there's a bigger picture I'm not seeing? How do you plan to
> >> >> have the clients ask for authentication services? Is this something
> >> >> in the VPN client that allows them to even connect to this network?
> >> >> If so, maybe there's a better way to do this other than what we've
> >> >> talked about so far. RADIUS, AZMAN, or others might be worth
> >> >> investigating.
> >> >>
> >> >> Al
> >> >>
> >> >>
> >> >>
> >> >> "Hugh" <Hugh@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
> >> >> news:CC52EFEA-A075-4485-8C57-4024B0E5E88D@xxxxxxxxxxxxxxxx
> >> >> > Active Directory integration seems to be useful for controlling
> >> >> > access across the firewall based upon AD credentials. If so, this
> >> >> > isn't what we're trying to do. We need AD/Kerberos authentication
> >> >> > services in the SecureNet, but no other traffic from the SecureNet
> >> >> > will be allowed through the firewall.
> >> >> > --
> >> >> > Hugh
> >> >> >
> >> >> >
> >> >> > "Al Mulnick" wrote:
> >> >> >
> >> >> >> Hopefully you get a good response from that group. I would imagine
> >> >> >> it can be done fairly easily, but not sure just how easily.
> >> >> >>
> >> >> >> Active Directory integration
> >> >> >> ISA Server can leverage the user database stored in Active
> >> >> >> Directory to authenticate both inbound and outbound access through
> >> >> >> the firewall. Active Directory integration is available even when
> >> >> >> the ISA Server computer is not a member of an Active Directory domain.
> >> >> >>
> >> >> >>
> >> >> >>
> >> >> >> You can read more about it here:
> >> >> >> http://www.microsoft.com/isaserver/evaluation/features/default.mspx
> >> >> >>
> >> >> >> In my mind, you would basically publish the AD servers via ISA to
> >> >> >> the VPN network. When you give name resolution information to the
> >> >> >> vpn client, they would use that information to find the AD servers
> >> >> >> and the ISA server would proxy the authentication for you. LDAP
> >> >> >> might be a little more attached to your application if that's what
> >> >> >> it's for.
> >> >> >>
> >> >> >> Al
> >> >> >>
> >> >> >>
> >> >> >> "Hugh" <Hugh@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
> >> >> >> news:E84980BB-AACF-47E9-BF63-BB873AB5A838@xxxxxxxxxxxxxxxx
> >> >> >> > I've put a similar post in the ISA Server area, but we have no
> >> >> >> > experience with ISA Server at this time.
> >> >> >> > --
> >> >> >> > Hugh
> >> >> >> >
> >> >> >> >
> >> >> >> > "Al Mulnick" wrote:
> >> >> >> >
> >> >> >> >> Have you already looked at what ISA server can do for you?
> >> >> >> >>
> >> >> >> >> Al
> >> >> >> >>
> >> >> >> >> "Hugh" <Hugh@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
> >> >> >> >> news:79DEDFE7-BFA3-46DA-B03B-877C8F70C330@xxxxxxxxxxxxxxxx
> >> >> >> >> > We are creating a secure DMZ area (VPN access only) and would
> >> >> >> >> > like to have AD services in this network. This "SecureNet" will
> >> >> >> >> > be firewalled off from the internal network. Rather than putting
> >> >> >> >> > a domain controller in the SecureNet, we would prefer to put an
> >> >> >> >> > LDAP proxy server that would accept LDAP requests from systems in
> >> >> >> >> > the SecureNet and forward those requests through the firewall to
> >> >> >> >> > the internal domain controllers. Specifically, I said "AD" proxy
> >> >> >> >> > instead of "LDAP" proxy because I need Kerberos services to be
> >> >> >> >> > proxied as well. Thus, I need the proxy server to appear and act
> >> >> >> >> > just like an AD domain controller for the purposes of
> >> >> >> >> > authentication. Any thoughts on whether this is possible and, if
> >> >> >> >> > so, how to accomplish it?
> >> >> >> >> >
> >> >> >> >> > --
> >> >> >> >> > Hugh
> >> >> >> >>
> >> >> >> >>
> >> >> >> >>
> >> >> >>
> >> >> >>
> >> >> >>
> >> >>
> >> >>
> >> >>
> >>
> >>
> >>
>
>
>
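A way to check the point made above that a proxy would still need the same firewall openings as a DC: this is an added example script (mine, not from the thread), using constructed subnets and the standard ports a Kerberos/LDAP domain member must reach, that lists which required flows a candidate rule set leaves blocked between a SecureNet host and an internal DC.

```python
import ipaddress
from dataclasses import dataclass

# Standard ports a Kerberos/LDAP domain member (such as the VAS-joined AIX boxes
# in the thread) needs to reach on a DC. DNS and NTP are included because Kerberos
# depends on SRV lookups and clock sync. Windows members need more (SMB, RPC).
REQUIRED_FLOWS = {
    ("dns", "udp", 53), ("dns", "tcp", 53),
    ("ntp", "udp", 123),
    ("kerberos", "udp", 88), ("kerberos", "tcp", 88),
    ("kpasswd", "tcp", 464),
    ("ldap", "tcp", 389), ("ldap", "udp", 389),   # udp/389 = CLDAP DC-locator ping
    ("global-catalog", "tcp", 3268),
}

@dataclass(frozen=True)
class Rule:
    src: str     # source CIDR
    dst: str     # destination CIDR
    proto: str   # "tcp" or "udp"
    port: int    # destination port

def rule_permits(rule, src_ip, dst_ip, proto, port):
    """True if this permit rule covers the given flow (ports are destination ports)."""
    return (ipaddress.ip_address(src_ip) in ipaddress.ip_network(rule.src)
            and ipaddress.ip_address(dst_ip) in ipaddress.ip_network(rule.dst)
            and rule.proto == proto and rule.port == port)

def missing_flows(rules, client_ip, dc_ip):
    """Required service flows from client_ip to dc_ip that no rule permits."""
    return sorted(f for f in REQUIRED_FLOWS
                  if not any(rule_permits(r, client_ip, dc_ip, f[1], f[2]) for r in rules))

# Constructed example: SecureNet is 10.50.0.0/24, the internal DCs sit in 10.1.0.0/24.
SECURENET, DC_NET = "10.50.0.0/24", "10.1.0.0/24"
# An "LDAP proxy only" policy: the gap it leaves is exactly the Kerberos problem
# raised in the thread.
LDAP_ONLY = [Rule(SECURENET, DC_NET, "tcp", 389)]
# What a real domain member (or a proxy standing in for one) actually requires.
FULL = [Rule(SECURENET, DC_NET, proto, port) for _, proto, port in REQUIRED_FLOWS]

if __name__ == "__main__":
    for name, policy in (("ldap-only", LDAP_ONLY), ("full", FULL)):
        gaps = missing_flows(policy, "10.50.0.5", "10.1.0.10")
        print(f"{name}: {len(gaps)} required flow(s) blocked")
        for svc, proto, port in gaps:
            print(f"  {svc:<15} {proto}/{port}")
```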