Re: FTP server in DMZ and authentication to/from internal AD




Craig,
Authentication in a DMZ is just one of those problems with no simple answer:
- separate DMZ domain with one way trust to internal AD
- staging folder on internal domain, copied as a task up to the DMZ folder
- DMZ proxy that publishes your internal folder over FTP
Hope that helps,
Anthony, http://www.airdesk.com

"myoman" <myoman@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:F1666246-8E29-4C2C-9045-4A69AA3FE536@xxxxxxxxxxxxxxxx
All,

I was hoping to get some advice on how others deal with having internal AD
users connect to an FTP server located in the DMZ. This is a legacy system
that worked fine before we required users to change their passwords in AD
every 60 days. Now, we have to change the local account on the FTP server so
they can reconnect their mapped drives. There are about 30 users who connect
in this way and they use it for putting financials, vendor contracts, specs,
etc. on the FTP box that the external users grab and vice versa.

I'm thinking of having a Virtual Directory on the FTP server that points to
an internal (inside of the DMZ) share where the users put/get their stuff.
Besides security concerns, are there known issues with this?

I've also thought of just having our internal folks access the FTP box via
FTP instead of mapped drives and such. However, I believe that there are jobs
that actually put the data directly to the FTP box via mapped drives instead
of through FTP. This is totally controlled by the departments so we have a
bit of research left.

Are there any tools available that can securely replicate the internal AD
accounts (Roughly 50 accounts and all are just Domain Users) to the FTP
server?

Thanks for any advice.

Craig


