Re: AD Authentication in a DMZ (up) ?
- From: "Jorge Silva" <jorgesilva_pt@xxxxxxxxxxx>
- Date: Thu, 11 Oct 2007 15:33:43 +0100
Inline
My principal question is "Generally, what kind of architecture is chosen
when we want that an application in a DMZ zone can use AD authentication
?"
Depends on your real needs.
Thomas told me about ADAM, ADFS or a specific forest only for Applications
resources.
Provides isolation from internal network, providing better security.
1. Why a specific forest in a DMZ should be less secure than ADAM, or ADFS
?
DMZs provide an isolated network segment for public-facing services, such as
Web and mail servers. The private side of your network is protected from
these servers, as their public accessibility makes them more vulnerable to
compromise.
2. Can we use a RADIUS proxy in the DMZ that will send authentication
request from DMZ to DCs (in the LAN) ? Is it secure ?
Yes.
--
===================================
I hope that the information above helps you.
Have a Nice day.
Jorge Silva
MCSE, MVP Directory Services
===================================
"Pascal" <pascal_t@xxxxxxxxxxxxxxxxxx> wrote in message
news:mn.5b5e7d7a4795b1af.70874@xxxxxxxxxxxxxxxxxxxxx
Hi Jorge,
thank you for your answer.
My principal question is "Generally, what kind of architecture is chosen
when we want that an application in a DMZ zone can use AD authentication
?"
Thomas told me about ADAM, ADFS or a specific forest only for Applications
resources.
I have then two questions.
1. Why a specific forest in a DMZ should be less secure than ADAM, or ADFS
?
2. Can we use a RADIUS proxy in the DMZ that will send authentication
request from DMZ to DCs (in the LAN) ? Is it secure ?
Thank you !
Hi
- You'll need to open the necessary ports between DMZ and internal to
allow authentication.
--
===================================
I hope that the information above helps you.
Have a Nice day.
Jorge Silva
MCSE, MVP Directory Services
===================================
"Pascal" <pascal_t@xxxxxxxxxxxxxxxxxx> wrote in message
news:mn.5ac07d7ae674d1fa.70874@xxxxxxxxxxxxxxxxxxxxx
Hi,
anybody has ideas or documentations about this classical question please
?
Thank you
Hi,
we have an application in our DMZ that needs to use Active Directory
database for authentication.
Of course our AD domain controllers are in our LAN.
Is there a secure way to use AD Authentication for applications
localized in a DMZ ?
Thanks a lot.
Regards,
Pascal
One option is to use ADAM with userProxy objects which will forward
authentication requests to Your AD in LAN.
Other option is to use ADFS, but your application will have to be
tested if it will work with ADFS.
Third option is AD forest in Your DMZ which will have trust
relationship with Your main AD (I don't like such solution but this is
also an option)
Thank you Thomas,
Why the third option is less secure than ADFS or ADAM ?
Is there another solution with a radius in the DMZ that will forward
the authentication request to the DC in the LAN ?
Thanks
-- Pascal
--
Pascal
- References:
- AD Authentication in a DMZ ?
- From: Pascal
- Re: AD Authentication in a DMZ ?
- From: Tomasz Onyszko
- Re: AD Authentication in a DMZ ?
- From: Pascal
- AD Authentication in a DMZ (up) ?
- From: Pascal
- Re: AD Authentication in a DMZ (up) ?
- From: Jorge Silva
- Re: AD Authentication in a DMZ (up) ?
- From: Pascal
- AD Authentication in a DMZ ?