Re: AD DMZ configuration
- From: dsturgeon.spam@xxxxxxxxx
- Date: Thu, 28 Feb 2008 12:11:28 -0800 (PST)
On Feb 28, 12:06 pm, "Lognoul, Marc \(Private\)"
<logno...@xxxxxxxxxxx> wrote:
I don't really see how this could help you segment authentication
traffic. The only way I see is to place a replica DC from your internal
forest into the DMZ "next to" the web server and use IPSec between this
replica and the internal DCs.
What kind of authentication do clients pass to the web server? Negotiate,
Basic or something else?
Marc
<dsturgeon.s...@xxxxxxxxx> wrote in message
news:3dffddbf-c557-42d6-947f-bad93d1f5735@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
On Feb 28, 10:10 am, dsturgeon.s...@xxxxxxxxx wrote:
On Feb 27, 8:34 pm, Ryan Hanisco
<RyanHani...@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote:
Good evening,
If you create Domain global groups in each of your domains to hold local
accounts, then create a Universal Group in the DMZ holding the global groups
from each domain, the authentication should stop at the domain boundary as
the security token will not have to reach into the foreign domain to generate
the appropriate security token.
Good Luck,
--
Ryan Hanisco
MCSE, MCTS: SQL 2005, Project+
http://www.techsterity.com
Chicago, IL
Remember: Marking helpful answers helps everyone find the info they need
quickly.
"dsturgeon.s...@xxxxxxxxx" wrote:
The setup - two separate forests, one internal and one DMZ.
Servers: LAN-DC1, LAN-DC2, DMZ-DC1, DMZ-WEB, DMZ-APP
I have a one-way trust set up to allow internal accounts into the DMZ.
IPSec policy set up to secure traffic between the DCs. One hope was
that the authentication process would happen as follows:
Internal User needs to authenticate to the web server. The web server
would pass that request to the DMZ-DC1 server which would then connect
back to the internal DC to verify. The reverse path would be followed
and the user would be authenticated. This limits the holes that I have
to punch through the firewall.
Instead the web server performs the authentication back to the
internal DC, so I need to have all of the AD related ports (udp/389
and 88, tcp/139 and 445) open anyway. Is there a way to force the DCs
to do the 'talking' per se?
Thanks
Ryan - these are separate forests, so I do not believe your
recommendation will work. I can only add groups from the LAN forest to
the domain local group in the DMZ forest.
Nevermind, I was able to add a universal group from the LAN forest to
a DL group in the DMZ forest. Still testing it.
I had hoped that by setting up the DMZ forest, the DMZ web server
would simply connect to the DMZ domain controller and it would then
handle the authentication back to the LAN DC via an IPSec connection.
As it is now, I still have to punch all the holes in the firewall for
the AD traffic into the LAN for the authentication. If that is true
then the DMZ domain will protect me only slightly more than having the
DMZ servers be members in my internal domain. This protection being
that if the web server was compromised, I do not believe my internal
domain could be attacked. I am not sure however to the extent this is
true.
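The question in this thread is whether the DMZ member servers still need a direct path to the internal DCs on the AD ports, or whether only DMZ-DC1 does. The PowerShell below is an added example, not code posted by anyone in the thread; it assumes the thread's host names (LAN-DC1, LAN-DC2, DMZ-DC1) and is meant to be run on each DMZ host to record which TCP ports actually reach the internal DCs versus the DMZ DC, so the firewall rule set can be compared with the intended DC-to-DC path.

```powershell
# Added example (not from the thread). Run on a DMZ host (DMZ-WEB, DMZ-APP,
# DMZ-DC1) to see which AD ports reach the internal DCs versus the DMZ DC.
# Host names are the ones used in the thread; adjust for your environment.
# TCP only: udp/88 and udp/389 cannot be probed reliably with a connect test.
$LanDcs  = @('LAN-DC1', 'LAN-DC2')   # internal forest DCs
$DmzDc   = 'DMZ-DC1'                 # DMZ forest DC
$AdPorts = @{ 88 = 'Kerberos'; 389 = 'LDAP'; 139 = 'NetBIOS session'; 445 = 'SMB' }

function Test-TcpPort {
    # Returns $true if a TCP connection to $Computer:$Port completes within $TimeoutMs.
    param([string]$Computer, [int]$Port, [int]$TimeoutMs = 2000)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $async = $client.BeginConnect($Computer, $Port, $null, $null)
        if (-not $async.AsyncWaitHandle.WaitOne($TimeoutMs, $false)) { return $false }
        $client.EndConnect($async)   # throws if the connection was refused
        return $true
    } catch { return $false }
    finally { $client.Close() }
}

# Build a source/target/port matrix for every DC in both forests.
$results = foreach ($target in ($LanDcs + $DmzDc)) {
    foreach ($port in $AdPorts.Keys) {
        [pscustomobject]@{
            Source    = $env:COMPUTERNAME
            Target    = $target
            Zone      = if ($target -in $LanDcs) { 'LAN' } else { 'DMZ' }
            Port      = $port
            Service   = $AdPorts[$port]
            Reachable = Test-TcpPort -Computer $target -Port $port
        }
    }
}
$results | Sort-Object Zone, Target, Port | Format-Table -AutoSize

# Flag the situation the poster wants to avoid: a DMZ member server (anything
# other than the DMZ DC) with a direct path to the internal DCs on AD ports.
if ($env:COMPUTERNAME -ne $DmzDc) {
    $direct = $results | Where-Object { $_.Zone -eq 'LAN' -and $_.Reachable }
    if ($direct) {
        $list = ($direct | ForEach-Object { "$($_.Target):$($_.Port)" }) -join ', '
        Write-Warning "This host reaches internal DCs directly on: $list"
    } else {
        Write-Output 'No direct AD-port path from this host to the internal DCs.'
    }
}
```

Run it on DMZ-DC1 as well: there the LAN rows are expected to be reachable (the trust's secure channel and IPSec peer), while on DMZ-WEB and DMZ-APP any reachable LAN row is a firewall hole the DMZ forest design was meant to remove.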