Re: Forest or External Trusts Through NATed Firewall



You're right that a tunnel is the way to go here. This pulls the port issue
out of the mix and allows netlogon traffic to flow without being lost at the
NAT boundary. I prefer to do VPNs from hardware appliances (Cisco or
Check Point), but even server VPN connections should work.
--
Ryan Hanisco
MCSE, MCTS: SQL 2005, Project+
http://www.techsterity.com
Chicago, IL

Remember: Marking helpful answers helps everyone find the info they need
quickly.


"nonsence via WinServerKB.com" wrote:

You don't need NetBIOS for replication.

What you need to do is set up a VPN tunnel through the NAT firewalls. This
will take care of the problem of having the NAT routers rewriting the IP
addresses, because what you want is to have direct IP connections which are not
being filtered or altered during transit. A VPN tunnel will give you this,
plus it's more secure.

Your one other "possible" option, I think (I doubt it, but I'll throw it out
there anyway), is to use IPsec policies to secure replication between domain
controllers. This should also work to tunnel through the NAT device and
achieve a direct IP connection without having the data changed; of course, you
need a Check Point that supports NAT-T for IPsec.

Networking-Guru wrote:
Hi,

Windows 2003
Setting security aside, is it possible to create a Forest or External Trust
through a NATed firewall (Check Point)?

There will be a new Forest created which will have globally unique IP
addresses within the organisation.

There will be several existing forests/domains which are not guaranteed to
have unique IP addresses; therefore, when communicating from NEW<->OLD, the OLD
addresses need to be NATed for the NEW to communicate.

The theory I have applied is that the NEW will use conditional forwarding to
look up DNS entries in the OLD. The DNS get request will go through the
firewall to the old domain DNS and generate a get response. When this
response passes through the firewall, it will match the IP address in the
response with the STATIC NAT table and modify the response to be the NATed
address, therefore returning the NAT IP address to the NEW server.

This would therefore allow a trust (external or forest) to be established
and subsequent authentication to be handled for users in OLD accessing
resources in NEW.

I also assumed I do not need NetBIOS resolution.

Any comments?
Regards
JohnnieMac

--
Message posted via WinServerKB.com
http://www.winserverkb.com/Uwe/Forums.aspx/windows-server-ad/200803/1
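The firewall behaviour JohnnieMac is counting on (the static NAT table rewriting the A record inside the returned DNS response) is modelled below as an added example; it is not code from any poster or from Check Point. The names, the addresses and the `STATIC_NAT` table are constructed assumptions, and the single-answer response is built inline to stand in for what the OLD forest's DNS server would send.

```python
import struct
import ipaddress

# Constructed static NAT table: OLD forest's real address -> address the NEW forest sees.
STATIC_NAT = {"10.1.1.10": "192.0.2.10"}


def _encode_name(name):
    """Encode a dotted hostname in DNS label form."""
    return b"".join(bytes([len(l)]) + l.encode() for l in name.split(".")) + b"\x00"


def build_a_response(name, ip, txid=0x1234, ttl=300):
    """Constructed sample: a one-answer A response for `name` (flags: QR, RD, RA)."""
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)
    question = _encode_name(name) + struct.pack("!HH", 1, 1)          # QTYPE=A, QCLASS=IN
    # 0xC00C is a compression pointer back to the question name at offset 12.
    answer = b"\xC0\x0C" + struct.pack("!HHIH", 1, 1, ttl, 4) + ipaddress.IPv4Address(ip).packed
    return header + question + answer


def _skip_name(msg, off):
    """Return the offset just past a (possibly compressed) DNS name."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:          # two-byte compression pointer ends the name
            return off + 2
        off += 1 + length


def doctor_dns_response(msg, nat_table):
    """Rewrite A-record RDATA per the static NAT table (what the firewall does on the reply).
    Returns (rewritten_message, [(real_ip, nated_ip), ...])."""
    buf = bytearray(msg)
    qdcount, ancount, nscount, arcount = struct.unpack("!HHHH", buf[4:12])
    off = 12
    for _ in range(qdcount):
        off = _skip_name(buf, off) + 4     # skip QTYPE + QCLASS
    changes = []
    for _ in range(ancount + nscount + arcount):
        off = _skip_name(buf, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", buf[off:off + 10])
        rdata = off + 10
        if rtype == 1 and rclass == 1 and rdlen == 4:              # A record, class IN
            real = str(ipaddress.IPv4Address(bytes(buf[rdata:rdata + 4])))
            if real in nat_table:                                   # only statically mapped hosts change
                buf[rdata:rdata + 4] = ipaddress.IPv4Address(nat_table[real]).packed
                changes.append((real, nat_table[real]))
        off = rdata + rdlen
    return bytes(buf), changes
```

Only the four RDATA bytes of mapped A records change; everything else in the reply, and any address that is not in the static table, passes through untouched, which is the part of the design the two replies avoid altogether by tunnelling.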

