Re: Is it possible to create a secure AD environment for widely dispersed PCs behind other institutions' firewalls?



Chris,
Just to give a slightly fuller answer.
You can't run AD in that sort of dispersed environment by opening ports. The
firewalls would never allow it. Even if they did, they would have to put you
in a DMZ so as not to open up their whole network. You would in practice
have your machines open on the internet.
You could run IPSec between all the machines, in effect creating machine-to-
machine VPNs. This would be a large job to administer. You would also need
all the firewalls to allow your IPSec connections into their networks. This
is the best link I can find to give you an overview of this:
http://support.microsoft.com/kb/816514. If you were going down this route,
it would almost be simpler to provide your own small VPN router in front of
the remote computer and use that to create a VPN network.
All this assumes that you have sufficient control over the firewalls, but in
my experience it is very hard to manage or co-ordinate these sort of changes
to firewalls. Most people are fairly reluctant to allow stuff in, and it can
be difficult and time consuming to troubleshoot problems. You can't see the
firewall rules, so you have to rely on them to help you make it work.
I mentioned Webex for two reasons. One is that it is hard to manage any
remote machine if you don't have access. As you say, there are several
alternatives for this. The second is that they also provide agents that give
you the control you were asking for. These are an OEM version of Everdream,
which was recently bought by Dell. There are other ways of doing this as
well. As I said, we manage servers fully behind firewalls that we don't
control, and without AD.
Hope that helps,
Anthony
http://www.airdesk.co.uk




"Anthony [MVP]" <anthony@xxxxxxxxxxxx> wrote in message
news:OjsjRfJ3IHA.2348@xxxxxxxxxxxxxxxxxxxxxxx
Chris,
If you have enough control over the firewalls you could use IPSEC, yes,
Anthony,
http://www.airesk.co.uk


"Chris Swinney" <swin@xxxxxxxxxxxxx> wrote in message
news:OV4%23LuG3IHA.2336@xxxxxxxxxxxxxxxxxxxxxxx
Just to let you know, something similar can be done with different VNC
flavours, such as UltraVNC, using a repeater. Anyhow, this still does not
satisfy all requirements as previously illustrated.



Even though we are going through foreign firewalls, we do have a certain
degree of sway with the network managers to allow certain traffic. Any
management traffic would need to be sent encrypted so I am wondering if
this could be sent using IPSEC or SSL so utilising just one or two open
ports/protocols.



Any further thoughts?

"Anthony [MVP]" <anthony@xxxxxxxxxxxx> wrote in message
news:%23Gj3pSE3IHA.3544@xxxxxxxxxxxxxxxxxxxxxxx
Chris,
VNC will not work through standard firewalls, but Webex Remote Access
will, because it is an outbound connection to an intermediary.
We manage remote servers fully without using AD.
Anthony,
http://www.airdesk.co.uk



"Chris Swinney" <swin@xxxxxxxxxxxxx> wrote in message
news:OoH8RID3IHA.4800@xxxxxxxxxxxxxxxxxxxxxxx
Many thanks for this. At a simple level, we already use remote
management tools such as VNC to manage some of these workstations,
however not all (because of firewall restraints) can be managed in this
way. Still, remotely managing the desktop is only part of the problem.
A central management point is required that can be used to push
out key changes to all desktops, maybe such as would be available using
Group Policy. In addition, some management applications (such as
software firewall policies) require AD integration.



Chris

"Anthony [MVP]" <anthony@xxxxxxxxxxxx> wrote in message
news:OldbPLA3IHA.2424@xxxxxxxxxxxxxxxxxxxxxxx
Chris,
AD is only one way of creating a shared security context between
machines. It would not work in your case, as the firewalls will not
allow AD traffic. Something like Webex Remote Access would allow you
to control all the machines.
Anthony,
http://www.airdesk.co.uk



"Chris Swinney" <swin@xxxxxxxxxxxxx> wrote in message
news:eZg1rG92IHA.5060@xxxxxxxxxxxxxxxxxxxxxxx
Or is this even a practical deployment scenario for AD?


"Chris Swinney" <swin@xxxxxxxxxxxxx> wrote in message
news:%23c5Cz182IHA.4476@xxxxxxxxxxxxxxxxxxxxxxx
Hi,

We maintain a wide network of PCs (Win 2000 and XP, approx 200-300
machines). Most of these are single use machines designed for use in
a Video Conference environment. The machines are effectively
standalone with public IPs, and they are deployed in various
institutions, some behind firewalls that we don't manage. Although
we have a certain amount of sway with the other network managers to
allow traffic to and from these machines, we obviously do not have
full control over ALL the traffic that can be passed to them.

I feel that if we can create a secure AD environment to centrally
manage these machines it would be beneficial. I'm not entirely sure
what ports/protocols need to be configured to allow AD traffic, and
then if this traffic can be secured across foreign firewalls.

Is there a way to create such an environment?

Many thanks for any insight or articles you may have.

Chris
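As an added example for the question above about which ports AD needs and whether a foreign firewall will pass them (this is not code posted by anyone in the thread), here is a small Python probe of the TCP ports a domain member must reach on a domain controller. Running it from one of the remote PCs shows concretely what "allow AD traffic" means and what to ask the other institution's network manager for. The port list and the two dynamic RPC ranges are the standard AD client-to-DC requirements; the hostname `dc01.example.org` and the loopback self-check are constructed inputs. Note what a TCP connect test cannot verify: the UDP side of DNS, Kerberos and LDAP, and the dynamically assigned RPC port that the endpoint mapper on 135 refers the client to, which is the usual reason a domain join "almost" works through a firewall.

```python
"""Probe the TCP ports a Windows domain member needs on a domain controller.

Added example for this thread; not code posted by anyone in it.
The hostname and the loopback demo are constructed inputs.
"""
import socket
import sys
from dataclasses import dataclass

# Standard AD client-to-DC TCP ports. Several also need UDP (53, 88, 389),
# which a TCP connect test cannot verify.
AD_TCP_PORTS = {
    53: "DNS",
    88: "Kerberos",
    135: "RPC endpoint mapper",
    389: "LDAP",
    445: "SMB (SYSVOL, Group Policy, Netlogon)",
    464: "Kerberos password change",
    636: "LDAPS",
    3268: "Global Catalog LDAP",
    3269: "Global Catalog LDAPS",
}

# The endpoint mapper on 135 refers the client to a dynamically assigned port.
# Windows 2000/XP/2003 use 1025-5000 by default; 2008 and later use 49152-65535.
# A firewall that passes 135 but not this range breaks the domain join.
RPC_DYNAMIC_RANGE_LEGACY = (1025, 5000)
RPC_DYNAMIC_RANGE_MODERN = (49152, 65535)


@dataclass
class ProbeResult:
    port: int
    service: str
    reachable: bool
    detail: str


def tcp_reachable(host, port, timeout=2.0):
    """Return (True, '') if a TCP connection completes, else (False, reason)."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True, ""
    except socket.timeout:
        # A silent drop (timeout) is the typical firewall signature; a refusal
        # means the packet arrived but nothing is listening.
        return False, "timeout (silently dropped, typical of a firewall)"
    except OSError as exc:
        return False, exc.strerror or str(exc)


def probe(host, ports=AD_TCP_PORTS, timeout=2.0):
    """Probe every port in `ports`; returns {port: ProbeResult}."""
    results = {}
    for port, service in sorted(ports.items()):
        ok, detail = tcp_reachable(host, port, timeout)
        results[port] = ProbeResult(port, service, ok, detail)
    return results


def blocked_ports(results):
    """Ports that did not answer, i.e. what to ask the remote firewall admin for."""
    return [p for p, r in sorted(results.items()) if not r.reachable]


def report(results):
    """Human-readable table, one line per port."""
    lines = []
    for r in sorted(results.values(), key=lambda r: r.port):
        state = "open" if r.reachable else "BLOCKED"
        extra = "" if r.reachable else " (" + r.detail + ")"
        lines.append(f"{r.port:>5}/tcp {state:8} {r.service}{extra}")
    return "\n".join(lines)


def loopback_demo():
    """Constructed self-check: one listening and one closed port on 127.0.0.1."""
    listener = socket.socket()
    listener.bind(("127.0.0.1", 0))
    listener.listen(5)
    open_port = listener.getsockname()[1]
    spare = socket.socket()
    spare.bind(("127.0.0.1", 0))
    closed_port = spare.getsockname()[1]
    spare.close()  # nothing listens here now, so the connect should be refused
    try:
        results = probe("127.0.0.1",
                        {open_port: "demo listener", closed_port: "demo closed"},
                        timeout=1.0)
    finally:
        listener.close()
    return {"open": results[open_port].reachable,
            "closed": results[closed_port].reachable,
            "blocked": blocked_ports(results) == [closed_port]}


if __name__ == "__main__":
    # Usage: python ad_port_probe.py dc01.example.org   (hostname is constructed)
    target = sys.argv[1] if len(sys.argv) > 1 else "dc01.example.org"
    res = probe(target)
    print(report(res))
    print("Blocked:", blocked_ports(res) or "none")
```

Run it from the remote PC against the intended DC; a port that times out rather than being refused is almost certainly the foreign firewall. Even a clean result for every listed port does not mean AD will work, because the dynamic RPC range is not probed, which is why the replies above favour an IPsec or VPN tunnel over asking for individual port openings.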
