Re: Active Directory Authentication and DMZ server




Your problem doesn't seem to be related to ADAM (or LDS) nor ADFS. I think it's more a DMZ and firewall configuration issue.

Check these posts about configuring domain members in a DMZ network with a back-to-back FW configuration using ISA Server; there you should find a similar scenario:

http://www.isaserver.org/tutorials/Configuring-Domain-Members-Back-to-Back-ISA-Firewall-DMZ-Part1.html
http://www.isaserver.org/tutorials/Configuring-Domain-Members-Back-to-Back-ISA-Firewall-DMZ-Part2.html
http://www.isaserver.org/tutorials/Configuring-Domain-Members-Back-to-Back-ISA-Firewall-DMZ-Part3.html

In Part 3 you will find that the key aspect of making the servers capable of joining a domain is adding a static route on the DMZ so they can communicate with internal hosts through the back-end FW:

"route add -p 10.0.0.0 MASK 255.255.255.0 10.0.1.2"

Where 10.0.0.0 is the network ID for the corporate network behind the ISA firewall, 255.255.255.0 is the subnet mask for that network ID, and 10.0.1.2 is the IP address on the external interface of the back-end ISA firewall.

Hope it helps

Cheers

--
augusto alvarez | it pro | southworks
MCP - MCTS - MCITP DBA
http://blogs.southworks.net/aalvarez
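As an added example (not part of the reply above), here is a PowerShell check a DMZ member server can run before the domain join: it confirms the persistent static route from the reply is present and probes the internal DC on the TCP ports a join and logon need. The network values are the ones from the post; the DC address is an assumption, and the cmdlets require Windows Server 2012 or later.

```powershell
# Added example: verify the static-route prerequisite and DC reachability from a DMZ host.
$InternalNet = '10.0.0.0/24'   # corporate network behind the back-end ISA firewall (from the post)
$BackEndFw   = '10.0.1.2'      # external interface of the back-end ISA firewall (from the post)
$DomainCtrl  = '10.0.0.10'     # ASSUMED address of an internal domain controller

# 1. Is the persistent route (equivalent of "route add -p 10.0.0.0 MASK 255.255.255.0 10.0.1.2") there?
$route = Get-NetRoute -DestinationPrefix $InternalNet -PolicyStore PersistentStore -ErrorAction SilentlyContinue |
         Where-Object { $_.NextHop -eq $BackEndFw }
if ($route) {
    Write-Host "OK: persistent route to $InternalNet via $BackEndFw is configured."
} else {
    Write-Warning "Missing persistent route to $InternalNet via $BackEndFw. Add it with:"
    Write-Warning "    route add -p 10.0.0.0 MASK 255.255.255.0 $BackEndFw"
}

# 2. Which of the ports a domain join / logon relies on does the back-end firewall actually pass?
#    (RPC dynamic ports used after the endpoint mapper are not covered by this simple probe.)
$Ports = [ordered]@{ 53 = 'DNS'; 88 = 'Kerberos'; 135 = 'RPC endpoint mapper'; 389 = 'LDAP'; 445 = 'SMB' }
foreach ($port in $Ports.Keys) {
    $result = Test-NetConnection -ComputerName $DomainCtrl -Port $port -WarningAction SilentlyContinue
    $state  = if ($result.TcpTestSucceeded) { 'open' } else { 'BLOCKED' }
    '{0,-22} {1,5}/tcp : {2}' -f $Ports[$port], $port, $state
}
```

Any port reported as BLOCKED has to be allowed from the DMZ segment to the DC on the back-end firewall before the join will work.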


"Sukhwinder Singh" <SukhwinderSingh@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message news:F2A2EB50-93E4-43B0-BD50-4401B1BCF565@xxxxxxxxxxxxxxxx
Dear All,

We have a requirement in our organisation that all the application and
internet facing servers in the organisation should be part of the Active
Directory Domain. We have many servers in DMZ zones and the Domain
controllers are there in LAN zone. We need to have all the DMZ servers to be
authenticated to Active Directory but we cannot open any Firewall port. So we
cannot go for IPSEC.

I would request all to help me in this regard as to if ADFS or ADAM can help
me with the same. If any other solution is there please let me know.

Thanks and Regards

Sukhwinder Singh




