Re: AD Authentication on a DMZ ?
- From: Eric <Eric_m@xxxxxxxxxxxxxxxxxx>
- Date: Thu, 02 Apr 2009 11:35:06 +0200
Thanks Paul, but again I don't think it is the right KB for my problem (perhaps my English is not good enough, sorry :D)
I am asking about a general security architecture conception.
How can I publish an application that is on my DMZ and that is using Active Directory authentication?
Thanks :)
Look at the ports defined as client in the link below. I thought I detailed them, but I didn't, sorry.
http://support.microsoft.com/kb/179442/en-us
--
Paul Bergson
MVP - Directory Services
MCTS, MCT, MCSE, MCSA, Security+, BS CSci
2008, 2003, 2000 (Early Achiever), NT4
http://www.pbbergs.com
Please no e-mails, any questions should be posted in the NewsGroup
This posting is provided "AS IS" with no warranties, and confers no rights.
"Eric" <Eric_m@xxxxxxxxxxxxxxxxxx> wrote in message news:mn.0b827d94d2c74f5f.70874@xxxxxxxxxxxxxxxxxxxxx
Hello Paul,
thanks for your answer.
Unfortunately, we are not running 2008, so the RODC solution is not possible.
The ports listed in your article only refer to the ports that need to be open for replication, right?
In my situation, I don't want to put a domain controller on the DMZ for security reasons. I would prefer to leave the DC on the LAN and to configure my IIS web server (for example) in the DMZ to use "AD Authentication".
But my question is "which ports do I need to open to permit only the authentication from a server in a DMZ to a DC in my LAN"?
Thanks
Microsoft is supposed to release their blueprints for an RODC in the DMZ (hopefully) within the month (at least that is what I heard at TEC last week). If you are running 2008 that would be the way to go.
Otherwise, check out an article I have on what specifically the client needs to log on at:
http://www.pbbergs.com/windows/articles.htm
Select Firewall ports needed for replication
--
Paul Bergson
MVP - Directory Services
MCTS, MCT, MCSE, MCSA, Security+, BS CSci
2008, 2003, 2000 (Early Achiever), NT4
http://www.pbbergs.com
Please no e-mails, any questions should be posted in the NewsGroup
This posting is provided "AS IS" with no warranties, and confers no rights.
"Eric" <Eric_m@xxxxxxxxxxxxxxxxxx> wrote in message news:mn.0b077d94e8fe9676.70874@xxxxxxxxxxxxxxxxxxxxx
Hello,
we have some applications that are using our Active Directory for the user authentication.
Those applications are in our DMZ and our DCs are in our LAN.
My questions are:
1. Is it secure to use AD authentication for applications located in a DMZ? (Would ADAM (with an AD sync) be better?)
2. If "I don't have the choice" for this architecture, which ports do I need to open from my application servers to my DCs?
Thanks! :)
-- Eric
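The thread above asks which ports a DMZ server needs to reach on a LAN domain controller for authentication, and points to Microsoft's port reference rather than listing them. As an added example (not code from any of the posters), the script below models a DMZ-to-DC firewall rule set and audits it in both directions a defender cares about: which of the well-known client-to-DC authentication ports are still blocked, and whether any rule is so broad that it effectively puts the DC on the DMZ anyway. The port table is my own summary of the standard AD client ports (DNS, Kerberos, RPC endpoint mapper, LDAP/CLDAP, SMB, kpasswd, Global Catalog, NTP); which subset an application really needs depends on its authentication mechanism, and the RPC dynamic range is assumed to be the Windows Server 2008+ default. The rule set, zone names and host names are constructed for the example; the `probe_tcp` helper is an optional live check to run from the DMZ host after the rules are in place.

```python
"""Audit a DMZ -> DC firewall rule set against the ports an AD client needs
for authentication.  Example code added to this thread; not from any poster.
The port list below is an assumption based on Microsoft's published client
port requirements, not something the thread itself states."""
import socket
from dataclasses import dataclass
from typing import Dict, Iterable, List, Tuple

# Baseline ports a domain member needs on a DC for logon/authentication.
# (Assumption: exact subset depends on the auth mechanism the app uses.)
REQUIRED: Dict[Tuple[str, int], str] = {
    ("tcp", 53): "DNS",
    ("udp", 53): "DNS",
    ("tcp", 88): "Kerberos",
    ("udp", 88): "Kerberos",
    ("tcp", 135): "RPC endpoint mapper (Netlogon/NTLM pass-through)",
    ("tcp", 389): "LDAP",
    ("udp", 389): "CLDAP (DC locator ping)",
    ("tcp", 445): "SMB (Netlogon secure channel)",
    ("tcp", 464): "Kerberos password change",
    ("udp", 464): "Kerberos password change",
    ("tcp", 3268): "Global Catalog (universal group lookup)",
    ("udp", 123): "NTP (Kerberos clock skew)",
}
# RPC dynamic range used after the endpoint-mapper handshake.
# Assumption: Windows Server 2008+ default; Server 2003 used 1025-5000.
RPC_DYNAMIC: Tuple[str, int, int] = ("tcp", 49152, 65535)


@dataclass(frozen=True)
class Rule:
    """One firewall rule: src zone -> dst host, protocol, port range, action."""
    src: str
    dst: str
    proto: str      # "tcp", "udp" or "any"
    port_lo: int
    port_hi: int
    action: str = "allow"   # "allow" or "deny"

    def matches(self, proto: str, port: int) -> bool:
        return self.proto in ("any", proto) and self.port_lo <= port <= self.port_hi


def _decide(path: List[Rule], proto: str, port: int) -> bool:
    """First-match evaluation, default deny (the usual firewall semantics)."""
    for r in path:
        if r.matches(proto, port):
            return r.action == "allow"
    return False


def audit(rules: Iterable[Rule], src: str, dst: str) -> dict:
    """Report blocked auth ports, RPC range status and overly broad allows."""
    path = [r for r in rules if r.src == src and r.dst == dst]
    missing = [(proto, port, name)
               for (proto, port), name in sorted(REQUIRED.items())
               if not _decide(path, proto, port)]
    rpc_open = (_decide(path, RPC_DYNAMIC[0], RPC_DYNAMIC[1])
                and _decide(path, RPC_DYNAMIC[0], RPC_DYNAMIC[2]))
    # A single allow spanning the whole port space means the DC is, in
    # practice, fully exposed to the DMZ; flag it regardless of ordering.
    broad = [r for r in path
             if r.action == "allow" and r.port_lo <= 1 and r.port_hi >= 65535]
    return {"missing": missing, "rpc_dynamic_open": rpc_open, "broad": broad}


def probe_tcp(host: str, port: int, timeout: float = 2.0) -> bool:
    """Optional live check from the DMZ host: does a TCP handshake complete?"""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


# Constructed sample rule set: a partial allow list to the DC, an explicit
# deny-all as the last DC rule, and an over-broad "any" rule to a DB host.
SAMPLE_RULES: List[Rule] = [
    Rule("dmz", "dc", "tcp", 88, 88),
    Rule("dmz", "dc", "udp", 88, 88),
    Rule("dmz", "dc", "tcp", 389, 389),
    Rule("dmz", "dc", "tcp", 445, 445),
    Rule("dmz", "dc", "udp", 53, 53),
    Rule("dmz", "dc", "tcp", 1, 65535, "deny"),
    Rule("dmz", "db", "any", 1, 65535),
]

if __name__ == "__main__":
    for dst in ("dc", "db"):
        report = audit(SAMPLE_RULES, "dmz", dst)
        print(f"dmz -> {dst}: {len(report['missing'])} auth ports blocked, "
              f"RPC dynamic open={report['rpc_dynamic_open']}, "
              f"broad rules={len(report['broad'])}")
        for proto, port, name in report["missing"]:
            print(f"  blocked {proto}/{port} ({name})")
```

The output for the sample set shows the two failure modes side by side: the DC path is missing DNS over TCP, the RPC endpoint mapper and dynamic range, kpasswd, CLDAP, GC and NTP, while the DB path passes every check only because an "any/any" rule is present, which is the exposure the thread is trying to avoid.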