Re: AD Authentication on a DMZ ?
- From: Meinolf Weber [MVP-DS] <meiweb(nospam)@gmx.de>
- Date: Thu, 2 Apr 2009 10:22:14 +0000 (UTC)
Hello Eric,
I think the document applies to you. If I understand you correctly, you have an application that needs to contact the DC in the LAN, therefore you have to open the ports in the firewall. Basically the DMZ should not contain domain-internal servers like DCs; the reason for a DMZ is to have servers connected to the internet relocated from the internal LAN.
Here are some additional ports to be opened for replication, if you still must use a DC in the DMZ:
http://support.microsoft.com/kb/555381
Best regards
Meinolf Weber
Disclaimer: This posting is provided "AS IS" with no warranties, and confers no rights.
** Please do NOT email, only reply to Newsgroups
** HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm
Thanks Paul, but again I don't think it is the right KB for my problem
(perhaps my English is not good enough, sorry :D)
I am asking about a general security architecture conception.
How can I publish an application that is on my DMZ and that is using
Active Directory authentication?
Thanks :)
Look at the ports defined as client in the link below. I thought I had
detailed them but I didn't, sorry.
http://support.microsoft.com/kb/179442/en-us
--
Paul Bergson
MVP - Directory Services
MCTS, MCT, MCSE, MCSA, Security+, BS CSci
2008, 2003, 2000 (Early Achiever), NT4
http://www.pbbergs.com
Please no e-mails, any questions should be posted in the NewsGroup
This posting is provided "AS IS" with no warranties, and confers no
rights.
"Eric" <Eric_m@xxxxxxxxxxxxxxxxxx> wrote in message
news:mn.0b827d94d2c74f5f.70874@xxxxxxxxxxxxxxxxxxxxx
Hello Paul,
thanks for your answer.
Unfortunately, we are not running 2008, so the RODC solution is not
possible.
The ports listed in our article only refer to ports needed to be
open for replication, right?
In my situation, I don't want to put a domain controller on the DMZ
for security reasons. I would prefer to leave the DC on the LAN and to
configure my IIS web server (for example) in the DMZ to use "AD
Authentication".
But my question is "which ports do I need to open to permit only the
authentication from a server in a DMZ to a DC in my LAN"?
Thanks
-- Eric
Microsoft is supposed to release their blueprints for an RODC in
the DMZ (hopefully) within the month (at least that is what I heard
at TEC last week). If you are running 2008 that would be the way
to go.
Otherwise, check out an article I have on what specifically the
client needs to log on at:
http://www.pbbergs.com/windows/articles.htm
Select Firewall ports needed for replication
--
Paul Bergson
MVP - Directory Services
MCTS, MCT, MCSE, MCSA, Security+, BS CSci
2008, 2003, 2000 (Early Achiever), NT4
http://www.pbbergs.com
Please no e-mails, any questions should be posted in the NewsGroup
This posting is provided "AS IS" with no warranties, and confers no
rights.
"Eric" <Eric_m@xxxxxxxxxxxxxxxxxx> wrote in message
news:mn.0b077d94e8fe9676.70874@xxxxxxxxxxxxxxxxxxxxx
Hello,
we have some applications that are using our Active Directory for
the user authentication.
Those applications are in our DMZ and our DCs are in our LAN.
My questions are:
1. Is it secure to use AD authentication for applications located
in DMZ? (ADAM (with an AD Sync) should be better?)
2. If "I don't have the choice" for this architecture, which ports
do I need to open from my application servers to my DCs?
Thanks! :)
-- Eric
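As an added illustration, not code from this thread or from Paul's article, here is a PowerShell check to run on the DMZ web server itself: it reports which of the well-known domain-client TCP ports actually reach the DC through the firewall, so the rule set can be verified to permit only those. The DC name is a placeholder and the port list is my assumption of the standard client set (DNS, Kerberos, LDAP/GC, SMB, RPC), not a transcription of the linked KB articles.

```powershell
# Added example (not from the thread). Run from the DMZ member server.
# $DcHost is a placeholder; the port list is the usual domain-client set
# and is an assumption here, not taken from the KB articles linked above.
param([string]$DcHost = "dc01.corp.example")

$ClientPorts = @{
    53   = 'DNS (SRV records for _ldap/_kerberos)'
    88   = 'Kerberos'
    135  = 'RPC endpoint mapper'
    389  = 'LDAP'
    445  = 'SMB (Netlogon, SYSVOL, NTLM pass-through)'
    464  = 'Kerberos password change'
    636  = 'LDAPS'
    3268 = 'Global Catalog LDAP'
    3269 = 'Global Catalog LDAPS'
}

# TCP connect test with a timeout, using .NET so it also works on
# older hosts that lack Test-NetConnection.
function Test-TcpPort {
    param([string]$ComputerName, [int]$Port, [int]$TimeoutMs = 2000)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $async = $client.BeginConnect($ComputerName, $Port, $null, $null)
        if (-not $async.AsyncWaitHandle.WaitOne($TimeoutMs)) { return $false }
        $client.EndConnect($async)
        return $true
    } catch {
        return $false
    } finally {
        $client.Close()
    }
}

# Print one line per port so a blocked port stands out at a glance.
foreach ($port in ($ClientPorts.Keys | Sort-Object)) {
    $ok = Test-TcpPort -ComputerName $DcHost -Port $port
    '{0,5} {1,-45} {2}' -f $port, $ClientPorts[$port], $(if ($ok) { 'open' } else { 'BLOCKED' })
}
```

Note that RPC-based Netlogon traffic also uses a dynamic high port range after contacting port 135, so a rule set that passes this check may still need that range (or a fixed RPC port on the DC) before NTLM pass-through from IIS works; the firewall rule should be scoped to the application server's address only.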