Re: Ports to open for a one-way trust

From: Justified Geek (JustifiedGeek_at_discussions.microsoft.com)
Date: 01/24/05


Date: Mon, 24 Jan 2005 14:35:03 -0800

That was a great article (I had read it before), but it addressed full-blown
replication...

What I'm looking to do is limit the amount of information kept in the
"private net" tier’s domain controllers to a minimum, and provide trusted
Kerberos authentication, without having to unnecessarily constrain (and
complicate) my internal domain controllers' methods of replication.
Look at it as if the DMZ forest were an associate’s domain on an “extranet”,
which wanted to provide us authenticated access to their company’s servers.

I have yet to come across an article on that specific scenario and its
implications in regard to the firewall rules.

Even so, thank you for the response; I can see where the information has
relevance.

Paul

"Steven L Umbach" wrote:

> See the link below to a great article on how to do this. Pay particular
> attention to the part on "dynamic" RPC and how to configure it and the
> firewall for best security. FYI you may also want to consider using Remote
> Desktop to manage the DMZ computers and you will need to only open port 3389
> TCP in the firewall or depending on your firewall capabilities you may just
> want to create ipsec endpoints to tunnel between the networks. --- Steve
>
> http://www.microsoft.com/serviceproviders/columns/config_ipsec_P63623.asp
>
> "Justified Geek" <JustifiedGeek@discussions.microsoft.com> wrote in message
> news:587EBD3D-CCB6-4A7D-996E-BEADB45D930D@microsoft.com...
> > We are configured in a three-tier network.
> >
> > The first tier is the demilitarized zone (or DMZ), where machines from the
> > internet can access the resources. (This is commonly referred to as the
> > exposed network.)
> >
> > The second tier (behind a firewall) is the "private net", which contains
> > resources available to the servers in the DMZ network, but the resources are
> > not directly available to machines on the internet. Data which resides here,
> > or is available through here, would have to be presented by the servers in
> > the DMZ to machines on the internet.
> >
> > The third tier (behind another firewall) is the subnets in our corporate
> > intranet. Machines in the first tier or on the internet are not allowed to
> > initiate connections through this firewall, and only specific ports are
> > available from specific machines on the second tier to initiate connections.
> >
> > The machines on the first and second tiers currently use local
> > authentication. The machines on the corporate intranet authenticate to a
> > native Windows 2003 Active Directory domain/forest.
> >
> > We wish to place a separate Windows 2003 Active Directory domain/forest in
> > the first and second tiers (with the domain controllers located in the second
> > tier), and establish a one-way trust with our corporate forest. This way
> > staff authenticated in the corporate domain can be assigned rights to
> > resources in the new "internet" domain, and we can reduce the administrative
> > overhead of maintaining local security accounts and rights.
> >
> > What I need to know is: What is the MINIMUM set of TCP and UDP port
> > connections which need to be assigned on the firewall as being allowed to be
> > established from the domain controllers in the second tier "private net"
> > through the firewall to our corporate intranet domain controllers in order to
> > establish and use this one-way trust? And, can any of those be closed once
> > the trust is established?
> >
> > --
> > Thank you,
> >
> > GLYASDI,
> >
> > Paul
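Added example, not part of the thread above and not written by either poster. It shows two things a practitioner would want when scoping the firewall rule the original question asks about: a probe, run from a "private net" DC, of the TCP ports Microsoft's firewall-for-domains-and-trusts guidance says a DC must reach on the trusted forest's DCs; and the registry change that pins the NTDS and Netlogon RPC services on the corporate DCs to fixed ports, so the dynamic RPC range Steve mentions does not have to be opened. The hostnames `corpdc1.corp.example`/`corpdc2.corp.example` and the port numbers 50000/50001 are assumptions for illustration; `Test-NetConnection` requires Windows PowerShell 4.0 or later, so this is a modern way to check what the 2005 post was asking. UDP 53/88/389 are also used (DNS, Kerberos, CLDAP pings) but cannot be probed with `Test-NetConnection`; confirm them from the firewall logs.

```powershell
# Added example (not from the original thread). Run from a DC in the
# "private net" tier. Hostnames below are hypothetical placeholders.
$CorpDCs = @('corpdc1.corp.example', 'corpdc2.corp.example')

# TCP ports a DC in the trusting forest must reach on the trusted forest's DCs
# (Microsoft's standard set for domains and trusts). UDP 53/88/389 are also
# needed but are not testable with Test-NetConnection, so they are listed only.
$TrustTcpPorts = @(
    [pscustomobject]@{ Port = 53;   Use = 'DNS (conditional forwarder to the corporate zone)' }
    [pscustomobject]@{ Port = 88;   Use = 'Kerberos' }
    [pscustomobject]@{ Port = 135;  Use = 'RPC endpoint mapper (trust setup, Netlogon)' }
    [pscustomobject]@{ Port = 389;  Use = 'LDAP' }
    [pscustomobject]@{ Port = 445;  Use = 'SMB (Netlogon secure channel, LSA over named pipes)' }
    [pscustomobject]@{ Port = 3268; Use = 'LDAP to a global catalog' }
)
$TrustUdpPorts = 53, 88, 389   # verify these from firewall logs

function Test-TrustPorts {
    param(
        [Parameter(Mandatory)] [string[]] $Targets,
        [Parameter(Mandatory)] [object[]] $Ports
    )
    foreach ($target in $Targets) {
        foreach ($p in $Ports) {
            $r = Test-NetConnection -ComputerName $target -Port $p.Port -WarningAction SilentlyContinue
            [pscustomobject]@{
                Target = $target
                Port   = $p.Port
                Use    = $p.Use
                Open   = $r.TcpTestSucceeded
            }
        }
    }
}

# Port 135 alone is not enough: after the endpoint-mapper lookup the client
# connects to a dynamic RPC port (1025-5000 on Windows 2003, 49152-65535 on
# 2008 and later). Instead of opening that range inbound to the corporate DCs,
# pin the two RPC services the trust relies on to fixed ports ON THE CORPORATE
# DCs (the side being connected to) and allow only 135 plus those two ports.
# The value names are the documented ones for NTDS and Netlogon; the port
# numbers 50000/50001 are arbitrary choices for this example. A reboot is
# required for the change to take effect.
function Set-FixedRpcPorts {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [int] $NtdsPort     = 50000,
        [int] $NetlogonPort = 50001
    )
    $ntds = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
    $nl   = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'
    if ($PSCmdlet.ShouldProcess("$ntds\TCP/IP Port", "set to $NtdsPort")) {
        New-ItemProperty -Path $ntds -Name 'TCP/IP Port' -PropertyType DWord -Value $NtdsPort -Force | Out-Null
    }
    if ($PSCmdlet.ShouldProcess("$nl\DCTcpipPort", "set to $NetlogonPort")) {
        New-ItemProperty -Path $nl -Name 'DCTcpipPort' -PropertyType DWord -Value $NetlogonPort -Force | Out-Null
    }
}

# On the private-net DC: which required TCP ports does the firewall currently
# let through to each corporate DC?
Test-TrustPorts -Targets $CorpDCs -Ports $TrustTcpPorts |
    Sort-Object Target, Port | Format-Table -AutoSize

# On each corporate DC (as an administrator), preview first, then apply:
# Set-FixedRpcPorts -WhatIf
# Set-FixedRpcPorts
```

The firewall rule that results is directional: it only has to permit connections initiated from the private-net DCs to the corporate DCs, which matches the one-way trust in the original question. Re-run `Test-TrustPorts` after the trust is created; anything that is still reachable but never shows traffic in the firewall logs is a candidate for closing, which is the safe way to answer the "can any of those be closed" part rather than guessing.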


