domain authentication in DMZ

  • domain authentication in DMZ

    Can anyone tell me what minimum ports are required to allow DMZ hosts membership to the inside domain of a firewall?

    Microsoft provides a complete list, although I believe this list is more than what I need: http://support.microsoft.com/kb/179442. I'm running a 2003 native domain (all members are 2003 or XP) on the inside of the firewall and want members (2003 and XP) on the DMZ to join (no DC in DMZ).

    Thanks!

  • #2
    Re: domain authentication in DMZ

    I don't get it. You have the link to the MS article that tells you what ports to open up, but you don't believe it, so you ask this forum. Why don't you start with following the article and see what happens from there.

    When you buy a coffee and the cup has a label that says "Caution Hot", do you gulp it down because you don't believe it as well?

    When your doctor says to not smoke because you'll get cancer do you smoke anyway because you don't believe him?

    When you see a sign that says "Do Not Touch: High Voltage" do you touch it anyway because you don't believe it?

    Not to be rude but my point is that if I wanted to do something I would follow the manufacturer's recommendations first (MS in this case) and then seek the input of others if the manufacturer's recommendations don't work.

    • #3
      Re: domain authentication in DMZ

      Thanks for the candid response... my thoughts were that some ports listed are perhaps non-essential for my application, i.e. LDAP, RPC, etc... I just want to authenticate to a domain controller using Kerberos with name resolution.

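      As an added example (not part of this thread and not Microsoft's code), here is a Windows PowerShell check a defender can run from the DMZ host to see which of the domain-controller ports from the KB article linked in the first post are actually reachable through the firewall. The DC address is a placeholder, the port list is my reading of KB 179442 and should be confirmed against the current article, and the UDP entries (DNS, Kerberos, LDAP, NetBIOS name and datagram) and the dynamic RPC range cannot be verified with a TCP connect, so they are listed in a comment but not probed.

```powershell
# Added example, not from the thread: probe the TCP ports a domain member needs
# to reach on an inside DC (per Microsoft KB 179442, as I read it) from a DMZ host.
# Runs on Windows PowerShell 2.0 or later; $DomainController is a placeholder.
param(
    [string]$DomainController = "dc01.inside.example"   # placeholder DC address
)

# TCP ports from the KB list. UDP counterparts (53, 88, 389, 137, 138) and the
# dynamic RPC port range (1024-65535 on Windows Server 2003) are not probed here.
$PortList = @(
    @{ Port = 53;   Service = "DNS (name resolution)" },
    @{ Port = 88;   Service = "Kerberos" },
    @{ Port = 135;  Service = "RPC endpoint mapper" },
    @{ Port = 139;  Service = "NetBIOS session" },
    @{ Port = 389;  Service = "LDAP" },
    @{ Port = 445;  Service = "SMB" },
    @{ Port = 464;  Service = "Kerberos password change" },
    @{ Port = 636;  Service = "LDAP over SSL" },
    @{ Port = 3268; Service = "Global Catalog" },
    @{ Port = 3269; Service = "Global Catalog over SSL" }
)

function Test-TcpPort {
    param([string]$ComputerName, [int]$Port, [int]$TimeoutMs = 2000)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $handle = $client.BeginConnect($ComputerName, $Port, $null, $null)
        # A firewall that silently drops packets shows up as a timeout.
        if (-not $handle.AsyncWaitHandle.WaitOne($TimeoutMs, $false)) { return $false }
        $client.EndConnect($handle)   # throws if the port actively refused the connection
        return $true
    } catch {
        return $false
    } finally {
        $client.Close()
    }
}

# One row per port; Reachable = $false means blocked, dropped or not listening.
$results = foreach ($entry in $PortList) {
    New-Object PSObject -Property @{
        Port      = $entry.Port
        Service   = $entry.Service
        Reachable = Test-TcpPort -ComputerName $DomainController -Port $entry.Port
    }
}
$results | Sort-Object Port | Format-Table Port, Service, Reachable -AutoSize
```

      Run it on the DMZ host against the inside DC and compare the table with the firewall policy. Kerberos (88) and DNS (53) are enough for a ticket request once the host is already a member, but the join itself, Group Policy and machine-account maintenance also use LDAP (389), SMB (445) and RPC (135 plus the dynamic range), which is why the KB list is longer than the Kerberos-plus-name-resolution minimum hoped for above.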
      • #4
        Re: domain authentication in DMZ

        Although I think it isn't smart to authenticate through a firewall, yes, you need the ports that Microsoft tells you.
        Otherwise, you can always print out the document from Microsoft and open each port one by one and test it out...
        Hopefully you have some spare time
        Marcel
        Technical Consultant
        Netherlands
        http://www.phetios.com
        http://blog.nessus.nl

        MCITP(EA, SA), MCSA/E 2003:Security, CCNA, SNAF, DCUCI, CCSA/E/E+ (R60), VCP4/5, NCDA, NCIE - SAN, NCIE - BR, EMCPE
        "No matter how secure, there is always the human factor."

        "Enjoy life today, tomorrow may never come."
        "If you're going through hell, keep going. ~Winston Churchill"

        • #5
          Re: domain authentication in DMZ

          Originally posted by Dumber:
          Although I think it isn't smart to authenticate through a firewall...

          Dumber, what would you recommend in its place of authenticating through the firewall???
          I ask because I have a webserver in the DMZ but I want to run FTP on it authenticating with the DC.

          Sorry if this is off topic.

          • #6
            Re: domain authentication in DMZ

            You had better use local accounts for FTP.
            With domain authentication you need to open way too many ports, and it doesn't make it more secure.
            Also, I wouldn't recommend placing any member of a domain into a DMZ; use its own domain or a workgroup instead.
            Marcel

            • #7
              Re: domain authentication in DMZ

              I would try to avoid this setup as much as I can. As you have noticed, having a host in the DMZ authenticating against an internal DC requires a LOT of ports being open and introduces a high-risk attack vector.

              What I would try to do is:

              1) Set up AD/AM (or AD LDS, if you like its new name) in the DMZ to sync only a pre-defined set of accounts that will be used for authenticating in the DMZ (as a minimum, filtering out all the accounts with administrative permissions in AD)
              (see http://forums.petri.com/showthread.php?t=10879 for more info about this kind of setup)

              2) Use AD/AM as authentication source for your FTP. Not sure IIS6 can handle this, but IIS7 I believe should. Any decent non-MS FTP server will happily do LDAP authentication too.
              Guy Teverovsky
              "Smith & Wesson - the original point and click interface"

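              As an added example (not the poster's, Microsoft's or any FTP server's own code), here is how an application in the DMZ would authenticate a user against an AD LDS instance with an LDAP simple bind, which is what step 2 above amounts to, written in Windows PowerShell with System.DirectoryServices.Protocols. The server name, port and user DN are placeholders, and the AD LDS instance is assumed to hold synced user objects that can bind with a password (AD LDS userProxy objects instead redirect the bind to a real DC, which reopens exactly the DMZ-to-inside connectivity the thread is trying to avoid). The function returns $true on a successful bind and $false on bad credentials; it uses LDAPS because a simple bind sends the password in clear text.

```powershell
# Added example, not from the thread: LDAP simple bind against an AD LDS instance
# in the DMZ, as an FTP server or other application would do to authenticate a user.
# Placeholders: server name, port and the user's DN. Needs PowerShell 2.0+ / .NET 3.5+.
Add-Type -AssemblyName System.DirectoryServices.Protocols

function Test-AdLdsCredential {
    param(
        [string]$Server,
        [int]$Port = 636,                                       # LDAPS; see SecureSocketLayer below
        [System.Management.Automation.PSCredential]$Credential  # UserName must be the user's DN
    )
    $identifier = New-Object System.DirectoryServices.Protocols.LdapDirectoryIdentifier($Server, $Port)
    $connection = New-Object System.DirectoryServices.Protocols.LdapConnection($identifier)
    $connection.SessionOptions.ProtocolVersion = 3
    # A simple (Basic) bind transmits the password as-is, so require TLS on the session.
    $connection.SessionOptions.SecureSocketLayer = $true
    $connection.AuthType = [System.DirectoryServices.Protocols.AuthType]::Basic
    $connection.Timeout = New-Object TimeSpan(0, 0, 5)

    try {
        # PSCredential -> NetworkCredential keeps the DN as UserName (no backslash to split on).
        $connection.Bind($Credential.GetNetworkCredential())
        return $true
    } catch [System.DirectoryServices.Protocols.LdapException] {
        # Invalid credentials (LDAP result 49) land here; an unreachable server or a TLS
        # failure is a different exception type and is deliberately left to propagate,
        # so "wrong password" and "AD LDS is down" are not confused in the caller.
        Write-Verbose ("Bind failed for {0}: {1}" -f $Credential.UserName, $_.Exception.Message)
        return $false
    } finally {
        $connection.Dispose()
    }
}

# Usage with placeholder values: prompt for the password instead of putting it on the command line.
$cred = Get-Credential "CN=jdoe,OU=DmzUsers,DC=dmz,DC=example"
Test-AdLdsCredential -Server "adlds01.dmz.example" -Credential $cred
```

              The only traffic this generates is from the DMZ application to the AD LDS instance in the same DMZ, so the firewall rule set between the DMZ and the inside network is not touched by the authentication path at all; what still needs a rule is the account synchronisation in step 1, which should be initiated from the inside toward the DMZ and restricted to the filtered account set.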
              • #8
                Re: domain authentication in DMZ

                Hmmm, still you need to open ports to your internal networks, which is not done in my opinion.
                Rather, I would recommend setting up the webserver with FTP and local accounts and allowing FTP traffic from internal to the webserver, and not vice versa.

                I don't know what AD/AM is, but I'm sure that you need to open at least LDAP from the DMZ to the internal network.
                I'm pretty sure IIS 6 can't handle this.
                Marcel
