2008 R2 replication over a FW
  • 2008 R2 replication over a FW

    We have a 2008 R2 domain in a 2003 functional level forest. We will be removing the one 2003 domain left and then promoting the forest to 2008 R2 native mode.

    We need to have one of our 2008 domains replicate over a firewall. After researching, there seem to be 3 ways to do it:

    1. Open everything needed in the FW
    2. Limit RPC traffic to a single port, then open FW
    3. Use IPsec for replication

    Any recommendations as to the best one? Any issues or problems that can arise with #2 or #3?

    Some experience from anyone who's done this before would be great. Thanks!

    -Andrew
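    Option #2 in the list above (restricting replication RPC to a fixed port so the firewall only has to allow a known set of ports) is a documented Windows setting rather than anything exotic. The following PowerShell is an added example, not code from this thread or from any poster: it writes the Microsoft-documented registry values that pin the NTDS, Netlogon and FRS RPC ports, verifies what was written, and prints the port list that would still need to be opened on the firewall between the two networks. The port numbers 50000-50003 are example choices, not defaults; the `Test-ListeningPort` helper and the rule list are this example's own.

```powershell
# Added example, not code from the thread. Pins the RPC ports that AD
# replication uses to fixed values so the firewall between the main network
# and Tier 2 can allow a short, explicit list of ports instead of the whole
# dynamic RPC range (TCP 49152-65535 on Server 2008 R2).
# The registry paths and value names are Microsoft's documented settings
# (KB 224196); the port numbers 50000-50003 are example choices only.
# Run elevated on every DC on BOTH sides of the firewall, then reboot:
# NTDS, Netlogon and FRS read these values only at service start.

$ReplPort     = 50000   # NTDS: Active Directory replication (DRS RPC)
$NetlogonPort = 50001   # Netlogon RPC: secure channel / trust operations
$FrsPort      = 50002   # FRS: SYSVOL replication on domains not yet on DFSR

$Settings = @(
    @{ Service='NTDS';     Path='HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters';     Name='TCP/IP Port';                Port=$ReplPort     }
    @{ Service='Netlogon'; Path='HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'; Name='DCTcpipPort';                Port=$NetlogonPort }
    @{ Service='NTFRS';    Path='HKLM:\SYSTEM\CurrentControlSet\Services\NTFRS\Parameters';    Name='RPC TCP/IP Port Assignment'; Port=$FrsPort      }
)

function Set-StaticRpcPort {
    param([string]$Path, [string]$Name, [int]$Port)
    if (-not (Test-Path $Path)) {
        throw "Registry key $Path not found; is this machine a domain controller?"
    }
    # -Force overwrites an existing value; the type must be REG_DWORD.
    New-ItemProperty -Path $Path -Name $Name -PropertyType DWord -Value $Port -Force | Out-Null
}

function Get-StaticRpcPort {
    param([string]$Path, [string]$Name)
    try   { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name }
    catch { $null }   # value absent: the service keeps using a dynamic port
}

function Test-ListeningPort {
    # Post-reboot check. netstat is used because Get-NetTCPConnection
    # only exists on Server 2012 and later.
    param([int]$Port)
    $pattern = '^\s*TCP\s+\S+:{0}\s+\S+\s+LISTENING' -f $Port
    return [bool](netstat -ano | Select-String -Pattern $pattern)
}

function Get-RequiredFirewallRules {
    # The static ports do NOT remove the need for these; this is the list to
    # hand to the group that runs the firewall. Both directions, DC to DC.
    param([int]$ReplPort, [int]$NetlogonPort, [int]$FrsPort)
    $rules = @(
        @{ Proto='TCP';     Port=135;           Purpose='RPC endpoint mapper (still needed to look up the static ports)' }
        @{ Proto='TCP';     Port=$ReplPort;     Purpose='AD replication (NTDS static port)' }
        @{ Proto='TCP';     Port=$NetlogonPort; Purpose='Netlogon (static port)' }
        @{ Proto='TCP';     Port=$FrsPort;      Purpose='FRS SYSVOL (static port; DFSR uses its own, see dfsrdiag below)' }
        @{ Proto='TCP/UDP'; Port=53;            Purpose='DNS' }
        @{ Proto='TCP/UDP'; Port=88;            Purpose='Kerberos' }
        @{ Proto='TCP/UDP'; Port=389;           Purpose='LDAP' }
        @{ Proto='TCP';     Port=636;           Purpose='LDAP over SSL' }
        @{ Proto='TCP';     Port=3268;          Purpose='Global Catalog' }
        @{ Proto='TCP';     Port=3269;          Purpose='Global Catalog over SSL' }
        @{ Proto='TCP';     Port=445;           Purpose='SMB (SYSVOL/NETLOGON shares)' }
        @{ Proto='TCP/UDP'; Port=464;           Purpose='Kerberos password change' }
        @{ Proto='UDP';     Port=123;           Purpose='NTP time sync' }
    )
    $rules | ForEach-Object { New-Object PSObject -Property $_ }
}

# --- apply and report ------------------------------------------------------
foreach ($s in $Settings) {
    Set-StaticRpcPort -Path $s.Path -Name $s.Name -Port $s.Port
    $now = Get-StaticRpcPort -Path $s.Path -Name $s.Name
    "{0,-9} {1,-28} = {2}" -f $s.Service, $s.Name, $now
}

# If SYSVOL has already been migrated to DFSR, pin its RPC port as well;
# dfsrdiag ships with the DFS Replication role. 50003 is an example value.
if (Get-Command dfsrdiag -ErrorAction SilentlyContinue) {
    dfsrdiag StaticRPC /Port:50003 "/Member:$env:COMPUTERNAME"
}

Get-RequiredFirewallRules -ReplPort $ReplPort -NetlogonPort $NetlogonPort -FrsPort $FrsPort |
    Format-Table Proto, Port, Purpose -AutoSize

# After the reboot, confirm the services actually bound the static ports:
#   $Settings | ForEach-Object { "{0}: {1}" -f $_.Service, (Test-ListeningPort -Port $_.Port) }
```

    Two points worth checking before asking for the firewall change: TCP 135 (the endpoint mapper) stays open regardless, because the remote DC still asks it which port NTDS is on, and the values only take effect after a reboot, so a DC whose `Test-ListeningPort` result is false after restart has not picked the setting up and will fall back to a dynamic port that the firewall blocks.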

  • #2
    Re: 2008 R2 replication over a FW

    Personally I would go for a site-to-site VPN between the two locations.
    Marcel
    Technical Consultant
    Netherlands
    http://www.phetios.com
    http://blog.nessus.nl

    MCITP(EA, SA), MCSA/E 2003:Security, CCNA, SNAF, DCUCI, CCSA/E/E+ (R60), VCP4/5, NCDA, NCIE - SAN, NCIE - BR, EMCPE
    "No matter how secure, there is always the human factor."

    "Enjoy life today, tomorrow may never come."
    "If you're going through hell, keep going. ~Winston Churchill"


    • #3
      Re: 2008 R2 replication over a FW

      Site-to-site VPN tunnel between your offices with no ports blocked would be the method I would employ, and do employ in our organisation.


      • #4
        Re: 2008 R2 replication over a FW

        I should clarify - the two "locations" are in the same building. Does that change your recommendations?


        • #5
          Re: 2008 R2 replication over a FW

          Can you give us a diagram showing where the firewall comes into it?
          Tom Jones
          MCT, MCSE (2000:Security & 2003), MCSA:Security & Messaging, MCDBA, MCDST, MCITP(EA, EMA, SA, EDA, ES, CS), MCTS, MCP, Sec+
          PhD, MSc, FIAP, MIITT
          IT Trainer / Consultant
          Ossian Ltd
          Scotland

          ** Remember to give credit where credit is due and leave reputation points where appropriate **


          • #6
            Re: 2008 R2 replication over a FW

            Here's a crude drawing. Blue lines represent logical paths data take to get to the internet from our inside network.

            We want to put a domain controller/site in Tier 2.

            That help?


            • #7
              Re: 2008 R2 replication over a FW

              Perhaps the make and model of the firewall appliance, and some information about the physical path from subnet to subnet?

              If you own all the networking equipment, can you either create an unfiltered path (from subnet to subnet) through the firewall, or re-cable so only data to the internet passes through it?
              Tom Jones
              MCT, MCSE (2000:Security & 2003), MCSA:Security & Messaging, MCDBA, MCDST, MCITP(EA, EMA, SA, EDA, ES, CS), MCTS, MCP, Sec+
              PhD, MSc, FIAP, MIITT
              IT Trainer / Consultant
              Ossian Ltd
              Scotland

              ** Remember to give credit where credit is due and leave reputation points where appropriate **


              • #8
                Re: 2008 R2 replication over a FW

                Yes, we own the FW equipment. It's a Cisco 5520, I think; it's run by another group.

                We could certainly open whatever ports are necessary, but I'm trying to do it in the way that's the most secure, but not overly complicated. A balance between the two would be best. Tier 2 and our main network are separated by a FW for a reason... we can't break that barrier completely.


                • #9
                  Re: 2008 R2 replication over a FW

                  Originally posted by secutaudu:
                  > Yes, we own the FW equipment. It's a Cisco 5520, I think; it's run by another group.
                  >
                  > We could certainly open whatever ports are necessary, but I'm trying to do it in the way that's the most secure, but not overly complicated. A balance between the two would be best. Tier 2 and our main network are separated by a FW for a reason... we can't break that barrier completely.

                  How are your networks segregated?

                  If you're that concerned about security installing a DC in the site would be a bad idea.
