
Domain machines in DMZ


  • Domain machines in DMZ


    I have a requirement to put a Windows Server 2003 machine into our DMZ zone.
    The machine is currently joined to the domain "domaina.local" on the LAN zone.

    If I move the machine to the DMZ, do I need to open firewall ports so that Active Directory on the LAN can still communicate with the machine, and vice versa, to avoid problems?

    Or do I need to put a DC into the DMZ and open ports so the DCs in the LAN can talk to the DCs in the DMZ?

    Or is it happy to live in the DMZ without ever having communication with the AD?

    Any help appreciated.

  • #2
    Re: Domain machines in DMZ

    If your member server needs to belong to the domain, and thus communicate with the DCs from the DMZ, then yes, appropriate firewall ports need to be opened.

    I would not recommend putting your DC in the DMZ.

    And if you do open the necessary ports, I would strongly consider the following options:

    • ACLs on the firewall rules, to only permit traffic from the specific host to the required DC addresses.
    • requiring encryption on the connection between the DCs and that specific host.

    If it doesn't communicate with the DC, eventually it will get deactivated within the domain, and you won't be able to use domain logons on the machine. Does it definitely need domain authentication?


  • #3
    Re: Domain machines in DMZ

    Well, to tell you a bit more...

    We have just set up our first SharePoint site (2007) on the LAN, and now we have a requirement for our partners to access a "shared" site (a NEW site) which we want to host in a different zone on the firewall.

    However, we want our current Central Administration to control this SharePoint server.

    We would also like the data of the partners' SharePoint site to be hosted on a separate SQL Server in the new zone.