In supporting an extranet/intranet/internet application, are there any technotes or whitepapers on firewalls and AD? I have scoured the MS site, I have read the Internet Data Center Reference Design, but my ideas are a bit more complex. We have a firewall design that includes 4 segments and may include more for specific extranets in the future. We have an internal segment for our regular network, an Internet segment, a Public DMZ, and a Private DMZ.

The Public DMZ can communicate outbound to the Internet; in general it should not initiate connections to the Private DMZ. The Private DMZ can communicate outbound to the Public DMZ; in general it should not initiate connections to the Internal Network. The Internal network can communicate outbound to the Internet or Private DMZ.

I hope my ASCII art works =)

                         Internet
                            ^
                            |
    Public DMZ  <--------Checkpoint---------> Extranet DMZ
    Private DMZ <--------   FW-1
                            |
                            ^
                     Internal Network

The problem is supporting Web and Application servers across all of these segments. Some servers are for use by Internet users, yet the application still needs access to AD. Some are for Extranet users and these will have access through a specified Extranet DMZ. The Extranet Users will exist in AD and need to authenticate against AD. Several backend servers host databases and other applications and feed data to the web servers on the Public and Extranet DMZs. These servers need to access AD as well. All of the above are member servers and currently there are two DCs for an independent AD domain in the Private DMZ servicing all of those needs. Minimal holes are poked through the firewall to allow authentication in the directions of Public DMZ -> Private DMZ and Extranet DMZ -> Private DMZ. All of this works.

The problem is opening this same application up to internal users and our internal AD. The development team would like to leverage the effort and infrastructure invested for this app and include all internal users. This would require the web, application, and database servers to be able to authenticate internal users, either by being a member of the internal domain or through trusts. Win2k3 is not here yet so I have 2 options as I see it. I don't want to use a MetaDirectory solution at this time.

1) Make those servers a part of my internal AD domain, or 2) make a subdomain for those servers.

Either solution requires me to replace the 2 DCs in the Private DMZ with DCs that replicate internally.

AD Replication's use of RPC then becomes a problem. Clients across a firewall are not a big issue, but Domain Controller replication over RPC is a pain! I can either specify a range of 20 ports for RPC to use and leave that gaping hole open, or I can open an IPsec tunnel between DCs. But if one of the DCs on the Private DMZ becomes compromised then they have an IPsec freeway into the internal network. Neither option seems good.

If I choose to make a subdomain, then I assume I could use SMTP replication between the 2 domains.  Will SMTP replication handle FRS replication as well?

Can anyone direct me to further reading on this issue?  Or explain my mistakes?
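Added example (not from the original post): the registry settings that pin AD and FRS replication to fixed RPC ports on a DC, so the firewall between the Private DMZ DC and the internal DC only needs TCP 135 (endpoint mapper) plus the two pinned ports instead of the 20-port range mentioned above. The port numbers are assumptions; the key and value names are the documented Windows ones.

```powershell
# Added example: pin the RPC ports used by directory (NTDS) and SYSVOL (FRS)
# replication on a domain controller. Run elevated on each DC that replicates
# across the firewall, then reboot so the services pick up the new ports.
# Firewall rule needed per direction: TCP 135 + $NtdsPort + $FrsPort.

$NtdsPort = 50000   # assumed value: static port for NTDS replication
$FrsPort  = 50001   # assumed value: static port for FRS (SYSVOL) replication

# Directory replication listens on this port instead of a dynamic one.
Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters' `
    -Name 'TCP/IP Port' -Value $NtdsPort -Type DWord

# FRS (SYSVOL/NETLOGON content) uses its own RPC endpoint; pin it as well.
Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\NTFRS\Parameters' `
    -Name 'RPC TCP/IP Port Assignment' -Value $FrsPort -Type DWord

# Read the values back so the firewall change request quotes exactly what
# the DC will use; returns $null for a value that has not been set.
function Get-ReplicationPortConfig {
    $ntds = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
    $frs  = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\NTFRS\Parameters'
    [pscustomobject]@{
        NtdsPort = $ntds.'TCP/IP Port'
        FrsPort  = $frs.'RPC TCP/IP Port Assignment'
        EndpointMapper = 135   # always required in addition to the pinned ports
    }
}

Get-ReplicationPortConfig
```

This narrows the hole but does not change the trust problem raised above: a DC in the Private DMZ that is compromised still holds the domain's credentials, whatever ports it replicates over. Note also that SMTP site links carry only the schema, configuration and global catalog partial replicas; SYSVOL (FRS) replication is RPC regardless, so the pinned FRS port is needed in the subdomain design too.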
