Title: Message
Mark,
 
There are a number of reasons as to why two domains with a trust between would not be a secure method:
 
1.  Domains in a forest are not truly secure elements in many ways.  Because an administrator in a domain has access to anything in his domain, access to information in a GC or Configuration container is open, and can potentially be compromised with a variety of attacks.
 
2.  By default, there is a trust between domains in a forest - they are automatically created and are transitive in nature.   Given what Ninet is after, this would not be acceptable as it's not really addressing the larger problems.
 

Rick Kingslan  MCSE, MCSA, MCT
Microsoft MVP - Active Directory
Associate Expert
Expert Zone - www.microsoft.com/windowsxp/expertzone
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mark Kelsay
Sent: Sunday, March 09, 2003 1:33 PM
To: [EMAIL PROTECTED]
How about two domains and use a trust between the two?
 
Mark Kelsay
AD Newbie
-----Original Message-----
From: Ninet Segar [mailto:[EMAIL PROTECTED]
Sent: Friday, March 07, 2003 5:41 PM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] AD & DMZ's

In supporting an extranet/intranet/internet application, are there any technotes or whitepapers on firewalls and AD? I have scoured the MS site, I have read the Internet Data Center Reference Design, but my ideas are a bit more complex.  We have a firewall design that includes 4 segments and may include more for specific extranets in the future. We have an internal segment for our regular network, an Internet segment, a Public DMZ, and a Private DMZ.

The Public DMZ can communicate outbound to the Internet; in general it should not initiate connections to the Private DMZ.  The Private DMZ can communicate outbound to the Public DMZ; in general it should not initiate connections to the Internal Network.  The Internal network can communicate outbound to the Internet or Private DMZ.

I hope my ASCII art works =)

                                Internet
                                   ^
                                   |
    Public DMZ  <-------------- Checkpoint -----------------> Extranet DMZ
    Private DMZ <--------------   FW-1
                                   |
                                   ^
                             Internal Network

The problem is supporting Web and Application servers across all of these segments.  Some servers are for use by Internet users, yet the application still needs access to AD.  Some are for Extranet users and these will have access through a specified Extranet DMZ.  The Extranet Users will exist in AD and need to authenticate against AD.  Several backend servers host databases and other applications and feed data to the web servers on the Public and Extranet DMZs.  These servers need to access AD as well.  All of the above are member servers and currently there are two DCs for an independent AD domain in the Private DMZ servicing all of those needs.  Minimal holes are poked through the firewall to allow authentication in the directions of Public DMZ -> Private DMZ and Extranet DMZ -> Private DMZ.  All of this works.

The problem is opening this same application up to internal users and our internal AD.  The development team would like to leverage the effort and infrastructure invested for this app and include all internal users.  This would require the web, application, and database servers to be able to authenticate internal users, either by being a member of the internal domain or through trusts.  Win2k3 is not here yet, so I have 2 options as I see it.  I don't want to use a MetaDirectory solution at this time.

1) Make those servers a part of my internal AD domain.  Or 2) make a subdomain for those servers.

Either solution requires me to replace the 2 DCs in the Private DMZ with DCs that replicate internally.

AD Replication's use of RPC then becomes a problem.  Clients across a firewall are not a big issue, but Domain Controller replication over RPC is a pain!  I can either specify a range of 20 ports for RPC to use and leave that gaping hole open, or I can open an IPSEC tunnel between DCs.  But if one of the DCs on the Private DMZ becomes compromised, then they have an IPSEC freeway into the internal network.  Neither option seems good.

If I choose to make a subdomain, then I assume I could use SMTP replication between the 2 domains.  Will SMTP replication handle FRS replication as well?

Can anyone direct me to further reading on this issue?  Or explain my mistakes?
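One way to avoid the "range of 20 ports" problem Ninet describes is to pin the DC's replication RPC traffic to a single fixed port per service, so the firewall between the Private DMZ DC and the internal DC only needs one rule for AD replication and one for FRS. The script below is an added example, not from the thread; the registry keys and value names are the documented Windows ones, while the port numbers 50000 and 50001 are assumed values chosen for illustration.

```powershell
# Added example (not part of the original thread): pin AD replication RPC and
# FRS RPC on a domain controller to fixed TCP ports, so a firewall between DCs
# can allow one port per service instead of a dynamic RPC port range.
# Registry locations (documented Windows values):
#   HKLM\SYSTEM\CurrentControlSet\Services\NTDS\Parameters  -> "TCP/IP Port"
#   HKLM\SYSTEM\CurrentControlSet\Services\NTFRS\Parameters -> "RPC TCP/IP Port Assignment"
# Run elevated on each DC; the values take effect after a reboot.
# TCP 135 (RPC endpoint mapper) must still be allowed between the DCs, because
# the replication partner asks the mapper which port the service is listening on.

param(
    [int]$NtdsPort = 50000,   # assumed value: fixed port for AD replication RPC
    [int]$FrsPort  = 50001    # assumed value: fixed port for FRS (SYSVOL) RPC
)

$ntdsKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
$frsKey  = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTFRS\Parameters'

function Set-FixedRpcPort {
    param([string]$Key, [string]$Name, [int]$Port)
    # Refuse well-known/privileged ports and anything outside the TCP range.
    if ($Port -lt 1024 -or $Port -gt 65535) {
        throw "Port $Port is outside the allowed range 1024-65535"
    }
    # -Force overwrites an existing value; REG_DWORD is what the services read.
    New-ItemProperty -Path $Key -Name $Name -Value $Port -PropertyType DWord -Force | Out-Null
}

function Get-FixedRpcPort {
    param([string]$Key, [string]$Name)
    $item = Get-ItemProperty -Path $Key -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return 'not set (dynamic RPC port range in use)' }
    return $item.$Name
}

Set-FixedRpcPort -Key $ntdsKey -Name 'TCP/IP Port' -Port $NtdsPort
Set-FixedRpcPort -Key $frsKey  -Name 'RPC TCP/IP Port Assignment' -Port $FrsPort

# Read the values back so the change is verified before the firewall rule is written.
[pscustomobject]@{
    'AD replication RPC port' = Get-FixedRpcPort -Key $ntdsKey -Name 'TCP/IP Port'
    'FRS RPC port'            = Get-FixedRpcPort -Key $frsKey  -Name 'RPC TCP/IP Port Assignment'
}
```

The fixed ports cover only the RPC-based replication traffic; LDAP, Kerberos, DNS, SMB and the RPC endpoint mapper still have to be permitted between the two DCs, and a compromised DMZ DC still holds full domain credentials regardless of how narrow the firewall rule is.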
