Good luck, Jason.  :)

-ASB


On 9/8/05, Jason B <[EMAIL PROTECTED]> wrote:
> Al, Brian and others - thanks!
> 
> I wasn't involved in the original plan for setting this extranet up, but
> overheard talk about it and didn't like the plans everyone else was making
> for my AD infrastructure.  So I jumped into the fray after all the decisions
> had been made and hardware/software purchased, but better late than never.
> Originally, they wanted it set up with the SP server in the DMZ and ports
> opened to the LAN to "make it work" talking to SQL and AD.  The plan had
> them putting extranet users and clients in our internal AD domain and giving
> non-technical employees the ability to add/remove clients from an OU.  Bad
> mojo.
> 
> I was able to convince them to allow me to set up the SP server as a DC in a
> new forest so as to avoid putting the extranet users in our AD domain.  That
> was the "easy" part.  Another SQL license is definitely not in the budget,
> so that was an easy decision.  Now, I am going to try to convince them to
> move the SP server into the LAN side, close the ports from the DMZ to LAN
> and throw ISA server in the DMZ to serve up the extranet clients.  I think I
> can get them to go for it with some doom and gloom scenarios.
> 
> Again, thanks for the suggestions and advice.
> 
> --Jason
> 
> ----- Original Message -----
> From: "Brian Desmond" <[EMAIL PROTECTED]>
> To: <ActiveDir@mail.activedir.org>
> Sent: Thursday, September 08, 2005 3:14 PM
> Subject: RE: [ActiveDir] Which ports to open in the DMZ to communicate with
> AD & SQL...
> 
> 
> > I am, perhaps unfortunately, quite familiar with Sharepoint.
> >
> > Your sharepoint server like any other member server can be a member of one
> > domain. If your extranet users are in a domain trusted by the server's
> > domain or another domain in the forest, you can just service them with
> > multiple portals. You can have up to, I think, 50 portals per frontend. Of
> > course, I don't really recommend having your extranet accounts in your
> > corp forest...
> >
> > I used to have my sharepoint environment sitting in a "DMZ" subnet. It was
> > hell dealing with the spaghetti mess of ports on the checkpoints. Now we
> > have this special subnet that the WAN people call the AD Load Balanced
> > subnet. It's a class C that sits on the Cisco CSM and SSM modules in a
> > couple of 6509s. The subnet hangs off a PIX FWSM vlan interface, and they
> > have all the ports for domain joined machines open from that subnet to the
> > DCs. It's actually pretty easy. The Windows folks gave the WAN folks a
> > comprehensive list of ports that need to be open for AD, a/v, mgmt, etc,
> > and they made PIX and Checkpoint rules for that subnet. Now when we need to
> > load balance anything domain joined, the servers just go in this subnet,
> > they setup the CSMs, and then the firewall people just have to add
> > additional special rules (like connecting to SQL, for example).
> >
> >
> > Thanks,
> > Brian Desmond
> > [EMAIL PROTECTED]
> >
> > c - 312.731.3132
> >
> >
> >
> > -----Original Message-----
> > From: [EMAIL PROTECTED]
> > [mailto:[EMAIL PROTECTED] On Behalf Of Jason B
> > Sent: Thursday, September 08, 2005 4:37 PM
> > To: ActiveDir@mail.activedir.org
> > Subject: Re: [ActiveDir] Which ports to open in the DMZ to communicate
> > with
> > AD & SQL...
> >
> > This has been a GREAT discussion and I have received a lot of useful info.
> > I really appreciate the replies, suggestions, slams and help.  I think I
> > am going to revisit trying to have the sharepoint server moved to the LAN
> > and see if I can't convince the powers that be to apportion an ISA license
> > and hardware appropriate for running ISA to put on the DMZ.  We already
> > have a sharepoint server on the LAN...  I am not too familiar with
> > sharepoint, but I wonder if the existing sharepoint server can handle both
> > the internal and external users...  That's a question for another group,
> > I guess.
> >
> > Anyway, I gathered quite a bit from the posts and discussion, but what are
> > the main specific and concrete points that I am going to want to bring up
> > to dissuade them from having the sharepoint server on the DMZ?  My
> > expertise isn't in the hardware/networking aspect of configuration, but I
> > know enough that I am not comfortable opening all the ports for AD auth
> > from the DMZ to the LAN.  Our network admin didn't think that it was a big
> > deal to open the ports since it was "only on the DMZ" and he could control
> > the traffic that was allowed to the DMZ.
> >
> >
> > ----- Original Message -----
> > From: "Al Mulnick" <[EMAIL PROTECTED]>
> > To: <ActiveDir@mail.activedir.org>
> > Sent: Wednesday, September 07, 2005 5:04 PM
> > Subject: RE: [ActiveDir] Which ports to open in the DMZ to communicate
> > with
> > AD & SQL...
> >
> >
> > Looks like we have plenty of ideas and opinions ;)
> >
> > ISA is a great way to deal with this, but I believe the decision was made
> > to put the SP machine in the DMZ regardless of the technical merit or
> > viability. And whether or not it is a good idea.  That said, ISA doesn't
> > offer much if you put it AND this machine in a semi-trusted network (for
> > whatever that means these days.)
> >
> > Shame there's no leeway though.  The downside to using IPSec is that as
> > others have pointed out, it won't work on member server <->DC for W2K
> > servers (limitation of the OS) but will for 2K3 member servers but that
> > still leaves you with a secure channel from the DMZ host to your internal
> > network.  That means you can't monitor the traffic from the DMZ to your
> > internal network because it's encrypted (sounds like a broken record, I
> > know.)
> >
> > Too bad you can't sway the decision makers to do this differently. But
> > hopefully you've received a lot of ideas to pick from.
> >
> > Best of luck,
> > Al
> >
> >
> >
> > ________________________________
> >
> > From: [EMAIL PROTECTED] on behalf of Bernard, Aric
> > Sent: Wed 9/7/2005 7:40 PM
> > To: ActiveDir@mail.activedir.org
> > Subject: RE: [ActiveDir] Which ports to open in the DMZ to communicate
> > with
> > AD & SQL...
> >
> >
> >
> > I agree with Phil - I think using an ISA (or other reverse proxy solution)
> > is the best way to go given your constraints.
> >
> > Using a reverse proxy solution allows you the following:
> >
> > 1. Keep your Sharepoint server behind the firewall, yet make it accessible
> > to external clients as if it was in the DMZ.
> > 2. Restrict your [additional] holes through the firewall to only that
> > needed by the reverse proxy solution to interact with the Sharepoint server
> > (port 80).
> >
> > BTW - this scenario is becoming extremely common.  The next common
> > addition you will see to this will likely be the use of ADFS to provide an
> > identity trust bridge between the internal forest and a partner forest (or
> > other identity system).
> >
> >
> >
> > Regards,
> >
> >
> >
> > Aric Bernard
> >
> >
> >
> > ________________________________
> >
> > From: [EMAIL PROTECTED]
> > [mailto:[EMAIL PROTECTED] On Behalf Of Phil Renouf
> > Sent: Wednesday, September 07, 2005 9:20 AM
> > To: ActiveDir@mail.activedir.org
> > Subject: Re: [ActiveDir] Which ports to open in the DMZ to communicate
> > with
> > AD & SQL...
> >
> >
> >
> > I would look at putting the Sharepoint server on the internal network and
> > deploy an ISA server in the DMZ and use Web Publishing or Server
> > Publishing to get your external clients access to the site. If you want to
> > open access from the DMZ to your AD Forest your firewall will be swiss
> > cheese from all the ports that need to be open.
> >
> > If you absolutely HAVE to then I would prefer to look at using IPSec for
> > communication between the Sharepoint box and your DCs. That leaves you
> > only needing the IPSec port open and not the very large number of ports to
> > support AD communication.
> >
> >
> >
> > http://support.microsoft.com/kb/q179442/
> >
> >
> > Phil
> >
> >
> > On 9/7/05, Jason B <[EMAIL PROTECTED]> wrote:
> >
> > Because this will be a sharepoint server for clients.  Regardless, that
> > decision has already been made and I don't have any input into it.
> > Any info on the ports I'd need open?
> >
> > ----- Original Message -----
> > From: "ASB" <[EMAIL PROTECTED]>
> > To: <ActiveDir@mail.activedir.org>
> > Sent: Wednesday, September 07, 2005 8:45 AM
> > Subject: Re: [ActiveDir] Which ports to open in the DMZ to communicate
> > with
> > AD & SQL...
> >
> >
> > Why did you decide to put it in the DMZ?
> >
> > -ASB
> >
> > On 9/7/05, Jason B <[EMAIL PROTECTED]> wrote:
> >> We are putting a MS sharepoint server in the DMZ and need to have it on
> >> the domain and communicating with a SQL server on the domain.  Because of
> >> these needs, we only want to open the minimum number of ports to get
> >> functionality.  We have LDAP (389) opened and SQL (1433) opened.  What
> >> other ports will we need to open to be able to log in on the sharepoint
> >> server with a domain account?  Currently, with only these two ports
> >> opened, a domain account can't log on to the sharepoint server in the DMZ.
List info   : http://www.activedir.org/List.aspx
List FAQ    : http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
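Added example, not part of the thread above or of any product discussed in it: a small Python model of the three DMZ-to-LAN firewall rule sets the thread compares (the two ports Jason currently has open, a fully domain-joined host in the DMZ, and the reverse-proxy design Phil and Aric recommend). It reports which domain-membership ports the current rules lack, which is why a domain account cannot log on with only 389 and 1433 open, and how many ports each design exposes from the DMZ into the LAN. The zone names and rule structure are my own assumptions; the port list follows the Microsoft KB article Phil linked (Windows 2000/2003 defaults, with the RPC dynamic range assumed to be 1024-5000 as on those versions).

```python
"""Compare the size of the DMZ->LAN hole for the designs discussed in the thread."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    """One permit rule on the DMZ->LAN firewall (constructed model, not a vendor format)."""
    src_zone: str
    dst_zone: str
    proto: str      # "tcp" or "udp"
    port_lo: int
    port_hi: int    # inclusive; equal to port_lo for a single port

    def matches(self, src: str, dst: str, proto: str, port: int) -> bool:
        return (self.src_zone == src and self.dst_zone == dst
                and self.proto == proto and self.port_lo <= port <= self.port_hi)


# Ports a domain-joined member server must reach on a DC (per the KB article linked
# in the thread; Windows 2000/2003 defaults). Assumption: the RPC dynamic range is
# 1024-5000, the default on those versions.
DOMAIN_MEMBER_PORTS = frozenset({
    ("udp", 53), ("tcp", 53),      # DNS: DC locator (SRV records)
    ("udp", 88), ("tcp", 88),      # Kerberos authentication
    ("udp", 123),                  # NTP: Kerberos clock skew
    ("tcp", 135),                  # RPC endpoint mapper
    ("udp", 389), ("tcp", 389),    # LDAP
    ("tcp", 445),                  # SMB: SYSVOL and Netlogon
    ("udp", 464), ("tcp", 464),    # Kerberos password change
    ("tcp", 3268),                 # Global Catalog
})
RPC_DYNAMIC = ("tcp", 1024, 5000)  # assumed W2K/2003 default range
SQL_PORT = ("tcp", 1433)


def is_allowed(rules, src, dst, proto, port) -> bool:
    """True if any rule permits this flow."""
    return any(r.matches(src, dst, proto, port) for r in rules)


def missing_ports(rules, src, dst, required=DOMAIN_MEMBER_PORTS):
    """Required (proto, port) pairs that no rule permits, sorted for stable output."""
    return sorted(p for p in required if not is_allowed(rules, src, dst, *p))


def exposed_port_count(rules, src, dst) -> int:
    """Number of distinct (proto, port) pairs reachable from src into dst."""
    ports = set()
    for r in rules:
        if r.src_zone == src and r.dst_zone == dst:
            ports.update((r.proto, p) for p in range(r.port_lo, r.port_hi + 1))
    return len(ports)


# Constructed rule sets for the three designs.
JASON_CURRENT = [Rule("dmz", "lan", "tcp", 389, 389),
                 Rule("dmz", "lan", "tcp", 1433, 1433)]


def rules_for_domain_joined_dmz_host():
    """Everything a domain member in the DMZ needs to reach DCs and SQL on the LAN."""
    rules = [Rule("dmz", "lan", proto, port, port) for proto, port in DOMAIN_MEMBER_PORTS]
    rules.append(Rule("dmz", "lan", *RPC_DYNAMIC))
    rules.append(Rule("dmz", "lan", SQL_PORT[0], SQL_PORT[1], SQL_PORT[1]))
    return rules


def rules_for_reverse_proxy_design():
    """Sharepoint on the LAN, ISA in the DMZ: only the published web port crosses."""
    return [Rule("dmz", "lan", "tcp", 80, 80)]


if __name__ == "__main__":
    designs = [("current (389 + 1433 only)", JASON_CURRENT),
               ("domain-joined host in DMZ", rules_for_domain_joined_dmz_host()),
               ("SP on LAN, reverse proxy in DMZ", rules_for_reverse_proxy_design())]
    for name, rules in designs:
        print(f"{name}: {exposed_port_count(rules, 'dmz', 'lan')} DMZ->LAN ports exposed; "
              f"missing for domain logon from the DMZ: {missing_ports(rules, 'dmz', 'lan')}")
```

The reverse-proxy row deliberately still reports the AD ports as "missing": with the Sharepoint server on the LAN, that traffic never has to cross the firewall, which is the whole point of Phil's and Aric's suggestion. The domain-joined row shows the other side of the trade: the dynamic RPC range alone turns a handful of permits into thousands of reachable ports.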
