RE: [ActiveDir] Sharepoint in the DMZ

[Ramon Linan]

Title: Sharepoint in the DMZ

No problem at all, he is actually living in MD.   Let me know if you would like his contact info.   Rezuma From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Group, Russ Sent: Thursday, September 14, 2006 9:18 AM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Sharepoint in the DMZ Thank you   Is he in NY?   Thanks Russ From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Ramon Linan Sent: Wednesday, September 13, 2006 9:14 AM To: ActiveDir@mail.activedir.org Subject: FW: [ActiveDir] Sharepoint in the DMZ     Hi Russ,   I have a friend with a lot of experience as Sharepoint administrator in different environments, this is what he suggested.       BTW, although he is currently working in the same company than me, he is looking to move to another company, in case you need someone.   Rezuma             They should only open port 443 from the internet and use SSL if it will be used with AD users. If it’s dual purpose for outlook web access, it still only needs 443. You can hide the purpose of this port from port scanners by using a load balancer or port redirection.   When connecting servers in the DMZ to servers on the inside, the “best” way is to create a IPSec tunnel from web server to inside (dbase or exchange)) server using the MS built in networking and run the tunnel over a non-standard port such as 5066. That will minimize how many ports are open from the DMZ to inside and will also take care of forgetting to open a port or two when more traffic needs to pass such as NetBIOS or AD type traffic. Because it’s a non-standard port, it makes it harder to find and identify for specific exploit types such as SQL injection on port 1433 against SQL server.   I don’t have an opinion on using a child domain, it will work fine but if security is the reason, I’d build a separate domain and use a trust maybe.   What do you think?   Dan     From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Group, Russ Sent: Tuesday, September 12, 2006 10:45 AM To: ActiveDir@mail.activedir.org Subject: [ActiveDir] Sharepoint in the DMZ Hi all I have a consultant that wants to put Sharepoint into our DMZ.  Here is what he is proposing to do: Create a child domain and put the Sharepoint computer account in the child domain Put Sharepoint server in our DMZ. Open up the same ports for Sharepoint that we would open for Outlook Web Access Also open port 1433 for SQL Since I don’t know much about Sharepoint, I was hoping someone would be to let me know if this has been done in the past and if it's safe. Thank you Russ