Ok, I fired off a quick email and got a quick response. That blog applies to 'server 2008' but not 'server 2008 r2'. I'm awaiting details regarding 'server 2008 r2' and how it differs. Apparently they "fixed it" in R2. I'll follow up when I have more details (and time).
TMG/UAG are the replacements (i.e., version upgrades with name changes) to ISA.

Regards,

Michael B. Smith
Consultant and Exchange MVP
http://TheEssentialExchange.com

-----Original Message-----
From: David Lum [mailto:david....@nwea.org]
Sent: Monday, November 29, 2010 5:42 PM
To: NT System Admin Issues
Subject: RE: 2008 R2 RDS (was Terminal Server) in DMZ to 2K3 DC in LAN

Does it not matter that there are two firewalls involved? Or is the assumption here that an attacker can easily get past 443 and compromise the box in the DMZ? We can't use ISA, and what is TMG/UAG?

Dave

-----Original Message-----
From: Webster [mailto:carlwebs...@gmail.com]
Sent: Monday, November 29, 2010 2:36 PM
To: NT System Admin Issues
Subject: RE: 2008 R2 RDS (was Terminal Server) in DMZ to 2K3 DC in LAN

Had to see the doc for myself.

http://blogs.msdn.com/b/rds/archive/2009/07/31/rd-gateway-deployment-in-a-perimeter-network-firewall-rules.aspx

Still can't believe my eyes. It says:

When there is no AD DS in the perimeter network, ideally the servers in the perimeter network should be in a workgroup, but the RD Gateway server has to be domain-joined because it has to authenticate and authorize corporate domain users and resources.

Section 3.1 then tells you how to make swiss cheese of your firewall.

Webster

> -----Original Message-----
> From: Kurt Buff [mailto:kurt.b...@gmail.com]
> Subject: Re: 2008 R2 RDS (was Terminal Server) in DMZ to 2K3 DC in LAN
>
> Wow.
>
> MSFT actually says you should put domain members in a DMZ and allow
> them to initiate traffic back into the production network?
>
> That's all fscked-up.
>
> If I put a machine in the DMZ, it's a member of a workgroup, and the
> production network talks to it, not the other way around (except for
> DNS, SMTP and - I forgot - syslog). I could also see a domain in the
> DMZ, but no trusts back to the production network - I simply haven't
> seen the need for anything of that scale in my work so far.
>
> Kurt
>
> On Mon, Nov 29, 2010 at 14:02, David Lum <david....@nwea.org> wrote:
> > I'm simply following what is being preached by the Terminal Server /
> > Remote Desktop Services guides and documentation. Machines hit the
> > gateway (the only open port between it and the Internet is 443) and
> > users have to be authenticated before running only the approved
> > applications.
> >
> > IPSec isn't even mentioned, oddly.
> >
> > Dave
> >
> > -----Original Message-----
> > From: Kurt Buff [mailto:kurt.b...@gmail.com]
> > Sent: Monday, November 29, 2010 12:49 PM
> > To: NT System Admin Issues
> > Subject: Re: 2008 R2 RDS (was Terminal Server) in DMZ to 2K3 DC in LAN
> >
> > Wouldn't it be simpler (and more secure) to put IPSec in place? Far
> > fewer holes to poke in the firewall, for a start.
> >
> > I'm ignoring for a moment that it's sinful to have a machine in the
> > DMZ auth (or start *any* conversation beyond perhaps DNS or SMTP)
> > with a machine in the production network.
> >
> > Kurt
> >
> >
> > On Mon, Nov 29, 2010 at 10:08, David Lum <david....@nwea.org> wrote:
> >> I have a 2008 R2 server in a DMZ and I need it to authenticate
> >> with our AD but it tells me "domain is not available".
> >>
> >> Per this article:
> >>
> >> http://blogs.msdn.com/b/rds/archive/2009/07/31/rd-gateway-deployment-in-a-perimeter-network-firewall-rules.aspx
> >>
> >> I have the following firewall rules from the DMZ server --> inbound.
> >> RADIUS is not used.
> >>
> >> TCP/UDP 53 (DNS) --> DC's
> >> TCP 88 (Kerberos) --> DC's
> >> TCP 135 (RPC) --> DC's
> >> TCP/UDP 389 (LDAP) --> DC's, RDS servers
> >> TCP/UDP 443 (SSL) --> DC's, RDS servers
> >> TCP/UDP 24158 (WMI) --> RDS servers * (I set this port to be fixed on the RDS servers)
> >> TCP 3389 (RDP) --> LAN
> >> TCP 5504 --> RDS Broker
> >>
> >> Do I also need to have TCP > 1024 opened up?
> >> I can't log into this system via a domain account.

~ Finally, powerful endpoint security that ISN'T a resource hog! ~
~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/> ~

---
To manage subscriptions click here:
http://lyris.sunbelt-software.com/read/my_forums/
or send an email to listmana...@lyris.sunbeltsoftware.com
with the body: unsubscribe ntsysadmin
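As an added example (not from the thread or from Microsoft's documentation): a PowerShell 2.0-compatible script you can run on the DMZ RD Gateway to probe each TCP port in the rule list from the original message against the DC, RDS, broker and LAN hosts, so the "domain is not available" error can be traced to the rule the firewall is actually dropping. All host names are placeholders, and the UDP halves of the 53/389/443 rules are not probed.

```powershell
# Added example, not from the thread: probe the TCP ports in the rule list above from the
# DMZ RD Gateway. Uses System.Net.Sockets.TcpClient so it runs on PowerShell 2.0 (2008 R2).
# All host names below are placeholders; replace with the real DCs / RDS hosts / broker.
$dcs    = @('dc1.corp.example', 'dc2.corp.example')
$rds    = @('rdsh1.corp.example')
$broker = @('rdcb1.corp.example')
$lan    = @('lanhost.corp.example')

# Rules as listed in the original message. UDP 53/389/443 are not probed (no TCP handshake).
# TCP 135 only reaches the RPC endpoint mapper; the dynamic high ports it hands out are not
# enumerated here, which is what the "TCP > 1024" question is about.
$checks = @(
    @{ Port = 53;    Name = 'DNS';        Targets = $dcs },
    @{ Port = 88;    Name = 'Kerberos';   Targets = $dcs },
    @{ Port = 135;   Name = 'RPC';        Targets = $dcs },
    @{ Port = 389;   Name = 'LDAP';       Targets = $dcs + $rds },
    @{ Port = 443;   Name = 'SSL';        Targets = $dcs + $rds },
    @{ Port = 24158; Name = 'WMI(fixed)'; Targets = $rds },
    @{ Port = 3389;  Name = 'RDP';        Targets = $lan },
    @{ Port = 5504;  Name = 'Broker';     Targets = $broker }
)

function Test-TcpPort {
    param([string]$ComputerName, [int]$Port, [int]$TimeoutMs = 2000)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $ar = $client.BeginConnect($ComputerName, $Port, $null, $null)
        # Neither SYN/ACK nor RST within the timeout usually means a firewall silently dropped it.
        if (-not $ar.AsyncWaitHandle.WaitOne($TimeoutMs, $false)) { return 'TIMEOUT (filtered?)' }
        $client.EndConnect($ar)      # throws if the host answered with RST (port closed)
        return 'OPEN'
    } catch {
        return 'REFUSED/ERROR'       # host reachable, but nothing listening (or name resolution failed)
    } finally {
        $client.Close()
    }
}

"{0,-24} {1,-11} {2,6}  {3}" -f 'Target', 'Rule', 'Port', 'Result'
foreach ($c in $checks) {
    foreach ($t in $c.Targets) {
        $result = Test-TcpPort -ComputerName $t -Port $c.Port
        "{0,-24} {1,-11} {2,6}  {3}" -f $t, $c.Name, $c.Port, $result
    }
}
```

A row showing TIMEOUT on TCP 88 or 389 to the DCs is the usual cause of the logon failure; a REFUSED result means the packet got through and the problem is on the target host, not the firewall.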