Title: Sharepoint in the DMZ
 

 
Hi Russ,
 
I have a friend with a lot of experience as Sharepoint administrator in different environments, this is what he suggested.
 
 
 
BTW, although he is currently working in the same company as me, he is looking to move to another company, in case you need someone.
 
Rezuma




They should only open port 443 from the internet and use SSL if it will be used with AD users. If it’s dual purpose for outlook web access, it still only needs 443. You can hide the purpose of this port from port scanners by using a load balancer or port redirection.

 

When connecting servers in the DMZ to servers on the inside, the “best” way is to create an IPSec tunnel from the web server to the inside (dbase or exchange) server using the MS built-in networking and run the tunnel over a non-standard port such as 5066. That will minimize how many ports are open from the DMZ to inside and will also take care of forgetting to open a port or two when more traffic needs to pass, such as NetBIOS or AD type traffic. Because it’s a non-standard port, it makes it harder to find and identify for specific exploit types such as SQL injection on port 1433 against SQL server.

 

I don’t have an opinion on using a child domain, it will work fine but if security is the reason, I’d build a separate domain and use a trust maybe.

 

What do you think?

 

Dan
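Below is an added example (it is not Dan's, his friend's, or anything from this thread) showing what the DMZ-to-inside IPsec and host-firewall parts of that advice look like as a Windows policy, using the NetSecurity PowerShell cmdlets available on Windows Server 2012 and later rather than the 2006-era IPsec MMC snap-in. The addresses, the CA name and the rule names are assumptions. Windows IPsec carries the protected traffic as ESP (IP protocol 50) negotiated over IKE (UDP 500, plus UDP 4500 when NAT traversal is involved), so the perimeter rule between the two hosts is those three things; the application port (1433 here, or whatever SharePoint needs later) rides inside ESP and gets no perimeter rule of its own.

```powershell
# Added example, not from the thread. Run once on the inside SQL Server
# (-Role Inside) and once on the DMZ SharePoint server (-Role Dmz).
# All addresses, the CA distinguished name and rule names are assumed.
function New-DmzToInsideIpsecPolicy {
    param(
        [Parameter(Mandatory)][ValidateSet('Inside', 'Dmz')][string]$Role,
        [string]$DmzWebServer    = '192.0.2.10',   # assumed: SharePoint in the DMZ
        [string]$InsideSqlServer = '10.0.0.20',    # assumed: SQL Server on the inside
        [string]$CaDn = 'CN=Corp Issuing CA, DC=corp, DC=example'  # assumed issuing CA
    )

    # Which host is the peer depends on which side of the firewall we are on.
    $peer = if ($Role -eq 'Inside') { $DmzWebServer } else { $InsideSqlServer }

    # 1. Authenticate the two machines with computer certificates from the
    #    corporate CA. Kerberos would need the DMZ host to reach a DC before
    #    the IPsec association exists; certificates avoid that dependency.
    $proposal = New-NetIPsecAuthProposal -Machine -Cert -Authority $CaDn -AuthorityType Root
    $authSet  = New-NetIPsecPhase1AuthSet -DisplayName 'DMZ-Inside machine cert' -Proposal $proposal

    # 2. Require IPsec for ALL traffic between the two hosts, not only 1433.
    #    Because everything between them is ESP, the perimeter firewall only
    #    has to pass IKE (UDP 500/4500) and ESP (IP protocol 50) between
    #    $DmzWebServer and $InsideSqlServer; SQL, NetBIOS or any protocol the
    #    application later needs goes through without a new perimeter rule.
    New-NetIPsecRule -DisplayName 'Require IPsec DMZ-Inside' `
        -LocalAddress Any -RemoteAddress $peer `
        -InboundSecurity Require -OutboundSecurity Require `
        -Phase1AuthSet $authSet.Name

    if ($Role -eq 'Inside') {
        # 3a. Host firewall on the SQL Server: 1433 only from the DMZ web server,
        #     and only on a connection that IPsec has authenticated and encrypted.
        #     A compromised DMZ host with another address still cannot reach 1433.
        New-NetFirewallRule -DisplayName 'SQL 1433 from SharePoint (IPsec only)' `
            -Direction Inbound -Protocol TCP -LocalPort 1433 `
            -RemoteAddress $DmzWebServer -Action Allow `
            -Authentication Required -Encryption Required
    }
    else {
        # 3b. Host firewall on the DMZ web server: the Internet reaches 443 only.
        New-NetFirewallRule -DisplayName 'HTTPS from Internet' `
            -Direction Inbound -Protocol TCP -LocalPort 443 -Action Allow
        # Disable any inbound rule (for example the default IIS HTTP rule)
        # that would also expose TCP 80 on this box.
        Get-NetFirewallPortFilter |
            Where-Object { $_.Protocol -eq 'TCP' -and $_.LocalPort -eq 80 } |
            Get-NetFirewallRule |
            Where-Object { $_.Direction -eq 'Inbound' } |
            Disable-NetFirewallRule
    }
}

# Example invocation on the inside SQL Server (assumed addresses):
New-DmzToInsideIpsecPolicy -Role Inside -DmzWebServer '192.0.2.10' -InsideSqlServer '10.0.0.20'
```

After SharePoint on the DMZ host opens its first SQL connection, `Get-NetIPsecMainModeSA` and `Get-NetIPsecQuickModeSA` on either server should list an association between the two addresses; a `Test-NetConnection -ComputerName 10.0.0.20 -Port 1433` from any other DMZ host should fail, since the 1433 rule only admits IPsec-authenticated connections from the SharePoint address. Both machines need a computer certificate chaining to the assumed CA before the policy is applied, otherwise the Require/Require rule blocks all traffic between them.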

 


 


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Group, Russ
Sent: Tuesday, September 12, 2006 10:45 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Sharepoint in the DMZ

Hi all

I have a consultant that wants to put Sharepoint into our DMZ.  Here is what he is proposing to do:

  • Create a child domain and put the Sharepoint computer account in the child domain
  • Put Sharepoint server in our DMZ.
  • Open up the same ports for Sharepoint that we would open for Outlook Web Access
  • Also open port 1433 for SQL

Since I don’t know much about Sharepoint, I was hoping someone would be able to let me know if this has been done in the past and if it's safe.

Thank you

Russ
