Re: [ActiveDir] Extranet's

2004-11-11 Thread Roger Seielstad
I'd think a single domain forest is plenty for an extranet solution. My current 
employer runs an extranet (so to speak) of over 1 machines in a single 
domain environment.

Roger


On Sun, Oct 24, 2004 at 08:57:06PM -0400, [EMAIL PROTECTED] wrote:
> We are looking at redesigning our extranet and are considering a
> separate forest for the extranet users and eventually most of the
> resources needed for the extranet will be put into that forest. My
> thinking is that since a domain isn't a true security boundary and it
> really won't cost us more to bring up a forest vs. domain why not go
> with a separate forest. The users in the extranet forest won't
> necessarily need access to the internal systems but some of the machines
> will need to talk to internal servers so I assume at some point we will
> need a trust relationship.  My question is simply what am I missing and
> has anyone done similar setups?
>  
> 
> Holland + Knight 
>   
> Travis Abrams MCSE, GCIH 
> Systems Engineer 
> Holland & Knight LLP 
>   
> NOTICE:  This e-mail is from a law firm, Holland & Knight LLP ("H&K"),
> and is intended solely for the use of the individual(s) to whom it is
> addressed.  If you believe you received this e-mail in error, please
> notify the sender immediately, delete the e-mail from your computer and
> do not copy or disclose it to anyone else.  If you are not an existing
> client of H&K, do not construe anything in this e-mail to make you a
> client unless it contains a specific statement to that effect and do not
> disclose anything to H&K in reply that you expect it to hold in
> confidence.  If you properly received this e-mail as a client,
> co-counsel or retained expert of H&K, you should maintain its contents
> in confidence in order to preserve the attorney-client or work product
> privilege that may be available to protect confidentiality.
> 
>  
> 
List info   : http://www.activedir.org/mail_list.htm
List FAQ: http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/


RE: [ActiveDir] Extranet's

2004-10-26 Thread travis.abrams
Thanks to everyone for the feedback. The tip on selective
authentication is very interesting. I still plan to use the forest
concept but I do appreciate the ideas.




RE: [ActiveDir] Extranet's

2004-10-26 Thread Justin_Leney

Return Receipt: your "RE: [ActiveDir] Extranet's" document was received by Justin Leney/US/DCI at 10/26/2004 08:42:44 AM.





RE: [ActiveDir] Extranet's

2004-10-25 Thread Rodney Gardiner
I have found TS to be quite useful for external access to internal
resources. Yes, a pain to set up at times, etc., and we are not using it for
anything complex, but I have created specific usernames and passwords for
specific actions / access to specific resources. Under the Environment tab I
tick "Start the following program at logon" and enter the relevant details.

When the account is used only the application loads and you get no desktop.
As soon as the application is closed the TS session terminates.

Maybe not the best way to do things, but for our purposes it keeps users
without a desktop and gives them access only to the application required.

Rodney 


RE: [ActiveDir] Extranet's

2004-10-25 Thread Renouf, Phil
Good points, although for giving external users access to internal
resources I think Terminal Services is a bad idea if you are concerned
enough about security to be looking into a separate forest for your
extranet. Citrix has much more flexibility for giving access to internal
resources in a setup like this by using published applications and not a
published desktop. This allows you to lock the user down much better and
limit them to only being able to run the application and never getting
to see a desktop. Still not as secure as not having them log in to your
internal forest, but better than TS that gives a user a full desktop.

Phil 



RE: [ActiveDir] Extranet's

2004-10-25 Thread Myrick, Todd (NIH/CIT)
Here are some sources to reference in your design process.

http://www.microsoft.com/technet/security/topics/identity/idmanage/P1Plat_4.mspx

A couple of points to raise:

1.  To support this infrastructure you will require DNS and
additional hardware.  Make sure you provision accordingly.
2.  You need to decide if there needs to be TRUST involved.  Make
sure you plan for IPSEC to make the trust more secure.
3.  You should monitor the extranet for availability, and also
audit it heavily and use restrictive security policies to enforce
compliance.
4.  If your goal is to give external users access to internal
applications, you might investigate Terminal Services and user accounts
with more restrictive settings.
5.  If you only need LDAP for authentication, look into using ADAM
and third-party SSOs.  Fewer infrastructure requirements.
6.  Remember to patch, patch, patch.

 

Good Luck….

Todd
RE: [ActiveDir] Extranet's

2004-10-24 Thread Grillenmeier, Guido
yep, done it several times this way - at least for the 
users. Depending on how your machines need to talk to the internal servers, you 
might not even need to set up a trust. But if you don't get around it, you could 
still limit its reach using selective authentication.
 
/Guido


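The selective authentication Guido points to, as an added example that is not from the thread or any of its posters: the commands below switch the incoming forest trust from forest-wide to selective authentication, verify the change, and then grant "Allowed to Authenticate" only on the internal servers the extranet machines must reach. Forest names, the group name and the server DNs are placeholders; it assumes netdom and dsacls (Support Tools / RSAT) and the ActiveDirectory module are available on a DC of the internal forest.

```powershell
# Added example, not from the thread. Placeholders: forest names, group, server DNs.
# Run on a domain controller of the internal (trusting) forest with
# Enterprise Admin rights; netdom and dsacls come from Support Tools / RSAT.

$InternalForest = 'corp.example'      # trusting forest: holds the resources
$ExtranetForest = 'extranet.example'  # trusted forest: holds the extranet accounts

# 1. Forest-wide authentication (the default) makes every extranet principal a
#    member of Authenticated Users on every internal machine. Selective
#    authentication denies them everywhere until explicitly allowed per server.
netdom trust $InternalForest "/domain:$ExtranetForest" /SelectiveAuth:Yes

# 2. Confirm the trust now reports SelectiveAuthentication = True before
#    granting anything; a forest-wide trust would make the grants meaningless.
$trust = Get-ADTrust -Filter "Name -eq '$ExtranetForest'"
if (-not $trust.SelectiveAuthentication) {
    throw "Trust to $ExtranetForest is still forest-wide; stop here and fix it."
}

# 3. Grant "Allowed to Authenticate" only on the computer objects the extranet
#    machines actually need, and only to a group, so the reach of the trust is
#    the explicit list below and nothing else.
$AllowedPrincipal = 'EXTRANET\Extranet-Web-Servers'   # placeholder group
$ReachableServers = @(
    'CN=SQL01,OU=Servers,DC=corp,DC=example',         # placeholder DNs
    'CN=APP01,OU=Servers,DC=corp,DC=example'
)
foreach ($dn in $ReachableServers) {
    dsacls $dn /G "${AllowedPrincipal}:CA;Allowed to Authenticate"
}

# 4. Review: print the "Allowed to Authenticate" entries on each server object
#    so the grants can be audited against the intended list.
foreach ($dn in $ReachableServers) {
    dsacls $dn | Select-String 'Allowed to Authenticate'
}
```

Granting the right on an OU with inheritance instead of per computer object widens the reach to every server placed in that OU later, so keep the grants on the individual objects unless that growth is intended.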