RE: [ActiveDir] IIS behind firewall
Actually, there are a lot of secure ways to do this - none of them, however, involve putting IIS outside your firewall. There's no reason that it can't be behind the firewall, with just ports 443 and 80 open from the outside world. The flip side to that is putting it outside your firewall: you need all the NT or AD authentication ports open, plus you have to do a lot of hacking on your Exchange servers to set static ports for the services (by default they are dynamically assigned ports).

We happen to use a proxy server in our DMZ that functions as both a reverse proxy (many clients to one server) and an SSL accelerator, with the OWA server inside the firewall, and limited to just the proxy box for connections.

--
Roger D. Seielstad - MCSE
Sr. Systems Administrator
Inovis - Formerly Harbinger and Extricity
Atlanta, GA

-----Original Message-----
From: Garello, Kenneth [mailto:KGarello;worcester.edu]
Sent: Wednesday, November 06, 2002 2:19 PM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] IIS behind firewall

Rick,

Thank you very much for your thoughts. My task at hand is to provide Outlook Web Access to our internal mail system. From your discussion, I take it that there really is no secure way to do this. Are there options that I am not aware of?

Ken

-----Original Message-----
From: Rick Kingslan [mailto:rkingsla;cox.net]
Sent: Wednesday, November 06, 2002 11:11 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] IIS behind firewall
RE: [ActiveDir] IIS behind firewall
Thanks for everyone's input. I've got a lot of planning to do!

Ken

-----Original Message-----
From: Roger Seielstad [mailto:roger.seielstad;inovis.com]
Sent: Thursday, November 07, 2002 7:52 AM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] IIS behind firewall

-----Original Message-----
From: Garello, Kenneth [mailto:KGarello;worcester.edu]
Sent: Wednesday, November 06, 2002 2:19 PM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] IIS behind firewall

-----Original Message-----
From: Rick Kingslan [mailto:rkingsla;cox.net]
Sent: Wednesday, November 06, 2002 11:11 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] IIS behind firewall
RE: [ActiveDir] IIS behind firewall
Documents of interest:

http://www.nsa.gov/snac/win2k/index.html (look for the guide on IIS, but IIS hardening is worthless unless the base OS is hardened as well)

http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/prodtech/windows/windows2000/staysecure/default.asp (get the templates!)

http://www.sans.org (their guides are not free, but are quite worth the money)

I'd also look at various places like @Stake, Church of the Swimming Elephant (COTSE), NTBugTraq for some EXCELLENT information from folks that do this daily.

Now that the documents are cleared up, let's discuss IIS - AD authentication across the DMZ. First - your IIS servers should be on the outside. At the very least, they should be in a hard DMZ (behind a bastion or the first firewall, but in front of a soft DMZ). This is an untrusted zone. It's considered untrusted because the Internet data is not 'clean' or secure. Putting things out here is, in effect, putting systems that must be accessed by the public in harm's way. There really is no other way. We need to allow users to access them - but we can't lock them down as much as we'd like.

The separation that is intrinsic with trusted and untrusted (your IIS server in the hard DMZ is in the Internet zone) allows for the IIS server to access data in the untrusted DMZ. In no way should the IIS server in the Internet zone be allowed to access anything in the trusted zone. What this means is that it is not really considered a 'safe practice' to allow IIS (or any system directly) to authenticate to internal DCs. This is the reason for RADIUS - the authentication request comes from a trusted third party system (at least as far as your network is concerned - the RADIUS server is still on your network, but the number of ports open and the compromise risk are both low). Microsoft authentication requires a slew of ports to be open.

Steve Riley of Microsoft has a good article: http://www.microsoft.com/SERVICEPROVIDERS/columns/config_ipsec_p63623.asp on how to do replication and authentication over and across firewalls, but it is still considered a risky practice. It is typically not considered a 'good thing' to allow outside entities or untrusted systems to access trusted systems. In this case, the IIS server is untrusted because it is designed for direct access by outside entities that you have no control over. In many ways, you EXPECT it to be compromised - hence you cannot trust it.

On the other hand, you need to be able to trust that a DC is not compromised and that it is who it says it is and that the network is secure. This would be a trusted system - you trust the data, the authentication, the server. The only way that I would do any type of authentication across a DMZ is to have a forest or an AD authentication mechanism (an AD proxy, if you will) in the DMZ (not trusted) with IPSec channels to a trusted DC or set of DCs that would actually validate the request. Right now, it's a bit messy. But, be looking for a couple of things from MS and third parties (Aelita, Cisco) to pony up, too. I know that Cisco has ACS, but I'm not quite as up on that as I should be to know if it would help in this scenario.

Hope this helps. Any questions, please ask!

Rick Kingslan
MCSE, MCSA, MCT
Microsoft MVP - Active Directory
Associate Expert
Expert Zone - www.microsoft.com/windowsxp/expertzone

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:ActiveDir-owner;mail.activedir.org] On Behalf Of Garello, Kenneth
Sent: Tuesday, November 05, 2002 9:22 AM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] IIS behind firewall

-----Original Message-----
From: Rick Kingslan [mailto:rkingsla;cox.net]
Sent: Tuesday, November 05, 2002 9:28 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] IIS behind firewall
RE: [ActiveDir] IIS behind firewall
Microsoft recommends using ISA server in the DMZ to proxy the HTTP to the IIS/OWA server.

-----Original Message-----
From: Garello, Kenneth [mailto:KGarello;worcester.edu]
Sent: Wednesday, November 06, 2002 2:19 PM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] IIS behind firewall

-----Original Message-----
From: Rick Kingslan [mailto:rkingsla;cox.net]
Sent: Wednesday, November 06, 2002 11:11 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] IIS behind firewall

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:ActiveDir-owner;mail.activedir.org] On Behalf Of Garello, Kenneth
Sent: Tuesday, November 05, 2002 9:22 AM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] IIS behind firewall

-----Original Message-----
From: Rick Kingslan [mailto:rkingsla;cox.net]
Sent: Tuesday, November 05, 2002 9:28 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] IIS behind firewall
RE: [ActiveDir] IIS behind firewall
Ken,

OWA is a tough one - but it's not as bad as an IIS server. Primarily, most of IIS is shut off. OWA acts as a HTTP/HTTPS protocol front end to your back end message stores on the Exchange servers. Microsoft recommends having them on the internal network to alleviate all of the ports that you have to open to satisfy Exchange and the DCs that it must get information from (just to name a few - 3268 - Global Catalog, 389 - LDAP, 445 - CIFS). Effectively, putting the OWA server at your hard DMZ would turn your firewall into swiss cheese (or, as some like to put it - firelogs). There are just too many vulnerable holes.

Front end them in the internal network - and build a proxy in the DMZ to front end them. This will aid in hiding the OWA server(s) and provide added security.

Our secure site is comprised of a PIX at the external perimeter, a Nokia appliance box with CP-1 on a stripped BSD kernel. We have also implemented Content Switches (CSS) from Cisco as well as SSL off-loading. The only way to access our OWA is via SSL - from the off-loader in the DMZ it is HTTP traffic to the OWA front ends, and able to communicate with GC and DC freely from there. It's not that it can't be done, it just takes a lot of work.

Find the Exchange Security Operations Guide on the MS site as well. Well worth the read...

Hope this helps

Rick Kingslan
MCSE, MCSA, MCT
Microsoft MVP - Active Directory
Associate Expert
Expert Zone - www.microsoft.com/windowsxp/expertzone

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:ActiveDir-owner;mail.activedir.org] On Behalf Of Garello, Kenneth
Sent: Wednesday, November 06, 2002 1:19 PM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] IIS behind firewall

-----Original Message-----
From: Rick Kingslan [mailto:rkingsla;cox.net]
Sent: Wednesday, November 06, 2002 11:11 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] IIS behind firewall
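The design Roger and Rick describe in this thread (only 443/80 open from the outside world, terminating on a proxy or SSL off-loader in the DMZ; the OWA front end on the internal network, accepting connections from the proxy box only; none of the GC/LDAP/CIFS ports opened inward from an untrusted zone) can be written down as a small policy check that a firewall rule set is audited against. The script below is an added example and is not code from the thread or from any product named in it. The zone names, the host names `dmz-proxy`, `owa-fe`, `owa-dmz`, `dmz-relay` and `dc1`, and both rule sets are constructed for illustration; ports 88 and 135 are an assumed addition to the three DC ports Rick lists.

```python
"""Policy check for the OWA-behind-a-DMZ-proxy design discussed in the thread.

Zones, host names and rule sets below are constructed for this example; they
do not describe any real site.
"""
from dataclasses import dataclass
from typing import List, Set, Tuple

# Trust order, lowest first: Internet (untrusted), DMZ (public-facing proxy),
# internal network (OWA front end, Exchange, domain controllers).
TRUST = {"INTERNET": 0, "DMZ": 1, "INTERNAL": 2}

# Ports the thread names as ones OWA/Exchange must reach on the DCs:
# 3268 Global Catalog, 389 LDAP, 445 CIFS.  88 (Kerberos) and 135 (RPC endpoint
# mapper) are assumed additions covering the wider NT/AD authentication set.
AD_PORTS: Set[int] = {3268, 389, 445, 88, 135}

WEB_PORTS: Set[int] = {443, 80}   # the only ports left open from the outside
PROXY = "dmz-proxy"               # constructed name for the reverse proxy / SSL off-loader
OWA_FRONT_END = "owa-fe"          # constructed name for the internal OWA front end


@dataclass(frozen=True)
class Rule:
    src_zone: str
    src_host: str   # "any" or a host name
    dst_zone: str
    dst_host: str
    port: int

    def __str__(self) -> str:
        return f"{self.src_zone}:{self.src_host} -> {self.dst_zone}:{self.dst_host}/{self.port}"


def audit(rules: List[Rule]) -> List[str]:
    """Return one finding per rule that breaks the design; an empty list is clean."""
    findings: List[str] = []
    for r in rules:
        inward = TRUST[r.src_zone] < TRUST[r.dst_zone]
        if r.src_zone == "INTERNET":
            # Outside traffic terminates on the proxy in the DMZ, on 443/80 only.
            if not (r.dst_zone == "DMZ" and r.dst_host == PROXY and r.port in WEB_PORTS):
                findings.append(f"{r}: outside world may reach only {PROXY} in the DMZ on {sorted(WEB_PORTS)}")
        elif inward and r.port in AD_PORTS:
            # GC/LDAP/CIFS opened from a less trusted zone into the internal
            # network: the 'swiss cheese' firewall Rick warns about.
            findings.append(f"{r}: AD port {r.port} opened from {r.src_zone} into {r.dst_zone}")
        elif r.dst_host == OWA_FRONT_END and not (r.src_host == PROXY and r.port in WEB_PORTS):
            # The OWA front end is limited to just the proxy box for connections.
            findings.append(f"{r}: only {PROXY} may connect to {OWA_FRONT_END}, and only over web ports")
        elif inward and r.dst_host != OWA_FRONT_END:
            # Any other inward connection from the DMZ is outside the design.
            findings.append(f"{r}: inward connection to {r.dst_host} is not part of the design")
    return findings


def exposed_from_internet(rules: List[Rule]) -> Set[Tuple[str, int]]:
    """(host, port) pairs reachable from the Internet zone, for a quick summary."""
    return {(r.dst_host, r.port) for r in rules if r.src_zone == "INTERNET"}


# The design Roger and Rick describe: proxy in the DMZ, OWA front end inside,
# DC traffic stays entirely within the trusted zone.
GOOD_RULES = [
    Rule("INTERNET", "any", "DMZ", PROXY, 443),
    Rule("DMZ", PROXY, "INTERNAL", OWA_FRONT_END, 80),   # plain HTTP after SSL off-load
    Rule("INTERNAL", OWA_FRONT_END, "INTERNAL", "dc1", 3268),
    Rule("INTERNAL", OWA_FRONT_END, "INTERNAL", "dc1", 389),
    Rule("INTERNAL", OWA_FRONT_END, "INTERNAL", "dc1", 445),
]

# The design Rick argues against: OWA in the hard DMZ with DC ports opened
# inward, a front end reachable straight from outside, and a second DMZ host
# allowed to talk to the front end.
BAD_RULES = [
    Rule("INTERNET", "any", "DMZ", "owa-dmz", 443),
    Rule("DMZ", "owa-dmz", "INTERNAL", "dc1", 3268),
    Rule("DMZ", "owa-dmz", "INTERNAL", "dc1", 389),
    Rule("DMZ", "owa-dmz", "INTERNAL", "dc1", 445),
    Rule("INTERNET", "any", "INTERNAL", OWA_FRONT_END, 80),
    Rule("DMZ", "dmz-relay", "INTERNAL", OWA_FRONT_END, 80),
]

if __name__ == "__main__":
    for name, rules in (("good", GOOD_RULES), ("bad", BAD_RULES)):
        print(f"{name}: exposed from Internet {sorted(exposed_from_internet(rules))}")
        for finding in audit(rules):
            print("  ", finding)
```

Run as a script it prints no findings for the first rule set and six for the second, one per DC port opened from the DMZ plus the three exposure rules. The check deliberately produces at most one finding per rule, so the count of findings is a direct measure of how many rules would have to change.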
RE: [ActiveDir] IIS behind firewall
You need to create a static NAT for the IIS server and open the appropriate ports through the firewall.

--
Roger D. Seielstad - MCSE
Sr. Systems Administrator
Inovis - Formerly Harbinger and Extricity
Atlanta, GA

-----Original Message-----
From: Mr Teo [mailto:teocs01;yahoo.com.sg]
Sent: Tuesday, November 05, 2002 4:26 AM
To: [EMAIL PROTECTED]
Subject: Re: [ActiveDir] IIS behind firewall

Hi all,

I am setting up a network under Active Directory, and my company is using a class C private address. However, the company also has a NAT which hides the network from the public. So how do I allow, e.g., all my staff to host their IIS by using the firewall?

List info : http://www.activedir.org/mail_list.htm
List FAQ: http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
RE: [ActiveDir] IIS behind firewall
By implementing one or more firewalls with either a screened subnet from one firewall or a DMZ implemented between two firewalls using stateful inspection, packet filtering and web/server publishing. Anything less is asking for a major intrusion and compromise. NAT is not even close to 'good enough' in this type of scenario.

Also - the IIS server(s) MUST be on the screened subnet or the DMZ - never on the internal network if they are going to be accessed by untrusted systems.

It would also be highly suggested to review Microsoft/SANS/NSA guidelines for secure operations in this type of environment. All three put out substantial and important documents detailing the lockdown procedures for Windows systems and secure communications from trusted to untrusted zones.

Rick Kingslan
MCSE, MCSA, MCT
Microsoft MVP - Active Directory
Associate Expert
Expert Zone - www.microsoft.com/windowsxp/expertzone

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Mr Teo
Sent: Tuesday, November 05, 2002 3:26 AM
To: [EMAIL PROTECTED]
Subject: Re: [ActiveDir] IIS behind firewall
RE: [ActiveDir] IIS behind firewall
Can you point to specific documents that you consider helpful? I'm especially interested in the last sentence (trusted to untrusted zones and AD). How can I provide IIS - AD authentication across the DMZ and feel that I have followed best security practices for that situation?

Any info pointers would be appreciated.

Ken

-----Original Message-----
From: Rick Kingslan [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, November 05, 2002 9:28 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] IIS behind firewall

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Mr Teo
Sent: Tuesday, November 05, 2002 3:26 AM
To: [EMAIL PROTECTED]
Subject: Re: [ActiveDir] IIS behind firewall