RE: [ActiveDir] Using Active Directory between a firewall
It might be an idea to give us a bit of a heads-up (relating to Roger's question) as to why - and more importantly, how your DMZ is set up. Do you just have the one DMZ, or do you have a Bastion host with a Public DMZ, then your internal network, or do you have a multi-layered DMZ (Public, Private, Internal)? Or is it a combination of any of the above with Private VLANs?

The reason that I ask is that there are a myriad of ways of doing what you're asking. I'm not going to get into the risk of any of the systems (though I do question IF they need to be there), but can provide guidance on who should be talking to whom - and when the wrong communication or directness of communication is occurring.

Also, it would dictate (dependent on the layering of your DMZ and perimeter networks) the placement of systems, as good and secure practice says that in a multi-layered DMZ a system or device cannot skip a layer to talk to a less secure device. IOW, a system from the Public DMZ cannot directly talk to a system in the Internal network. There must be an intervening device in the Private DMZ. This creates (along with some degree of complexity) an environment whereby an attacker must compromise multiple systems to succeed.

For reference, we employ a three-tiered DMZ with our external routers, PIX, and a firewall appliance creating a Public DMZ, a Private DMZ and our internal network. We also use Private VLANs to control which servers or devices on the DMZs can talk to other systems on their respective subnets. Just because system A has an IP of 10.10.1.25/24 and system B has an IP of 10.10.1.26/24 does not mean that they can talk to each other. If they are not in the same VLAN, or no rule is in place to allow a specific communication, they will not be able to talk.

> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Roger Seielstad
> Sent: Friday, January 24, 2003 7:47 AM
> To: '[EMAIL PROTECTED]'
> Subject: RE: [ActiveDir] Using Active Directory between a firewall
>
> Can I ask why you're choosing to put your servers into the DMZ? Other than ISA (maybe - and I'm not convinced even that one), none of the other servers needs to be publicly exposed.
>
> --
> Roger D. Seielstad - MCSE
> Sr. Systems Administrator
> Inovis - Formerly Harbinger and Extricity
> Atlanta, GA

List info : http://www.activedir.org/mail_list.htm
List FAQ: http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
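A small policy checker, added here as an example and not part of the thread, that models the two rules from the message above: a flow may never skip a DMZ layer, and two hosts on the same subnet cannot talk unless they share a private VLAN or an explicit rule permits the flow. The host names, addresses, VLAN names and the single LDAP rule are constructed for illustration.

```python
from dataclasses import dataclass
from ipaddress import ip_interface

# Tiers ordered from least to most trusted, matching the three-tier layout in the message.
TIERS = ("public", "private", "internal")

@dataclass(frozen=True)
class Host:
    name: str
    addr: str   # address with prefix, e.g. "10.10.1.25/24"
    tier: str
    vlan: str   # private VLAN the host sits in

@dataclass(frozen=True)
class Rule:
    src: str    # host name
    dst: str
    port: int   # TCP port the rule permits

def check_flow(src: Host, dst: Host, port: int, rules: list) -> tuple:
    """Evaluate one candidate flow. Deny by default: a flow needs an explicit
    rule unless both hosts share a tier and a private VLAN."""
    gap = TIERS.index(dst.tier) - TIERS.index(src.tier)
    if abs(gap) > 1:
        # A layer is never skipped, even if someone wrote a rule for it.
        return False, f"{src.tier} -> {dst.tier} skips a DMZ layer"
    if src.tier == dst.tier and src.vlan == dst.vlan:
        return True, "same tier and same private VLAN"
    if any(r.src == src.name and r.dst == dst.name and r.port == port for r in rules):
        return True, f"explicit rule permits tcp/{port}"
    if ip_interface(src.addr).network == ip_interface(dst.addr).network:
        return False, "same subnet but different private VLAN and no rule"
    return False, "no rule permits this flow"

# Constructed sample inventory; names, addresses and VLANs are illustrative only.
HOSTS = {h.name: h for h in [
    Host("web01", "10.10.1.25/24", "public", "pvlan-web"),
    Host("ftp01", "10.10.1.26/24", "public", "pvlan-ftp"),
    Host("isa01", "10.10.2.10/24", "private", "pvlan-proxy"),
    Host("dc01", "10.10.3.5/24", "internal", "servers"),
]}
RULES = [Rule("isa01", "dc01", 389)]  # hypothetical LDAP rule, private DMZ proxy -> DC

def evaluate(src: str, dst: str, port: int) -> tuple:
    return check_flow(HOSTS[src], HOSTS[dst], port, RULES)

if __name__ == "__main__":
    for flow in [("web01", "dc01", 389), ("web01", "ftp01", 21), ("isa01", "dc01", 389)]:
        print(flow, evaluate(*flow))
```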
RE: [ActiveDir] Using Active Directory between a firewall
Can I ask why you're choosing to put your servers into the DMZ? Other than ISA (maybe - and I'm not convinced even that one), none of the other servers needs to be publicly exposed.

--
Roger D. Seielstad - MCSE
Sr. Systems Administrator
Inovis - Formerly Harbinger and Extricity
Atlanta, GA

> -----Original Message-----
> From: Oluwaseyi Owoeye [mailto:[EMAIL PROTECTED]]
> Sent: Friday, January 24, 2003 6:23 AM
> To: [EMAIL PROTECTED]
> Subject: RE: [ActiveDir] Using Active Directory between a firewall
>
> Yes I can see the AD Server from within the DMZ and pinging the server gives me no problem at all
RE: [ActiveDir] Using Active Directory between a firewall
A good white paper is "Using Microsoft Exchange 2000 Front-End Servers" by KC Lemson and Michelle Martin. Here's a link to the download: http://download.microsoft.com/download/exchplatinumbeta/E2kFB/1.0/W98NT42KMeXP/EN-US/e2kfrontback.exe

Its focus isn't quite what you're looking for, but it does cover how to configure a firewall between Exchange and Active Directory.

Clyde Burns

> -----Original Message-----
> From: Oluwaseyi Owoeye [mailto:[EMAIL PROTECTED]]
> Sent: Friday, January 24, 2003 4:33 AM
> To: [EMAIL PROTECTED]
> Subject: [ActiveDir] Using Active Directory between a firewall
>
> Hi guys,
>
> I have a little problem over here. I have an implementation of active directory where the servers sit on a subnet and all the client workstations sit in another subnet.
>
> For security reasons I want to move the servers into the DMZ zone. I found out that when I move the servers into the DMZ zone they are not able to communicate with active directory. This is because the domain controller is within the proper network, but the servers that need to be moved into the DMZ are servers like the Exchange and ISA servers and these servers need to communicate with active directory to function properly.
>
> What ports do I need to open on the firewall in order for the machines in the DMZ to talk to active directory effectively?
>
> Thanks
>
> VIRUS SCANNED!
> Marina One
RE: [ActiveDir] Using Active Directory between a firewall
http://support.microsoft.com/default.aspx?scid=kb;en-us;Q280132&sd=tech
http://groups.google.com/groups?selm=iPqW9.269619%24FT6.44975413%40news4.srv.hcvlny.cv.net&oe=UTF-8&output=gplain

> -----Original Message-----
> From: Jochen Andries [mailto:[EMAIL PROTECTED]]
> Sent: Friday, January 24, 2003 6:34 AM
> To: [EMAIL PROTECTED]
> Subject: RE: [ActiveDir] Using Active Directory between a firewall
>
> Maybe a solution in this article: http://www.microsoft.com/windows2000/docs/adsegmented.doc
>
> Jochen Andries
Re: [ActiveDir] Using Active Directory between a firewall
There's some handy info in here, too. Relates to Replication, but there you go. Lots of useful port numbers.

Non-obvious is that under certain circumstances (if the client computers are not members of the domain and want to connect/authenticate with DCs for some reason), you *might* need to open port 139/tcp for them or the "domain controller location mechanism" to function. This seems to be unnecessary if the workstations are members of the domain.

All the best,
Andy

http://www.microsoft.com/serviceproviders/columns/config_ipsec_P63623.asp

> ----- Original Message -----
> From: Jochen Andries
> To: [EMAIL PROTECTED]
> Sent: Friday, January 24, 2003 12:34 PM
> Subject: RE: [ActiveDir] Using Active Directory between a firewall
>
> Maybe a solution in this article: http://www.microsoft.com/windows2000/docs/adsegmented.doc
>
> Jochen Andries
RE: [ActiveDir] Using Active Directory between a firewall
Maybe a solution in this article: http://www.microsoft.com/windows2000/docs/adsegmented.doc

Jochen Andries

> -----Original Message-----
> From: Oluwaseyi Owoeye [mailto:[EMAIL PROTECTED]]
> Sent: Friday, 24 January 2003 12:23
> To: [EMAIL PROTECTED]
> Subject: RE: [ActiveDir] Using Active Directory between a firewall
>
> Yes I can see the AD Server from within the DMZ and pinging the server gives me no problem at all
RE: [ActiveDir] Using Active Directory between a firewall
Yes I can see the AD Server from within the DMZ and pinging the server gives me no problem at all

> -----Original Message-----
> From: Jochen Andries [mailto:[EMAIL PROTECTED]]
> Sent: Friday, January 24, 2003 10:45 AM
> To: [EMAIL PROTECTED]
> Subject: RE: [ActiveDir] Using Active Directory between a firewall
>
> Do you see the AD-server from the server in the DMZ-zone? (Ping-request, ...)
RE: [ActiveDir] Using Active Directory between a firewall
Do you see the AD-server from the server in the DMZ-zone? (Ping-request, ...)

> -----Original Message-----
> From: Oluwaseyi Owoeye [mailto:[EMAIL PROTECTED]]
> Sent: Friday, 24 January 2003 10:33
> To: [EMAIL PROTECTED]
> Subject: [ActiveDir] Using Active Directory between a firewall
>
> Hi guys,
>
> I have a little problem over here. I have an implementation of active directory where the servers sit on a subnet and all the client workstations sit in another subnet.
>
> For security reasons I want to move the servers into the DMZ zone. I found out that when I move the servers into the DMZ zone they are not able to communicate with active directory. This is because the domain controller is within the proper network, but the servers that need to be moved into the DMZ are servers like the Exchange and ISA servers and these servers need to communicate with active directory to function properly.
>
> What ports do I need to open on the firewall in order for the machines in the DMZ to talk to active directory effectively?
>
> Thanks