Advertisement

04.01.2008 at 11:09AM PDT, ID: 23286694
[x]
Attachment Details

Looking for a step by step how to for using D LDS or AD FS in DMZ

Asked by 4mrhodes in Active Directory, Networking Hardware Firewalls, MS Internet Security & Accel

I use to have a DMZ but we opened so mony holes it didn't make since.  I am now in the process or going back to having a DMZ.  I welcome comments on the need for a DMZ (pro or con)

The new DMZ will be built on a single physical Windows 2008 Server with multiple VMs running in Hyper-V.
It will have Exchange Edge Transport (which uses AD LDS (the new ADAM) to communicate with the Hub Transport on LAN - but I don't know if this AD LDS will handle other application authentications (I don't really have a good grip on ADAM or AD LDS).  IIS 7, WSS v3, MOSS, and ColdFusion 8 - all of which will need authentication against current AD - my ColdFusion apps use a deprecated tag (cfntauthenication) that basically LDAPS the AD for user credentials over port 339 - I could open the port but wonder if AD FS or AD LDS was a more secure route) and a SQL 2005 server that supports the web applications.

So I am looking fo a good step-by-step deployment guide - or some detail (don't under estimate my ignorance) pointers on what to do - or possible a good argument for why a DMZ is not necessary.

DMZ is accessed off multi-port Astaro 220 firewall  - no ISA server

Start Free Trial
 
Keywords: Looking for a step by step how to for u…
Title
1 ISA 2006 ON DMZ
2 AD in DMZ
3 configure ISA server in the DMZ
4 isa ldap integration
5 Forwarding ports from DMZ to Internal …
6 Setup OWA in PIX DMZ
 
Loading Advertisement...
 
[+][-]04.02.2008 at 05:20AM PDT, ID: 21262200

At Experts Exchange, members can ask their questions to thousands of technology professionals, also known as Experts. Experts compete and collaborate to answer those questions by leaving comments like this one.

Start your 7-day free trial to view this Expert Comment or ask the Experts your question.

 
[+][-]04.02.2008 at 12:06PM PDT, ID: 21266299

Often, when Experts are collaborating with members who have asked questions, they will request additional information about the problem. Askers respond with an author comment like this one.

Start your 7-day free trial to view this Author Comment or ask the Experts your question.

 
[+][-]04.03.2008 at 09:40AM PDT, ID: 21274383

View this solution now by starting your 7-day free trial. Setting up your free trial is quick, easy, and secure. We will return you to this solution, unlocked, when you're done.

 

About this solution

Zones: Active Directory, Networking Hardware Firewalls, MS Internet Security & Accel
Sign Up Now!
Solution Provided By: nfmartins
Participating Experts: 1
Solution Grade: B
 
 
 
Loading Advertisement...
Microsoft
  • Internet Protocols
  • Applications
  • Development
  • OS
  • Hardware
  • Windows Security
Apple
  • Operating Systems
  • Hardware
  • Programming
  • Networking
  • Software
Internet
  • Search Engines
  • File Sharing
  • WebTrends / Stats
  • Spy / Ad Blockers
  • Web Browsers
  • New Net Users
  • Web Development
  • Chat / IM
  • Anti Spam
  • Web Servers
  • Anti-Virus
  • Email Clients
Gamers
  • Tips
  • Online / MMORPG
  • Puzzle
  • Emulators
  • Action / Adventure
  • Role Playing
  • Consoles
  • Game Programming
  • Strategy
  • Sports
  • Misc
  • Computer Games
Digital Living
  • Hardware
  • Automotive
  • New Net Users
  • New Users
  • Software
  • Digital Music
  • Gaming World
  • Home Security
  • Apple
  • Networking Hardware
Virus & Spyware
  • Vulnerabilities
  • IDS
  • Encryption
  • Anti-Virus
  • Operating Systems Security
  • Software Firewalls
  • WebApplications
  • Cell Phones
  • Operating Systems
  • Internet
  • Hardware Firewalls
Hardware
  • Displays / Monitors
  • Handhelds / PDAs
  • Components
  • Peripherals
  • Laptops/Notebooks
  • Servers
  • Misc
  • Apple
  • Embedded Hardware
  • Networking Hardware
  • Storage
  • Desktops
  • New Users
Software
  • System Utilities
  • Industry Specific
  • Network Management
  • Photos / Graphics
  • Page Layout
  • VMware
  • Misc
  • Web Development
  • OS
  • CYGWIN
  • Voice Recognition
  • Virtualization
  • Message Queue
  • Quality Assurance
  • Security
  • Firewalls
  • MultiMedia Applications
  • Development
  • Database
  • Office / Productivity
  • Business Management
  • OS/2 Apps
  • Server Software
  • Internet / Email
ITPro
  • OS
  • Storage
  • Encryption
  • Operating Systems Security
  • Apple Hardware
  • Laptops & Notebooks
  • Servers
  • Networking Hardware
  • Peripherals
  • Devices
  • Displays / Monitors
  • WebTrends / Stats
  • Search Engines
  • Firewalls
  • Web Computing
  • WebApplications
  • IDS
  • Vulnerabilities
  • Email Clients
  • File Sharing
  • Spy / Ad Blockers
  • Web Browsers
  • Web Servers
  • Networking
  • Anti-Virus
  • Consulting
  • Chat / IM
  • Anti Spam
Developer
  • Web Servers
  • Web Browsers
  • Game Programming
  • Dev Tools
  • Industry Specific
  • Office / Productivity
  • Database
  • CYGWIN
  • Web Development
  • Search Engines
  • File Sharing
  • WebTrends / Stats
  • Programming
  • Content Management
  • Application Servers
  • Protocols
Storage
  • Removable Backup Media
  • Storage Technology
  • Servers
  • Grid
  • Remote Access
  • Backup / Restore
  • Misc
  • Hard Drives
OS
  • Miscellaneous
  • Security
  • Development
  • Linux
  • VMware
  • MainFrame OS
  • Unix
  • Apple
  • OS / 2
  • AS / 400
  • BeOS
  • Microsoft
  • VMS / OpenVMS
Database
  • Oracle
  • Miscellaneous
  • MySQL
  • Software
  • Sybase
  • Contact Management
  • PostgreSQL
  • Data Manipulation
  • Clarion
  • InterSystems Cache
  • Siebel
  • MUMPS
  • OLAP
  • SQLBase
  • SAS
  • GIS & GPS
  • 4GL
  • Berkeley DB
  • DB2
  • Informix
  • Interbase / Firebird
  • FoxPro
  • Reporting
  • LDAP
  • Filemaker Pro
  • MS SQL Server
  • dBase
  • MS Access
Security
  • Misc
  • Web Browsers
  • Software Firewalls
  • Operating Systems Security
  • File Sharing
  • Spy / Ad Blockers
  • Vulnerabilities
  • WebApplications
  • IDS
  • Anti-Virus
  • Encryption
  • Anti Spam
  • Email Clients
  • VPN
  • Chat / IM
Programming
  • Editors IDEs
  • Installation
  • Handhelds / PDAs
  • Multimedia Programming
  • System / Kernel
  • Automation
  • Algorithms
  • Game
  • Signal Processing
  • Project Management
  • Open Source
  • Database
  • Misc
  • Languages
  • Processor Platforms
  • Theory
Web Development
  • Scripting
  • Blogs
  • Web Servers
  • Software
  • Search Engines
  • Web Graphics
  • Web Services
  • Images
  • Internet Marketing
  • Images and Photos
  • Components
  • Document Imaging
  • Web Languages/Standards
  • Illustration
  • WebApplications
  • Fonts
  • WebTrends / Stats
  • Authoring
  • Digital Camera Software
  • Miscellaneous
Networking
  • Protocols
  • Apple Networking
  • Network Management
  • Message Queue
  • Application Servers
  • Content Management
  • File Servers
  • Email Servers
  • Misc
  • Java Editors & IDEs
  • Wireless
  • Networking Hardware
  • Backup / Restore
  • System Utilities
  • ISPs & Hosting
  • Web Servers
  • Storage Technology
  • Removable Backup Media
  • Servers
  • Web Computing
  • Broadband
  • Grid
  • OS / 2
  • Novell Netware
  • Unix Networking
  • Windows Networking
  • Security
  • Telecommunications
  • Operating Systems
  • Linux Networking
Other
  • Lounge
  • Business Travel
  • Community Support
  • New Net Users
  • Philosophy / Religion
  • Math / Science
  • Miscellaneous
  • URLs
  • Expert Lounge
  • Politics
  • Puzzles / Riddles
  • Automotive
Community Support
  • Suggestions
  • New to EE
  • New Topics
  • CleanUp
  • Announcements
  • General
  • Feedback
  • Input
  • EE Bugs
 
04.02.2008 at 05:20AM PDT, ID: 21262200
nfmartins:
Hi,
Here are some tips:
How To: Use ADAM for Roles in ASP.NET 2.0
http://msdn2.microsoft.com/en-us/library/ms998331.aspx

Application Integration with Windows Directory Services (You need to search in the link about this subject)
http://www.microsoft.com/technet/security/guidance/identitymanagement/idmanage/P3Intran_1.mspx?mfr=true

Edge Server on DMZ (You need to search about this subject in the  link)
http://technet.microsoft.com/en-us/library/aa996562(EXCHG.80).aspx

NM
 
04.02.2008 at 12:06PM PDT, ID: 21266299
4mrhodes:
Thank you nfmartins.  I read through the links (skim).  I have a big question I need to answer before i can move forward- one I keep coming back to - even though i now believe i have a very good grasp on how to implement the DMZ - and that is

Do I really need a DMZ?
I will have to read more, but the Application Integration with Windows Directory Services link you gave me further pushes me to getting away from the DMZ all together.  

Here are my thoughts - help me with the flaws.

Windows Server 2008 is much more secure than the NT Servers of 'Have to have DMZ' past.

Most of my applications will run in a VM on a 2008 server - with software firewalls (Windows) on that server - and a fairly decent hardware firewall (Astaro 220) between Public and Private.

If I got the 'jist' of Application Integration with Windows Directory Services i could also deploy this on the private network to further strengthen the control and security of what internal clients could access.

 I first looked at putting in the perimeter netwrok when I deployed Exchange 2007 - since Edge Transport requires (ok strongly suggests) a perimeter network - but Hub Transport can take on most of the roles of Edge Transport - and our firewall already handles the rest (SMTP, VIRUS, SPAM, ETC filtering)

Should I just keep things simple and avoid deploying a perimeter network - am I missing something on the security risk i will be facing?
 
04.03.2008 at 09:40AM PDT, ID: 21274383
nfmartins:
Hi,
Here´s my opinion About the DMZ subject.

First of All what is a DMZ?
DMZ is short for DeMilitarized Zone. In military jargon, a DMZ is an area of land that serves as a buffer between two enemies. The most well known DMZ in the world is the DMZ that protects South Korea from North Korea.In network security jargon, a DMZ is a network that serves as a buffer between a secure protected internal network and the insecure Internet.A DMZ usually contains servers which provide services to users from the Internet, such as web, ftp, email (SMTP, POP3 and IMAP4), and DNS servers. Although these servers must be open to limited access from the Internet, they should also be protected by a firewall.
The term Perimeter Network is also used to describe a DMZ.
My opinion.
For security  reasons everyone (IT SPEAKING), needs a DMZ. Why? Because you should not put in risk our beloved internal network with external services. For example if someone that as nothing better to do then to attack a Internet Site, should not be able to damage the internal network.

But let´s face it, 90% of the company´s uses the DMZ to put OWA, HTTPS/RPC,ACTIVESYNC and the mail relay server (Exchange 2007 Speaking Edge Server). So what is the real benefit?

OWA  If use 443 https, secure connections (Attack probability of success 3 to 4%)
HTTPS/RPC  You use the same door as OWA 443 (Attack Probability 3 to 4%)
ActiveSync  If use Certificates to validate (Attack Probability 2 to 3%)
Relay Server  This one is different here you can have a lot of problems (Virus, Hacks etc. etc. etc.), 90% of the attacks made to this server the result is Server Down .

So my opinion for your situation for the moment is : keep it simple and working, when you have everything working as you want then try to implement this solution on the DMZ.
I think no one can advise you to give up on a DMZ, the simple fact of separate our internal network with our Public Network in term of loads should be enough to do it.
The security measures are the most important of all things. But the security that isa can provide by using secure nat, SSL tunnels from the isa to the target machine should be enough for you to start up with Security .

Accepted Solution
 
 
20080716-EE-VQP-32 / EE_QW_2_20070628