Protecting the Windows domain from outside intruders

Posted on 2006-11-07
Last Modified: 2010-08-05
Hi,

Suppose I have a domain called XXXX.com

This domain has many things running on it such as:
- Domain controller (we'll call the server "Domain")
- Microsoft Exchange Server (we'll call the server "Exchange")
- Intranet Application (we'll call the server "Intranet")

Obviously, the Intranet application has to be accessible to the outside net. Though, I need to secure the Domain and Exchange servers from outside access. That is, I would like to be able to remote desktop into these servers from anywhere, but without someone outside of my organization being able to remote into them. I don't even want outsiders to have the possibility to get to the login screen.

Note that all these servers are behind a firewall.

Can someone please give me a robust solution for this problem?
Question by:alateos
11 Comments
 
LVL 7

Expert Comment

by:MessHallMan
ID: 17890304
It sounds like you will need a VPN solution on your network.  There are many different ones available, such as Juniper, Checkpoint Connectra, Cisco Client or Clientless, Nokia.  I personally like the Checkpoint Connectra option.
0
 
LVL 2

Expert Comment

by:sscuser
ID: 17890542
The best solution...IMO

Create a translation in your firewall allowing connection to your INTRANET server, be sure to restrict your connection via the specific port the app needs.  You don't need to open any other ports on the firewall which would subject your other servers to outside connections.

Also, hopefully your app requires a secondary login for an added layer of security.

0
 

Author Comment

by:alateos
ID: 17890632
sscuser, how can I achieve a secondary login?
0
 
LVL 32

Accepted Solution

by:
rsivanandan earned 750 total points
ID: 17890839
One of the best things out there now is SSL gateways. For example, an SSL gateway along with RSA authentication makes the authentication double.

1. First, the user connects from the Internet to the SSL gateway.
2. He authenticates to the SSL gateway using his user ID and RSA token ID, which is randomly generated.
3. Then he is admitted to the network.
4. From there, if he wants to access an internal machine, he needs to input his domain username/password to access it.

Juniper has a good solution for it and are the leaders now. #1 in the market.

Also you didn't mention what kind of firewall you have.

Cheers,
Rajesh
0
 

Author Comment

by:alateos
ID: 17890940
I have a SonicWall firewall. Where would I install this SSL gateway, between the firewall and the net? Also, is this SSL gateway a combination of hardware and software?
0
 
LVL 32

Expert Comment

by:rsivanandan
ID: 17891036
You can place it after or behind the firewall.

Is the SSL gateway (it is actually an SSL VPN solution, clientless) from Juniper a hardware and software combination? Yes.

Check it out at www.juniper.net

Cheers,
Rajesh
0
 

Author Comment

by:alateos
ID: 17891913
I just went through the Juniper demo... looks like a great solution. I didn't understand one thing though. When the users connect, what kind of client interface do they use? For my other clients, I have used the Cisco VPN client application. So I'm just wondering what they would need to use in this case.
0
 
LVL 3

Expert Comment

by:maharlika
ID: 17893655
You can use the SonicWall Global VPN Client.  Once authenticated by the SonicWall, they can use Remote Desktop or whatever other apps you have approved for them, and given them a user name and password from Active Directory, to access the computers on the network.
0
 

Author Comment

by:alateos
ID: 17893670
I see, maharlika. So I just enable the VPN capability on the SonicWall firewall? Do I need to install additional software on the client side, such as Cisco's VPN client?
0
 
LVL 32

Expert Comment

by:rsivanandan
ID: 17894959
For the Juniper SSL VPN, you connect to your network using any standard browser (that is why it is an SSL VPN solution).

Cheers,
Rajesh
0
 
LVL 38

Expert Comment

by:Rich Rumble
ID: 17894980
Typically, most network setups are as follows.
Internet->firewall->router->switches->servers/users
The firewall typically allows only certain ports in to certain hosts, like ports for your email servers and web servers. Almost always, every host behind the firewall is allowed out to the Internet unrestricted, as they are the more trustworthy devices; they're yours, inside your network. So your intranet server will likely have no problems getting out to the Internet/web. No one will be able to go from the outside (web) to the inside (LAN) to reach your intranet server unless you allow them to in the firewall.
You can use the Cisco VPN client to access a VPN endpoint on a router, firewall or dedicated VPN device, aka a VPN concentrator or VPN server.
Depending on your firewall, it may have the VPN ability currently. SonicWall also has their own client, and many others, such as Cisco's, can connect to it.
http://www.sonicwall.com/products/vpnapp.html
http://www.sonicwall.com/applications/vpn.html

There are free VPN servers available also on the Linux platform and other *nix OSes, but the commercial vendors like Juniper, Cisco, SonicWall, Netgear, Linksys, 3Com, Symantec, and more... are a bit easier and take less training for all involved.
-rich
0
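
The perimeter policy the replies above converge on (publish only the Intranet application's port, keep Remote Desktop reachable only after VPN authentication) can be checked mechanically. This is an added example, not part of any post in the thread; the rule format, the zone names and port 443 for the Intranet application are assumptions.

```python
# Constructed perimeter policy for the thread's three servers; names, zones,
# and port numbers are assumptions for illustration, not a SonicWall export.
from dataclasses import dataclass

RDP = 3389
ANY = "any"

@dataclass(frozen=True)
class Rule:
    src_zone: str      # "WAN", "VPN" or ANY
    dst_host: str      # server name or ANY
    port: object       # TCP port number or ANY
    action: str        # "allow" or "deny"

def decide(rules, src_zone, dst_host, port):
    """First matching rule wins; no match means the implicit default deny."""
    for r in rules:
        if (r.src_zone in (ANY, src_zone) and r.dst_host in (ANY, dst_host)
                and r.port in (ANY, port)):
            return r.action
    return "deny"

def audit(rules, hosts, app_host="Intranet", app_port=443):
    """List every way the policy departs from the thread's requirement."""
    findings = []
    for host in hosts:
        for port in (RDP, app_port):
            wan = decide(rules, "WAN", host, port)
            published = (host == app_host and port == app_port)
            if wan == "allow" and not published:
                findings.append(f"WAN can reach {host}:{port}")
            if published and wan != "allow":
                findings.append(f"{host}:{port} is not published to WAN")
        if decide(rules, "VPN", host, RDP) != "allow":
            findings.append(f"VPN users cannot RDP to {host}")
    return findings

HOSTS = ["Domain", "Exchange", "Intranet"]
GOOD = [
    Rule("WAN", "Intranet", 443, "allow"),   # the one published service
    Rule("VPN", ANY, RDP, "allow"),          # RDP only after VPN authentication
]
# A common mistake: a leftover port-forward for "temporary" remote admin.
BAD = [Rule("WAN", "Exchange", RDP, "allow")] + GOOD

if __name__ == "__main__":
    for name, policy in (("GOOD", GOOD), ("BAD", BAD)):
        print(name, audit(policy, HOSTS) or "meets the requirement")
```

Because evaluation is first-match, the stray forward in `BAD` exposes the Exchange login screen to the Internet even though the intended rules follow it.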
