
AD in DMZ

1,167 Views
Last Modified: 2009-12-16
Hi,

A new problem has come up that needs solving.

We have a domain that sits behind ISA, which then connects to a PIX.  There are several other servers that are connected to the PIX that form our DMZ.  We now want to put SharePoint on one of these servers.  So that we can use Windows Authentication, the server it is on needs to be a member of the internal domain. (We have looked at using Forms Authentication but it reduces functionality.)  Does anyone know the problems with extending the domain into the DMZ?  It strikes me that it is a way of getting a trust into the domain from outside ISA.  Should I set up a separate forest in the DMZ and if so how do I go about doing this?

Thank you.

Commented:
Being in the Security group I would lean towards your latter option: "Should I set up a separate forest in the DMZ and if so how do I go about doing this?"

For another forest you will need:
1) At least one machine to be the Domain Controller.
2) DNS server
3) DNS name for the domain

As for extending your domain to the DMZ... it is a big security risk, but some people do it. You accomplish this in one of two ways:
1) Set up a VPN between your servers and the DCs (this is not always good because you have unreadable traffic going through your firewall... we (firewall admins) don't like that).
2) Open the following ports inbound to the DCs:
389/636 = LDAP/LDAP_SSL
445 = SMB
135 = RPC Mapper
88 = Kerberos
53 = DNS
3268 = GC
3269 = GC SSL

Here is an article:
http://support.microsoft.com/kb/179442

Author

Commented:
Hi BSonPosh,

Thanks for your quick reply.

I have been reading up on this more and you are right, extending the domain into the DMZ does sound like a bad idea.

So does this sound like a plan?

On a server in the DMZ use DCPromo to bring it up in its own forest (then add an old computer as a second DC in the new forest for redundancy, maybe). Then set up a one-way trust in which the DMZ domain trusts the internal domain, but not the other way around. Finally, use Microsoft's Active Directory Migration Tool (ADMT) to move all the user accounts from the internal forest to the new DMZ forest; because the SIDs wouldn't change, the rights that those accounts used to have in the old configuration would remain in the new forest. Then open the ports you suggested on the firewall.

This does raise one more issue though.  When the users log into Sharepoint which domain do they use? For example:

Username: mydomain\user
or
Username: myDMZdomain\user

Cheers
Tom

Commented:
I don't believe that would work, and it isn't really that much better, because for the trust to work you still have to open the same ports, or even more, because you need them both ways.

What about a reverse proxy? If it is only for SharePoint you can keep SharePoint behind the firewalls and use a reverse proxy to get the web traffic in.

Check this out:
http://www.microsoft.com/technet/windowsserver/sharepoint/v2/revproxy.mspx

Author

Commented:
We did have SharePoint in the domain behind the firewalls but unfortunately it has been decided that it should be moved out onto an internet-facing server. Probably just to make my life difficult!

I thought you said a new forest in the DMZ would work, or were you talking about one that didn't have any trusts going back to the internal domain?

The weird thing is I tried adding the DMZ server to the domain earlier, just to see if it would work, and it did.  I hadn't changed any of the settings on ISA first.

Commented:
Curious why they decided to move it.

You were correct, I was talking about a totally isolated domain.

You may be lucky and the ports may already be open. I would suggest using PortQry to test the ports and see what you have.

Does SharePoint have all the files stored locally or does it need to get them?
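The following is an added example, not code from the original thread or from either participant: a PowerShell script that checks, from the DMZ host, the TCP ports BSonPosh listed in the first reply (389/636, 445, 135, 88, 53, 3268, 3269), in the spirit of the PortQry suggestion above. The domain controller name and the timeout are placeholders to replace; the port table is the one from the reply, and the RPC dynamic-range remark is a caveat about what a TCP connect test can and cannot prove.

```powershell
# Added example (not from the original thread). Probes the TCP ports a DMZ
# member server needs to reach a domain controller, using the port list from
# the reply above. Run it on the DMZ host so the probes cross the same
# firewall path (PIX / ISA) that domain traffic would take.
param(
    [string]$DomainController = 'dc01.corp.example',   # placeholder, replace
    [int]$TimeoutMs = 2000                              # placeholder, tune
)

# Port table taken from the reply above. DNS (53), Kerberos (88) and LDAP (389)
# are also used over UDP, which a TCP connect test does not exercise;
# PortQry (portqry -n <dc> -p udp -e 88) covers those.
$Ports = @(
    @{ Port = 53;   Name = 'DNS' },
    @{ Port = 88;   Name = 'Kerberos' },
    @{ Port = 135;  Name = 'RPC endpoint mapper' },
    @{ Port = 389;  Name = 'LDAP' },
    @{ Port = 445;  Name = 'SMB' },
    @{ Port = 636;  Name = 'LDAP over SSL' },
    @{ Port = 3268; Name = 'Global Catalog' },
    @{ Port = 3269; Name = 'Global Catalog over SSL' }
)

function Test-DcPort {
    param([string]$Target, [int]$Port, [int]$TimeoutMs)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $ar = $client.BeginConnect($Target, $Port, $null, $null)
        # No SYN/ACK or RST inside the timeout usually means a firewall is
        # silently dropping the packet rather than the service being absent.
        if (-not $ar.AsyncWaitHandle.WaitOne($TimeoutMs, $false)) {
            return 'FILTERED (no response within timeout)'
        }
        $client.EndConnect($ar)   # throws if the connection was refused
        return 'OPEN'
    } catch {
        # Refused connection or name-resolution failure
        return "CLOSED ($($_.Exception.Message))"
    } finally {
        $client.Close()
    }
}

$results = foreach ($p in $Ports) {
    [pscustomobject]@{
        Port    = $p.Port
        Service = $p.Name
        Result  = Test-DcPort -Target $DomainController -Port $p.Port -TimeoutMs $TimeoutMs
    }
}
$results | Format-Table -AutoSize

# Caveat: port 135 is only the RPC endpoint mapper. Domain join, replication
# and other RPC-based operations then move to a dynamic high port, so an OPEN
# result on 135 alone does not prove those operations will complete. The
# KB article linked in the reply above (kb/179442) covers that dynamic range.
```

Run it as a script file rather than pasting it into an interactive session so the `param()` block takes effect. A FILTERED result on every port is consistent with the firewall doing its job; an OPEN result on all of them from the DMZ is what the author observed when the test join succeeded, and is exactly the exposure the thread is weighing.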

Author

Commented:
Apparently it needed rebuilding anyway and as it's webfacing and runs code I think they see it as another source of entry.

If I did set up an isolated domain then every user would need a second logon and password I guess, unless there is a way of copying them without a trust.

SharePoint uses SQL Server which I think is going to be moved outside as well.  Otherwise there would still be a route back in.

I'm not going to be contactable for the next couple of days as I'll be on a dive boat (can't wait) but will pick up this problem when I get back.  Thanks for your help so far.

Author

Commented:
Thanks BSonPosh,

Will see what I can do about keeping it inside, otherwise will try a DC in the DMZ.

Cheers

Tom