nstd-sts
asked on
Active Directory authentication through a firewall.
We're kicking around the idea of setting up an Active Directory in a DMZ that's protected from the internet and letting some systems in another DMZ (not protected from the internet) authenticate against it. Opening up ports between the DMZs isn't really an option as far as I've seen, because it appears you have to open everything over 1025, which I know my fw admins won't do (and I'd never ask them).
Is it possible to have them tunnel through the firewall for authentication/group policy/updates but have all other traffic go straight out to the internet?
> "Is it possible to have them tunnel through the firewall for authentication/group policy/updates but have all other traffic go straight out to the internet?"
This is referred to as "split-tunnelling", and your firewall admins may hate that just as much as anything else.
If this is only for auth for web-based applications, take a look at Active Directory Federated Services (ADFS) - conceptually it's like a trust relationship without opening up all of those pesky high-numbered ports. ADFS won't help you for workstation auth, though; in that case a site-to-site VPN is your best bet.
ASKER
So we have systems in the unprotected dmz (and by unprotected I mean certain ports are naked to the internet but not all) that push or pull mountains of data from remote sites. This is about five racks of 2k/2k3 servers connected to a few terabytes of storage. Currently we're using local authentication on each box and administration is getting out of hand. Too many developers with admin rights where they don't necessarily need it, too many boxes missing updates. We'd like to put these boxes into a domain and centralize the administration.
ASKER
Ah, I see, we'd be effectively negating the firewall between the two dmz's if one of the unprotected systems got owned.
Bingo. Never underestimate what a hacker can do if given a trusted connection between machineA and machineB. Most compromises of Active Directory don't start at the domain controller, they start at some crummy little workstation that somebody forgot to patch.
ASKER
Thanks. This should be fun.
Our FW/network admins are rabidly anti-MS.
You can control the ports, but is this required? What kind of authentication are you looking for?
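As an added example (not from the thread or any of its participants), here is a PowerShell check a defender could run from a DMZ member to see which of the standard Active Directory ports the firewall actually passes to the DC, with a note on the dynamic RPC range behind the "everything over 1025" complaint. It assumes a hypothetical DC name, a Windows 8 / Server 2012 or later host (for Test-NetConnection), and tests TCP only; DNS and Kerberos also use UDP.

```powershell
# Added example, not code from the thread. Hostname and flags are assumptions.
param(
    [string]$DomainController = 'dc01.corp.example',   # hypothetical DC name
    [switch]$LegacyRpcRange                             # set for 2000/2003-era DCs
)

# Well-known AD ports a domain member needs to reach on a DC (TCP unless noted).
$RequiredPorts = @(
    @{ Port = 53;   Service = 'DNS' },
    @{ Port = 88;   Service = 'Kerberos' },
    @{ Port = 135;  Service = 'RPC endpoint mapper' },
    @{ Port = 389;  Service = 'LDAP' },
    @{ Port = 445;  Service = 'SMB (SYSVOL, Group Policy)' },
    @{ Port = 464;  Service = 'Kerberos password change' },
    @{ Port = 636;  Service = 'LDAPS' },
    @{ Port = 3268; Service = 'Global Catalog' }
)

# Probe each port and report whether the TCP handshake completed.
function Test-AdPortPath {
    param([string]$Server, [array]$Ports)
    foreach ($p in $Ports) {
        $r = Test-NetConnection -ComputerName $Server -Port $p.Port -WarningAction SilentlyContinue
        [pscustomobject]@{
            Port      = $p.Port
            Service   = $p.Service
            Reachable = $r.TcpTestSucceeded
        }
    }
}

Test-AdPortPath -Server $DomainController -Ports $RequiredPorts | Format-Table -AutoSize

# The "everything over 1025" problem: RPC-based services (Netlogon, FRS/DFSR,
# replication) negotiate a port from the dynamic range after the endpoint
# mapper exchange on 135. Windows 2000/2003 use 1025-5000; Vista/2008 and later
# use 49152-65535. On 2008+ the DC's range can be narrowed so the firewall rule
# covers far fewer ports, for example:
#   netsh int ipv4 set dynamicport tcp start=49152 num=1024
$rpcRange = if ($LegacyRpcRange) { '1025-5000' } else { '49152-65535' }
Write-Host "Firewall must also allow TCP 135 plus the dynamic RPC range $rpcRange from the member to the DC."

# Even a minimal rule set still gives a compromised DMZ host a path to the DC,
# which is the risk raised above; a site-to-site VPN or ADFS limits that
# exposure rather than widening the firewall.
```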