Active Directory authentication through a firewall.

We're kicking around the idea of setting up an Active Directory in a DMZ that's protected from the internet and letting some systems in another DMZ (not protected from the internet) authenticate against it.  Opening up ports between the DMZs isn't really an option as far as I've seen, because it appears you have to open everything over 1025, which I know my FW admins won't do (and I'd never ask them).

Is it possible to have them tunnel through the firewall for authentication/group policy/updates but have all other traffic go straight out to the internet?
nstd-sts Asked:
LauraEHunterMVP Commented:
Before I would allow AD auth traffic to cross my DMZ, I would deploy a dedicated AD -within- that DMZ to allow for centralized administration.  If some of my higher-level network admins needed to maintain multiple sets of credentials because I've deployed multiple AD environments, I would call that a small price to pay for network segregation.
BSonPosh Commented:
You can use an IPsec tunnel or VPN, but firewall admins hate that even more. Traffic you can't see is evil.

You can control the ports, but is this required? What kind of authentication are you looking for?
LauraEHunterMVP Commented:
> "Is it possible to have them tunnel through the firewall for authentication/group policy/updates but have all other traffic go straight out to the internet?"

This is referred to as "split-tunnelling", and your firewall admins may hate that just as much as anything else.

If this is only for auth for web-based applications, take a look at Active Directory Federated Services (ADFS) - conceptually it's like a trust relationship without opening up all of those pesky high-numbered ports.  ADFS won't help you for workstation auth, though; in that case, a site-to-site VPN is your best bet.
nstd-sts Author Commented:
So we have systems in the unprotected DMZ (and by unprotected I mean certain ports are naked to the internet, but not all) that push or pull mountains of data from remote sites.  This is about five racks of 2k/2k3 servers connected to a few terabytes of storage.  Currently we're using local authentication on each box, and administration is getting out of hand.  Too many developers with admin rights where they don't necessarily need it, too many boxes missing updates.  We'd like to put these boxes into a domain and centralize the administration.
nstd-sts Author Commented:
Ah, I see, we'd be effectively negating the firewall between the two DMZs if one of the unprotected systems got owned.
LauraEHunterMVP Commented:
Bingo.  Never underestimate what a hacker can do if given a trusted connection between machineA and machineB.  Most compromises of Active Directory don't start at the domain controller, they start at some crummy little workstation that somebody forgot to patch.
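An added example, not from this thread or any of its participants, of the check a firewall reviewer could run over a proposed inter-DMZ rule set: it separates the handful of well-known AD ports from the "everything over 1025" dynamic RPC range, and treats any allow-rule at all from the public DMZ into the AD DMZ as the trusted path the last two comments describe. The zone names, the rule format and the sample rules are assumptions constructed for the example.

```python
from dataclasses import dataclass

# Zone names and the rule format are assumptions for this example.
UNTRUSTED_ZONE = "dmz-public"   # systems with ports exposed to the internet
AD_ZONE = "dmz-ad"              # where the domain controllers would live
DYNAMIC_RPC = (1025, 65535)     # "everything over 1025" from the question
# Well-known fixed ports a domain member needs besides the dynamic RPC range.
FIXED_AD_PORTS = {53, 88, 123, 135, 389, 445, 464, 636, 3268, 3269}

@dataclass(frozen=True)
class Rule:
    src_zone: str
    dst_zone: str
    proto: str       # "tcp", "udp" or "any"
    port_lo: int
    port_hi: int
    action: str      # "allow" or "deny"

def dynamic_ports_opened(rule):
    """Number of ports in the dynamic RPC range this rule permits (0 if none)."""
    lo, hi = max(rule.port_lo, DYNAMIC_RPC[0]), min(rule.port_hi, DYNAMIC_RPC[1])
    return max(0, hi - lo + 1)

def classify(rule):
    """"fixed-ad" if the rule only covers well-known AD ports, "dynamic" with a
    port count if it reaches into the RPC range, otherwise "other"."""
    if set(range(rule.port_lo, rule.port_hi + 1)) <= FIXED_AD_PORTS:
        return "fixed-ad", 0
    n = dynamic_ports_opened(rule)
    return ("dynamic", n) if n else ("other", 0)

def audit(rules):
    """Allow-rules from the untrusted DMZ into the AD DMZ, each with its class.
    A non-empty result means a compromised public-DMZ host has a trusted path
    to the domain controllers; "dynamic" entries are the wide-open high range."""
    out = []
    for r in rules:
        if r.action == "allow" and (r.src_zone, r.dst_zone) == (UNTRUSTED_ZONE, AD_ZONE):
            kind, n = classify(r)
            out.append((r, kind, n))
    return out

# Constructed sample rule set (not a real one): narrow well-known ports next to
# the "everything over 1025" rule the question describes.
SAMPLE_RULES = [
    Rule("dmz-public", "dmz-ad", "tcp", 88, 88, "allow"),       # Kerberos
    Rule("dmz-public", "dmz-ad", "tcp", 389, 389, "allow"),     # LDAP
    Rule("dmz-public", "dmz-ad", "tcp", 445, 445, "allow"),     # SMB / group policy
    Rule("dmz-public", "dmz-ad", "tcp", 1025, 65535, "allow"),  # dynamic RPC range
    Rule("dmz-public", "dmz-ad", "tcp", 3389, 3389, "deny"),    # deny: not counted
    Rule("dmz-ad", "dmz-public", "tcp", 1025, 65535, "allow"),  # other direction
]
```

Running `audit(SAMPLE_RULES)` reports three fixed-port rules and one rule that opens 64511 dynamic ports; the deny rule and the rule in the other direction are not counted.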
nstd-sts Author Commented:
Thanks.  This should be fun.  

Our FW/network admins are rabidly anti-MS.  
Question has a verified solution.