Solved

Active Directory authentication through a firewall.

Posted on 2007-09-28
5,291 Views
Last Modified: 2011-09-20
We're kicking around the idea of setting up an Active Directory in a DMZ that's protected from the internet and letting some systems in another DMZ (not protected from the internet) authenticate against it.  Opening up ports between the DMZs isn't really an option as far as I've seen, because it appears you have to open everything over 1025, which I know my FW admins won't do (and I'd never ask them).

Is it possible to have them tunnel through the firewall for authentication/group policy/updates but have all other traffic go straight out to the internet?
Question by:nstd-sts
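The premise in the question, that a domain member behind a firewall needs "everything over 1025" open to its domain controller, comes from the RPC dynamic port range a DC hands out through the endpoint mapper (1025-5000 by default on Windows 2000/2003, 49152-65535 on 2008 and later). Microsoft documents registry settings that pin those endpoints to fixed ports so the firewall rule set becomes a short list. The script below is an added example for this editorial pass, not code from the thread or from its participants; the port numbers 50000-50002 and the range 50000-50100 are arbitrary choices made for the example, and it assumes it is run elevated on the DC (the DC must be rebooted before the pinned ports take effect).

```powershell
# Added example: pin a domain controller's RPC endpoints so a DMZ firewall can
# allow a handful of ports instead of the whole dynamic range.
# Registry settings per Microsoft KB 224196 (NTDS), KB 319553 (FRS) and
# KB 154596 (machine-wide RPC range). Port values below are example choices.

$NtdsPort     = 50000          # AD replication / directory RPC interface
$NetlogonPort = 50001          # Netlogon RPC interface
$FrsPort      = 50002          # FRS (SYSVOL replication, DC-to-DC only)
$RpcRange     = '50000-50100'  # range left for any other RPC server on the box

function Set-RegValue($Path, $Name, $Value, $Type) {
    # Create the key if missing, then write (or overwrite) the value with an explicit type.
    if (-not (Test-Path $Path)) { New-Item -Path $Path -Force | Out-Null }
    New-ItemProperty -Path $Path -Name $Name -Value $Value -PropertyType $Type -Force | Out-Null
}

# 1. Pin the Active Directory (NTDS) RPC endpoint.
Set-RegValue 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters' 'TCP/IP Port' $NtdsPort 'DWord'
# 2. Pin the Netlogon RPC endpoint.
Set-RegValue 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters' 'DCTcpipPort' $NetlogonPort 'DWord'
# 3. Pin the FRS RPC endpoint (only matters between DCs).
Set-RegValue 'HKLM:\SYSTEM\CurrentControlSet\Services\NTFRS\Parameters' 'RPC TCP/IP Port Assignment' $FrsPort 'DWord'
# 4. Constrain the remaining dynamic RPC range machine-wide.
$rpc = 'HKLM:\SOFTWARE\Microsoft\Rpc\Internet'
Set-RegValue $rpc 'Ports'                  @($RpcRange) 'MultiString'
Set-RegValue $rpc 'PortsInternetAvailable' 'Y'          'String'
Set-RegValue $rpc 'UseInternetPorts'       'Y'          'String'

# The rule set the DMZ members then need towards this DC, in a form the
# firewall team can review. Fixed ports are the standard AD client ports;
# the last three rows are the values pinned above.
$rules = @(
    @{ Port = '53';   Proto = 'TCP/UDP'; Purpose = 'DNS' },
    @{ Port = '88';   Proto = 'TCP/UDP'; Purpose = 'Kerberos' },
    @{ Port = '123';  Proto = 'UDP';     Purpose = 'NTP (Kerberos clock skew)' },
    @{ Port = '135';  Proto = 'TCP';     Purpose = 'RPC endpoint mapper' },
    @{ Port = '389';  Proto = 'TCP/UDP'; Purpose = 'LDAP' },
    @{ Port = '445';  Proto = 'TCP';     Purpose = 'SMB (Group Policy, SYSVOL)' },
    @{ Port = '464';  Proto = 'TCP/UDP'; Purpose = 'Kerberos password change' },
    @{ Port = '636';  Proto = 'TCP';     Purpose = 'LDAPS' },
    @{ Port = '3268'; Proto = 'TCP';     Purpose = 'Global Catalog LDAP' },
    @{ Port = "$NtdsPort";     Proto = 'TCP'; Purpose = 'AD RPC (pinned)' },
    @{ Port = "$NetlogonPort"; Proto = 'TCP'; Purpose = 'Netlogon RPC (pinned)' },
    @{ Port = $RpcRange;       Proto = 'TCP'; Purpose = 'Other RPC (pinned range)' }
)
$rules | ForEach-Object { New-Object PSObject -Property $_ } | Format-Table Port, Proto, Purpose -AutoSize
```

After the reboot, `netstat -ano` on the DC should show lsass.exe listening on the pinned ports and nothing in the old dynamic range, and an `rpcdump`-style query against port 135 from a DMZ host is the quick check that the endpoint mapper is advertising them. Pinning ports only shrinks the firewall rule set; it does nothing about the trust problem raised later in the thread: any DMZ member that can reach those ports is a member of the domain, and a compromised one carries its machine account and cached credentials straight through the firewall.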
7 Comments
LVL 18

Expert Comment

by:BSonPosh
ID: 19982213
You can use an IPsec tunnel or VPN, but firewall admins hate that even more. Traffic you can't see is evil.

You can control the ports, but is this required? What kind of authentication are you looking for?
LVL 30

Expert Comment

by:LauraEHunterMVP
ID: 19982249
> "Is it possible to have them tunnel through the firewall for authentication/group policy/updates but have all other traffic go straight out to the internet?"

This is referred to as "split-tunnelling", and your firewall admins may hate that just as much as anything else.

If this is only for auth for web-based applications, take a look at Active Directory Federation Services (ADFS) - conceptually it's like a trust relationship without opening up all of those pesky high-numbered ports.  ADFS won't help you for workstation auth, though; in that case a site-to-site VPN is your best bet.
LVL 1

Author Comment

by:nstd-sts
ID: 19982275
So we have systems in the unprotected dmz (and by unprotected I mean certain ports are naked to the internet but not all) that push or pull mountains of data from remote sites.  This is about five racks of 2k/2k3 servers connected to a few terabytes of storage.  Currently we're using local authentication on each box and administration is getting out of hand.  Too many developers with admin rights where they don't necessarily need it, too many boxes missing updates.  We'd like to put these boxes into a domain and centralize the administration.
LVL 30

Accepted Solution

by:LauraEHunterMVP (earned 2000 total points)
ID: 19982292
Before I would allow AD auth traffic to cross my DMZ, I would deploy a dedicated AD -within- that DMZ to allow for centralized administration.  If some of my higher-level network admins needed to maintain multiple sets of credentials because I've deployed multiple AD environments, I would call that a small price to pay for network segregation.
LVL 1

Author Comment

by:nstd-sts
ID: 19982306
Ah, I see, we'd be effectively negating the firewall between the two dmz's if one of the unprotected systems got owned.
LVL 30

Expert Comment

by:LauraEHunterMVP
ID: 19982430
Bingo.  Never underestimate what a hacker can do if given a trusted connection between machineA and machineB.  Most compromises of Active Directory don't start at the domain controller, they start at some crummy little workstation that somebody forgot to patch.
LVL 1

Author Comment

by:nstd-sts
ID: 20037153
Thanks.  This should be fun.  

Our FW/network admins are rabidly anti-MS.  