Why Server in DMZ can't join domain (DC in Internal) in 3-leg network?
View my attachment for more information about my network.
I have configured ISA Server 2006 as standalone server (not joined domain). To communicate between all network, I open LDAP ports (all about LDAP).
ISA Server has recognized LDAP users from DC. Here is all rules I have configured in ISA server:
[rule name] ; [Action] ; [Protocol] ; [From] ; [To] ; [Condition]
1. Allow Ping ; Allow ; PING ; Internal, Perimeter, VPN Clients; External, Localhost, Perimeter, Internal; All Users
2. Allow LDAP; Allow, LDAP, LDAP (UDP), LDAP GC, LDAPS, LDAPS GC; Internal, Perimeter, VPN Clients; Localhost; All users
3. Web Access Only; Allow; FTP, HTTP, HTTPS; Internal, VPN Clients; External, Perimeter; All users
4. VPN clients to Internal; Allow; All outbound; VPN Clients; Internal; All users
5. Allow DNS; Allow; DNS; Internal, VPN Clients; Perimeter, External; All users
I have configured one more rule to test like that:
6. test; Allow; All outbound; Perimeter; Internal, Localhost; All users
So my trouble is Server in DMZ can't join domain, can not ping to SV1 (DC)...
Because i want to create Mail Exchange 2007 Server in DMZ, and it must joined domain to continue install process.
I guess servers in DMZ can't recognize SV1 in Internal because they don't have DNS to know who is SV1, but why I can't ping to sv1? How can I configured to let servers in DMZ communicate with DC in Internal?
Please help me.
Topology-3.png
I have configured ISA Server 2006 as standalone server (not joined domain). To communicate between all network, I open LDAP ports (all about LDAP).
ISA Server has recognized LDAP users from DC. Here is all rules I have configured in ISA server:
[rule name] ; [Action] ; [Protocol] ; [From] ; [To] ; [Condition]
1. Allow Ping ; Allow ; PING ; Internal, Perimeter, VPN Clients; External, Localhost, Perimeter, Internal; All Users
2. Allow LDAP; Allow, LDAP, LDAP (UDP), LDAP GC, LDAPS, LDAPS GC; Internal, Perimeter, VPN Clients; Localhost; All users
3. Web Access Only; Allow; FTP, HTTP, HTTPS; Internal, VPN Clients; External, Perimeter; All users
4. VPN clients to Internal; Allow; All outbound; VPN Clients; Internal; All users
5. Allow DNS; Allow; DNS; Internal, VPN Clients; Perimeter, External; All users
I have configured one more rule to test like that:
6. test; Allow; All outbound; Perimeter; Internal, Localhost; All users
So my trouble is Server in DMZ can't join domain, can not ping to SV1 (DC)...
Because i want to create Mail Exchange 2007 Server in DMZ, and it must joined domain to continue install process.
I guess servers in DMZ can't recognize SV1 in Internal because they don't have DNS to know who is SV1, but why I can't ping to sv1? How can I configured to let servers in DMZ communicate with DC in Internal?
Please help me.
Topology-3.png
The most likely reason why you cannot join the domain is NOT because of DNS but because FW1 cannot see SV1. This is a networking problem. Both FW1 and SV1 have a subnet of 255.255.255.0 and fw1 is on 192.168.3.0 and SV1 is on 192.168.2.0 i.e two different networks. Is the device between the two a router. Has this been configured to allow traffic between the two networks?
> Because i want to create Mail Exchange 2007 Server in DMZ, and it must joined domain
> to continue install process.
Hmm I recommend you do not do this. It doesn't give you any additional security while adding a great deal of complication.
The thing is, you need so much open for Exchange to talk to AD that isolating the Exchange Server in the DMZ doesn't really improve security. Bear in mind that we must include RPC as well as services like MAPI for clients.
You would be better using a Proxy Server (like ISA Server) to publish OWA and any other public services from the private network (in my opinion).
Chris
Please ignore my comment - just had a proper look at your diagram :)
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.