Solved

Why Server in DMZ can't join domain (DC in Internal) in 3-leg network?

Posted on 2008-09-29
Last Modified: 2013-12-24
View my attachment for more information about my network.

I have configured ISA Server 2006 as a standalone server (not joined to the domain). To allow communication between all networks, I opened the LDAP ports (all LDAP-related ports).
ISA Server has recognized LDAP users from the DC. Here are all the rules I have configured in ISA Server:

[rule name] ; [Action] ; [Protocol] ; [From] ; [To] ; [Condition]
1. Allow Ping ; Allow ; PING ; Internal, Perimeter, VPN Clients; External, Localhost, Perimeter, Internal; All Users
2. Allow LDAP; Allow; LDAP, LDAP (UDP), LDAP GC, LDAPS, LDAPS GC; Internal, Perimeter, VPN Clients; Localhost; All users
3. Web Access Only; Allow; FTP, HTTP, HTTPS; Internal, VPN Clients; External, Perimeter; All users
4. VPN clients to Internal; Allow; All outbound; VPN Clients; Internal; All users
5. Allow DNS; Allow; DNS; Internal, VPN Clients; Perimeter, External; All users

I have configured one more rule for testing, like this:
6. test; Allow; All outbound; Perimeter; Internal, Localhost; All users

So my trouble is that the server in the DMZ can't join the domain and cannot ping SV1 (the DC)...
This matters because I want to set up a Mail Exchange 2007 server in the DMZ, and it must have joined the domain to continue the install process.

I guess the servers in the DMZ can't recognize SV1 in Internal because they have no DNS to tell them who SV1 is, but why can't I ping SV1? How can I configure things so that servers in the DMZ can communicate with the DC in Internal?

Please help me.
Topology-3.png
Question by:vietpa
5 Comments
 
LVL 8

Expert Comment

by:anil_u
ID: 22603592
The most likely reason why you cannot join the domain is NOT DNS but that FW1 cannot see SV1. This is a networking problem. Both FW1 and SV1 have a subnet mask of 255.255.255.0, and FW1 is on 192.168.3.0 while SV1 is on 192.168.2.0, i.e. two different networks. Is the device between the two a router? Has it been configured to allow traffic between the two networks?
 
LVL 70

Expert Comment

by:Chris Dent
ID: 22604577

> Because i want to create Mail Exchange 2007 Server in DMZ, and it must joined domain
> to continue install process.

Hmm, I recommend you do not do this. It doesn't give you any additional security while adding a great deal of complication.

The thing is, you need so much open for Exchange to talk to AD that isolating the Exchange Server in the DMZ doesn't really improve security. Bear in mind that we must include RPC as well as services like MAPI for clients.

You would be better using a Proxy Server (like ISA Server) to publish OWA and any other public services from the private network (in my opinion).

Chris
 
LVL 8

Expert Comment

by:anil_u
ID: 22604613
Please ignore my comment - I've just had a proper look at your diagram :)
 

Accepted Solution

by:vietpa
vietpa earned 0 total points
ID: 22605163
Hi Chris,

You say that I had better use a Proxy Server (like ISA Server). In my topology I'm using ISA Server 2006, and I'll publish a Web Server and a Mail Server in the DMZ. I put these servers in the DMZ because I want to secure them from both Internal users and External users. I think that if they were put in Internal, I couldn't manage them from internal access.
In addition, I'll use GFI for ISA Server as a Proxy Server in the near future.

Returning to my problem: I've now solved it. The Mail Server in the DMZ can join the domain on the DC in Internal.
Here is my solution:
- Go to Configuration > Network
- Add new network rule to use NAT from Perimeter to Internal.
- Open some ports (RPC, Microsoft CIFS, Kerberos-Sec, LDAP)

Is it secure when I open NAT from Perimeter to Internal? Is it secure to put the Mail Server in Perimeter or in Internal, and which is more secure? Would you let me know clearly about this, Chris?
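The two-stage evaluation behind vietpa's fix (a network rule defining the Perimeter-to-Internal relationship, and only then an access rule for each protocol) can be modelled in a few lines. The block below is an added example written for this thread; it is not code from the thread or from ISA Server. The six access rules are the ones listed in the question, the starting network rules are an assumption about a 3-leg perimeter template with nothing defined between Perimeter and Internal, and the "DMZ to DC" rule carries exactly the four protocols the accepted solution names. The protocol set checked (DNS, Kerberos-Sec, LDAP, Microsoft CIFS, RPC) is what a Windows domain join needs to reach a DC; DNS is included so the check shows what the accepted solution leaves out.

```python
"""Simplified model of how ISA Server 2006 decides whether traffic between two
of its networks is allowed (constructed example for this thread, not ISA code).

Two stages, in this order:
  1. A network rule must define the relationship between the source and
     destination networks (Route works in both directions, NAT only lets the
     source side initiate). With no network rule the packet is dropped before
     any access rule is consulted, which is why 'Allow Ping' alone did not work.
  2. Access rules are evaluated top to bottom; the first rule whose protocol,
     source and destination all match decides. Nothing matches -> default deny.
Rule, protocol and network names come from the question and the accepted
answer; the starting network rules are an assumption.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class NetworkRule:
    name: str
    source: str
    destination: str
    relation: str  # "route" or "nat"


@dataclass(frozen=True)
class AccessRule:
    name: str
    action: str           # "allow" or "deny"
    protocols: frozenset  # ISA protocol names, or {"All outbound"}
    sources: frozenset
    destinations: frozenset


def network_relationship(network_rules, src, dst):
    """Return the network rule that lets src initiate traffic to dst, or None."""
    for rule in network_rules:
        if rule.source == src and rule.destination == dst:
            return rule
        if rule.relation == "route" and rule.source == dst and rule.destination == src:
            return rule  # route relationships apply in both directions
    return None


def evaluate(network_rules, access_rules, protocol, src, dst):
    """Return (decision, reason) for one flow; decision is 'allow' or 'deny'."""
    if src != dst and network_relationship(network_rules, src, dst) is None:
        return "deny", f"no network rule between {src} and {dst}"
    for rule in access_rules:
        protocol_ok = "All outbound" in rule.protocols or protocol in rule.protocols
        if protocol_ok and src in rule.sources and dst in rule.destinations:
            return rule.action, f"matched access rule '{rule.name}'"
    return "deny", "default deny rule"


def _rule(name, action, protocols, sources, destinations):
    return AccessRule(name, action, frozenset(protocols),
                      frozenset(sources), frozenset(destinations))


# The six access rules exactly as listed in the question.
QUESTION_ACCESS_RULES = [
    _rule("Allow Ping", "allow", ["PING"],
          ["Internal", "Perimeter", "VPN Clients"],
          ["External", "Localhost", "Perimeter", "Internal"]),
    _rule("Allow LDAP", "allow", ["LDAP", "LDAP (UDP)", "LDAP GC", "LDAPS", "LDAPS GC"],
          ["Internal", "Perimeter", "VPN Clients"], ["Localhost"]),
    _rule("Web Access Only", "allow", ["FTP", "HTTP", "HTTPS"],
          ["Internal", "VPN Clients"], ["External", "Perimeter"]),
    _rule("VPN clients to Internal", "allow", ["All outbound"], ["VPN Clients"], ["Internal"]),
    _rule("Allow DNS", "allow", ["DNS"], ["Internal", "VPN Clients"], ["Perimeter", "External"]),
    _rule("test", "allow", ["All outbound"], ["Perimeter"], ["Internal", "Localhost"]),
]

# Assumed starting network rules: Internet access only, nothing Perimeter<->Internal.
QUESTION_NETWORK_RULES = [
    NetworkRule("Internet Access", "Internal", "External", "nat"),
    NetworkRule("Perimeter Internet Access", "Perimeter", "External", "nat"),
]

# Protocols a domain join needs from the DMZ host to the DC (ISA protocol names).
DOMAIN_JOIN_PROTOCOLS = ["DNS", "Kerberos-Sec", "LDAP", "Microsoft CIFS", "RPC"]


def domain_join_check(network_rules, access_rules):
    """Decision for each domain-join protocol from Perimeter (DMZ) to Internal (DC)."""
    return {p: evaluate(network_rules, access_rules, p, "Perimeter", "Internal")[0]
            for p in DOMAIN_JOIN_PROTOCOLS}


def solved_policy():
    """The accepted answer: a NAT network rule Perimeter->Internal plus an access
    rule for only RPC, CIFS, Kerberos-Sec and LDAP, replacing the 'All outbound'
    test rule so the DMZ gets no more reach into Internal than the join needs."""
    network_rules = QUESTION_NETWORK_RULES + [
        NetworkRule("Perimeter to Internal", "Perimeter", "Internal", "nat")]
    access_rules = [r for r in QUESTION_ACCESS_RULES if r.name != "test"] + [
        _rule("DMZ to DC", "allow", ["RPC", "Microsoft CIFS", "Kerberos-Sec", "LDAP"],
              ["Perimeter"], ["Internal"])]
    return network_rules, access_rules


if __name__ == "__main__":
    print("as posted :", domain_join_check(QUESTION_NETWORK_RULES, QUESTION_ACCESS_RULES))
    print("after fix :", domain_join_check(*solved_policy()))
    print("HTTP DMZ->Internal after fix:", evaluate(*solved_policy(), "HTTP", "Perimeter", "Internal"))
```

Run stand-alone it shows every domain-join protocol denied with "no network rule" on the posted configuration, even though the "test" rule allowed all outbound traffic, and allowed after the NAT network rule is added. Two things the check surfaces: DNS from Perimeter to Internal is still denied in the solved policy, so the DMZ host needs some path to resolve the domain's SRV records (a DNS rule to the DC, or a DNS server it is allowed to reach that forwards for the domain); and with the narrow "DMZ to DC" rule in place of "All outbound", anything else from the DMZ towards Internal (HTTP in the last line) falls through to the default deny, which is the smaller hop from a compromised DMZ that Chris warns about.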
 
LVL 70

Assisted Solution

by:Chris Dent
Chris Dent earned 100 total points
ID: 22606058

> Is it secure when Mail Server put in Perimeter or Internal

It very much depends on your reason for putting it there.

DMZ implies an area of the network for direct public access. Given that your Exchange Server needs a high degree of access to the internal network this is not generally a secure approach as you have to make a large number of holes in the Firewall.

That means that if the DMZ is compromised then the hop to the internal domain is a short one.

In terms of providing (public) inbound access to OWA you would certainly be better proxying / publishing it through ISA if you haven't already.

For restricting internal user accounts, I guess it depends on what you think your internal users might attack?

Chris
