Solved

How to join workstations to domain via WAN without VPN or RRAS

Posted on 2008-10-15
1,082 Views
Last Modified: 2013-12-24
I am creating a new Windows Network with many external users, and I do not want users to authenticate via vpn or rras. I want them to be able to join and login to the domain via WAN to the Primary DC.

Does anyone know how? I will be placing a firewall between the PDC and WAN.
Question by:lbeg
17 Comments
LVL 9

Expert Comment

by:Housammuhanna
ID: 22723916
Mmmm, a link must exist so the client can connect to the server and DNS.
If you don't want to have anything like this, then you can have a child domain in the remote site and have the users authenticate with that one, and let the replication happen every few hours over the VPN.
The VPN is one of the most secure communication methods.
LVL 1

Author Comment

by:lbeg
ID: 22724304
I would like to go through the firewall so users can authenticate/join via the wan connection, not vpn.

Does anyone have experience with this?
LVL 7

Expert Comment

by:DenisCooper
ID: 22724571
What sort of link are you putting in place? If going over the Internet, the only way is VPN - otherwise you would have to create external DNS entries etc. for your AD and have an external DNS server, thus making a very insecure network.

If you are using a direct link - i.e. leased line / fiber etc. - then you would need to open the ports up on your firewall. By direct link I mean literally a link from one building to another - which, from your question, I don't think is what you are wanting to do.
LVL 3

Expert Comment

by:Azyre
ID: 22724619
Well, in order for the clients to connect to your DC they need to get through your firewall in the first place, as the computers need to be on the same network in order to communicate with the domain, i.e. they need to be able to communicate. (Thus VPN, Virtual Private Network.) Rather than having a VPN you can have users connect to your domain servers via other routes, and there are a few of them: Citrix, RDP, etc., but you still need something to tell the users' computers where on the web to connect so that they can access the domain.

From what it sounds like you are trying to do, you can have the users authenticate to your domain through RDP (Remote Desktop Protocol), but you will require a terminal server in order for the users to connect. You will also need to open the ports on the firewall for the users to connect through.

Take a look at :

http://www.windowsnetworking.com/articles_tutorials/Overview-Terminal-Services.html
http://www.microsoft.com/windowsserver2008/en/us/ts-product-home.aspx

LVL 1

Author Comment

by:lbeg
ID: 22724628
I'm thinking along the lines of a "hosted" solution, except with only 1 server.

I have the capability for running external DNS - I actually set up the domain using an external DNS domain name, so...
LVL 30

Expert Comment

by:LauraEHunterMVP
ID: 22724651
Are you referring to performing domain joins and auth over the Internet, without using a VPN?

Worst idea on record. Will require opening up far too many high-risk ports on your firewall, and odds are good that an intermediate router between you and your clients will be blocking one or more of said high-risk ports.

Exactly what services are you trying to expose to your clients, as there's probably a much better way to reach whatever your end-game is. If you want to expose email functionality, there's OWA for webmail or OutlookAnywhere for the thick client, neither of which require direct Internet WAN authentication when designed properly. That's an example for one specific service; depending on your needs, there will be others.
LVL 1

Author Comment

by:lbeg
ID: 22724692
Wow guys. Please keep on-topic. I didn't ask for opinions. I am aware of the security, but with a proper firewall for dos attacks, port blocking, etc and proper authentication via active directory, I think I'll be O.K.

Quoted from Iron Man, "This isn't my first rodeo."
LVL 3

Expert Comment

by:Azyre
ID: 22724704
You can't just throw a DC out on the Internet and have users connect to it. (Well, you can, but you'd have no way of managing which users are yours and which ones are hackers, and even attempting to do something like that would make hackers all over the world smile.) You need to have some sort of user authentication onto your network and something to manage that authentication as well.

Also, as you are going to have "lots" of external users, you are going to need a solution powerful enough to manage all of the data packets from all of the users simultaneously. I believe both Citrix and M$-TS have a suggested limit of 32 concurrent sessions per average server (4 GB RAM / good to high-end processor).
LVL 1

Author Comment

by:lbeg
ID: 22724725
I'm closing this question. No good is coming from it.
LVL 16

Expert Comment

by:robrandon
ID: 22724780
"Wow guys. Please keep on-topic. I didn't ask for opinions. I am aware of the security, but with a proper firewall for dos attacks, port blocking, etc and proper authentication via active directory, I think I'll be O.K."

lbeg - your comment doesn't make sense. In order to accomplish what you want, you will not be able to do any port blocking. According to your goals, anyone on the Internet will be able to access the services you would normally protect with a firewall. You might as well not use a firewall at all.

The expert comments here were provided to steer you in a better direction than you are going.  What you have in mind is a very bad idea.  You should really consider using either a VPN or Citrix solution.

LVL 30

Expert Comment

by:LauraEHunterMVP
ID: 22724781
I don't consider offering security advice to be "off-topic", particularly when what you are espousing is a pretty horrific plan.  If you are "aware of the security" then you wouldn't even be considering the scenario that you're describing, full-stop.

From a standpoint of professional ethics, it's my job to offer you the best advice possible, and the best advice in this scenario is "Find another way to do what you are considering." See my previous, in re: determine what services you intend to offer to your clients, and then determine the best mechanism for doing so securely. (The answer to the latter will in no case be "Allow direct connections to a writeable domain controller over the Internet.")
LVL 3

Expert Comment

by:Azyre
ID: 22724789
---> lbeg:
Quoted from Iron Man, "This isn't my first rodeo."


-->
Quoted from my wife, "If you want to wrestle a bull and everyone is telling you, 'don't wrestle that bull, it's simply not possible' you really should think twice before wrestling that bull."
LVL 7

Accepted Solution

by:
DenisCooper earned 500 total points
ID: 22724965
I'll try and make a sensible comment - I understand what you want to do, but this really isn't feasible. Yes, if you want an open network, then you can do it, although it won't be reliable. Microsoft don't actually recommend using the same external DNS name for your internal network - although it can be done.

Your AD DC would need to be in front of the firewall. You would have to open all ports to the DC - as replication / authentication / DNS / Kerberos etc. won't work correctly behind a firewall. It would be hard to even have one DC out on the network and the others behind the firewall, as it just doesn't really function.

I think your best bet is to use some sort of tunneling software - VPN, or as mentioned above using Citrix or RDP. These work fine behind a firewall and would do the same job you want.

Let me know if I can help any more.
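The accepted solution above says the DC would have to accept replication, authentication, DNS and Kerberos traffic through the firewall. The following PowerShell script is an added example, not part of the thread or anyone's posted code: it lists the TCP ports a Windows client uses to locate, join and log on to a domain controller and probes each one from the client side, so an administrator can see exactly which services an Internet-facing DC would be answering for any source address. It assumes the DC name resolves from the client, PowerShell 4 or later (for Test-NetConnection and Resolve-DnsName), and the Windows Server 2008+ dynamic RPC range; the port list is the standard AD client set, and the DC name is a placeholder.

```powershell
# Added example (not from the thread): enumerate the firewall surface a domain
# join / logon over a routed WAN needs, and probe it from the client side.
# Assumptions: DC name resolves from here, PowerShell 4+ (Test-NetConnection,
# Resolve-DnsName), Windows Server 2008+ dynamic RPC range (49152-65535).
param(
    [Parameter(Mandatory = $true)][string]$DomainController,   # e.g. dc1.example.com (placeholder)
    [string]$DomainName = $DomainController.Split('.', 2)[1]   # e.g. example.com
)

# TCP ports a client needs for DC location, Kerberos, LDAP, SMB (SYSVOL/GPO),
# the RPC endpoint mapper and password changes. The dynamic RPC range is kept
# separate because it cannot be meaningfully probed port by port.
$requiredTcp = [ordered]@{
    53   = 'DNS (SRV/A lookups for _ldap._tcp.dc._msdcs)'
    88   = 'Kerberos authentication'
    135  = 'RPC endpoint mapper (Netlogon, domain join, GPO)'
    389  = 'LDAP'
    445  = 'SMB (SYSVOL, NETLOGON share, group policy)'
    464  = 'Kerberos password change'
    636  = 'LDAPS'
    3268 = 'LDAP Global Catalog'
    3269 = 'LDAPS Global Catalog'
}
$dynamicRpc = @{ Start = 49152; End = 65535; Purpose = 'RPC dynamic range (Netlogon/SAMR/LSARPC)' }

# Probe each required port; TcpTestSucceeded is true when the 3-way handshake completes.
$results = foreach ($port in $requiredTcp.Keys) {
    $probe = Test-NetConnection -ComputerName $DomainController -Port $port -WarningAction SilentlyContinue
    [pscustomobject]@{
        Port      = $port
        Purpose   = $requiredTcp[$port]
        Reachable = $probe.TcpTestSucceeded
    }
}
$results | Format-Table -AutoSize

# Every row that reads Reachable=True is a service the DC answers to this
# address; if this is run from the Internet, it answers to everyone.
$open = ($results | Where-Object Reachable).Count
Write-Host ("{0} of {1} required TCP ports reachable, plus {2}-{3} {4}" -f `
    $open, $results.Count, $dynamicRpc.Start, $dynamicRpc.End, $dynamicRpc.Purpose)

# UDP (DNS 53, Kerberos 88, NTP 123) is not covered by Test-NetConnection.
# Check DC location the way the join does: the SRV record must resolve from
# the client's configured resolver, or the join fails before any port matters.
$srv = Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$DomainName" -Type SRV -ErrorAction SilentlyContinue
if ($srv) {
    $srv | Where-Object Type -eq 'SRV' | Select-Object NameTarget, Port, Priority | Format-Table -AutoSize
} else {
    Write-Warning "No DC locator SRV record for $DomainName from this resolver; domain join would fail here"
}
```

Run it from a machine outside the firewall (`.\Probe-DcSurface.ps1 -DomainController dc1.example.com`). The point the probe makes concrete is robrandon's: for a join and logon to work from an arbitrary Internet address, every port in the table, plus the dynamic RPC range, has to be reachable from that address, which leaves nothing for the firewall to block.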
LVL 1

Author Closing Comment

by:lbeg
ID: 31506420
Thanks Denis.
LVL 16

Expert Comment

by:robrandon
ID: 22795005
FYI, this very setup is open to the exploit that MS has released an out of cycle security update for.

LVL 1

Author Comment

by:lbeg
ID: 22795961
ROBRANDON,
Thank you so much for the info. Do you have a link to the out of cycle security update?
LVL 16

Expert Comment

by:robrandon
ID: 22796307