Solved

Isolating a server in a domain

Posted on 2009-07-14
7
221 Views
Last Modified: 2012-05-07
I have an overseas vendor that I would like to allow access into our domain for code drops and pickups using VPN and keep them from seeing devices and have access to applications and data in the rest of the domain.

I am thinking of a stand alone server not joined to the domain.  Is this the only / best approach.
0
Comment
Question by:ITGIT
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
7 Comments
 
LVL 11

Expert Comment

by:loftyworm
ID: 24855367
Have you considered using IPSec?
deployed from GPO on the host or to the domain, either way it should work.
0
 
LVL 10

Expert Comment

by:remmett70
ID: 24855603
What does the vendor need to do?  Run applications on the one server or just move code in and out?  If they just need to move code and don't need desktop access or anything maybe access through FTP only.
0
 

Author Comment

by:ITGIT
ID: 24855878
Using SVN to check in and out code and if I add these folks to AD and give them VPN credentials they can easily browse and find shares and other non secure items on the network.

So I want to allow them to use SVN "subversion" and NOT see the network schtuffs
0
Revamp Your Training Process

Drastically shorten your training time with WalkMe's advanced online training solution that Guides your trainees to action.

 
LVL 2

Expert Comment

by:javiersantana
ID: 24856195
Just add that user account into a seperate OU. Make sure he isn't in any of the groups that are allowed to log on to computer via the network ( this should be under user rights assignment ) or interractively. If he needs to UNC into that one server for any reason, move that server into a seperate OU. Then create a gpo so that the group he is in is allowed to browse to the server.

Hope this makes sense.
0
 
LVL 2

Expert Comment

by:zorionterrell
ID: 24862185
If its only for Subversion then you dont even need to allow that person direct access to the box.
Get another IP from your ISP. Assign it as a Virtual IP on your Firewall. Setup NAT for web ports (or what ever ports you use) from the virtual IP to the Subversion box. Make sure you set the pass rules on your FW as well.

I have a setup like this running at our buisness for our programmer. On our web server we also created a virtual host (subv.company.com) with the DNS pointing to the Virtual IP.
0
 

Author Comment

by:ITGIT
ID: 24864287
zorionterrell:

So then I can join a new server that my PE team wants to use and own into the domain to make it easier to run other tools and apps like cruise control and jira and etc and then via my ASA I can use an external IP access rule and nat it to the box per FTP / WEB or whatever ports required.

The outside folks could then drop and retrieve code secure from our domain.
0
 
LVL 2

Accepted Solution

by:
zorionterrell earned 250 total points
ID: 24864303
Correct. You limit what they can access to without exposing your entire network to net.
0

Featured Post

MIM Survival Guide for Service Desk Managers

Major incidents can send mastered service desk processes into disorder. Systems and tools produce the data needed to resolve these incidents, but your challenge is getting that information to the right people fast. Check out the Survival Guide and begin bringing order to chaos.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

How to set-up an On Demand, IPSec, Site to SIte, VPN from a Draytek Vigor Router to a Cyberoam UTM Appliance. A concise guide to the settings required on both devices
Active Directory security has been a hot topic of late, and for good reason. With 90% of the world’s organization using this system to manage access to all parts of their IT infrastructure, knowing how to protect against threats and keep vulnerabil…
This tutorial will walk an individual through the process of configuring their Windows Server 2012 domain controller to synchronize its time with a trusted, external resource. Use Google, Bing, or other preferred search engine to locate trusted NTP …
Are you ready to implement Active Directory best practices without reading 300+ pages? You're in luck. In this webinar hosted by Skyport Systems, you gain insight into Microsoft's latest comprehensive guide, with tips on the best and easiest way…

734 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question