Isolating a server in a domain

I have an overseas vendor that I would like to allow access into our domain for code drops and pickups using VPN and keep them from seeing devices and have access to applications and data in the rest of the domain.

I am thinking of a stand alone server not joined to the domain.  Is this the only / best approach.
ITGITAsked:
Who is Participating?
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

loftywormCommented:
Have you considered using IPSec?
deployed from GPO on the host or to the domain, either way it should work.
0
remmett70Commented:
What does the vendor need to do?  Run applications on the one server or just move code in and out?  If they just need to move code and don't need desktop access or anything maybe access through FTP only.
0
ITGITAuthor Commented:
Using SVN to check in and out code and if I add these folks to AD and give them VPN credentials they can easily browse and find shares and other non secure items on the network.

So I want to allow them to use SVN "subversion" and NOT see the network schtuffs
0
Simplify Active Directory Administration

Administration of Active Directory does not have to be hard.  Too often what should be a simple task is made more difficult than it needs to be.The solution?  Hyena from SystemTools Software.  With ease-of-use as well as powerful importing and bulk updating capabilities.

javiersantanaCommented:
Just add that user account into a seperate OU. Make sure he isn't in any of the groups that are allowed to log on to computer via the network ( this should be under user rights assignment ) or interractively. If he needs to UNC into that one server for any reason, move that server into a seperate OU. Then create a gpo so that the group he is in is allowed to browse to the server.

Hope this makes sense.
0
zorionterrellCommented:
If its only for Subversion then you dont even need to allow that person direct access to the box.
Get another IP from your ISP. Assign it as a Virtual IP on your Firewall. Setup NAT for web ports (or what ever ports you use) from the virtual IP to the Subversion box. Make sure you set the pass rules on your FW as well.

I have a setup like this running at our buisness for our programmer. On our web server we also created a virtual host (subv.company.com) with the DNS pointing to the Virtual IP.
0
ITGITAuthor Commented:
zorionterrell:

So then I can join a new server that my PE team wants to use and own into the domain to make it easier to run other tools and apps like cruise control and jira and etc and then via my ASA I can use an external IP access rule and nat it to the box per FTP / WEB or whatever ports required.

The outside folks could then drop and retrieve code secure from our domain.
0
zorionterrellCommented:
Correct. You limit what they can access to without exposing your entire network to net.
0

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Active Directory

From novice to tech pro — start learning today.