• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 228
  • Last Modified:

Isolating a server in a domain

I have an overseas vendor that I would like to allow access into our domain for code drops and pickups using VPN and keep them from seeing devices and have access to applications and data in the rest of the domain.

I am thinking of a stand alone server not joined to the domain.  Is this the only / best approach.
1 Solution
Have you considered using IPSec?
deployed from GPO on the host or to the domain, either way it should work.
What does the vendor need to do?  Run applications on the one server or just move code in and out?  If they just need to move code and don't need desktop access or anything maybe access through FTP only.
ITGITAuthor Commented:
Using SVN to check in and out code and if I add these folks to AD and give them VPN credentials they can easily browse and find shares and other non secure items on the network.

So I want to allow them to use SVN "subversion" and NOT see the network schtuffs
Simplify Active Directory Administration

Administration of Active Directory does not have to be hard.  Too often what should be a simple task is made more difficult than it needs to be.The solution?  Hyena from SystemTools Software.  With ease-of-use as well as powerful importing and bulk updating capabilities.

Just add that user account into a seperate OU. Make sure he isn't in any of the groups that are allowed to log on to computer via the network ( this should be under user rights assignment ) or interractively. If he needs to UNC into that one server for any reason, move that server into a seperate OU. Then create a gpo so that the group he is in is allowed to browse to the server.

Hope this makes sense.
If its only for Subversion then you dont even need to allow that person direct access to the box.
Get another IP from your ISP. Assign it as a Virtual IP on your Firewall. Setup NAT for web ports (or what ever ports you use) from the virtual IP to the Subversion box. Make sure you set the pass rules on your FW as well.

I have a setup like this running at our buisness for our programmer. On our web server we also created a virtual host (subv.company.com) with the DNS pointing to the Virtual IP.
ITGITAuthor Commented:

So then I can join a new server that my PE team wants to use and own into the domain to make it easier to run other tools and apps like cruise control and jira and etc and then via my ASA I can use an external IP access rule and nat it to the box per FTP / WEB or whatever ports required.

The outside folks could then drop and retrieve code secure from our domain.
Correct. You limit what they can access to without exposing your entire network to net.
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

Join & Write a Comment

Featured Post

Problems using Powershell and Active Directory?

Managing Active Directory does not always have to be complicated.  If you are spending more time trying instead of doing, then it's time to look at something else. For nearly 20 years, AD admins around the world have used one tool for day-to-day AD management: Hyena. Discover why

Tackle projects and never again get stuck behind a technical roadblock.
Join Now