FelipeSchneider

asked on

ACL that permit only authentication in domain

I have a webserver on DMZ, and this webserver needs to authenticate on ActiveDirectory server (on my backoffice).

What ports/protocols do I need to open for ONLY this authorization? I need to restrict all other access (file sharing, etc.) from the webserver to AD.

Thank you,

Felipe.
shairozan

Hey there,

Check this link

http://technet.microsoft.com/en-us/library/bb125069(EXCHG.65).aspx

And see if the section under Active Directory is helpful :) Basically, it's these ports:

389/TCP, 389/UDP - LDAP to Directory Service
3268/TCP - LDAP to Global Catalog Server
88/TCP, 88/UDP - Kerberos Authentication
I'm not sure about the PIX, but on the ASA, these are abbreviated as the service set domain, i.e.

access-list ad_auth extended permit int dmz int inside eq domain
Giladn
Port 389 should be enough for a query for auth.

Gilad
rochey2009
FelipeSchneider

ASKER

Strange, I've opened the following ports:

Kerberos: TCP 88, UDP 88
DNS: TCP 53, UDP 53
LDAP: TCP 389, UDP 389
LDAP over SSL: TCP 636
SMB over IP: TCP 445, UDP 445

But the computer doesn't enter the domain correctly. I have a shared folder on the webserver that I access from my back office DFS, and if I don't create an ANY - ANY rule on the DMZ interface, the webserver apparently doesn't log in to the domain, and the files aren't visible from the backoffice.

Any suggestion?
There is a security issue if the web server gets compromised.
"query  remote AD using those ports - just to check if the recipient matches a user in AD."

Yes, it's exactly what I need. I need only the webserver to join the domain, but all other functions/ports must be disabled.

The access that will be enabled is from backoffice TO dmz.
Rochey2009 is right, don't do it, you will be exposed to XSS and many kinds of Web attacks and web API attacks easily.
What is the point of putting a computer in your DMZ and logging it into the domain? The services and processes will run with the user's permissions.

I need to access a shared folder in the DMZ from my backoffice machines. And I need to access this folder with the user permissions on AD.

Any idea?
yes.
share another folder on an internal server and replicate\sync them.
I did it in the past, but the problem is that I need the publication of the archives to be online.

Another suggestion would be to leave the standalone webserver, and allow it to access the folders on the file server. For that I would release only the ports to the files share from WEBSERVER to FILESERVER.

What do you think?
Hi,
I don't see port 123 open. This is for Windows time (NTP). If the server is not in sync in terms of time, it will not authenticate, as Kerberos depends on time.

You can also take a Netmon Trace to see what is happening... .

I would also suggest opening 3268 for the GC.

Regards,
Arun.
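The port lists from shairozan's reply and Arun's NTP/GC additions, pulled together as a small policy model; this is an added example, not code from anyone in the thread. It assumes Cisco ASA extended access-list syntax for the rendered lines (one host-to-host permit per protocol/port, closed by an explicit deny), uses constructed documentation-range addresses for the web server and domain controller, and audits the asker's opened-port list against the authentication-only policy:

```python
"""Added example (not from the thread): model the DMZ -> inside policy
that allows only the AD authentication ports the replies list, render it
as ASA-style access-list lines, and audit an opened-port list against it."""
from dataclasses import dataclass

# Ports named in the replies: LDAP/GC/Kerberos (shairozan), DNS and LDAPS
# (the asker's own list), NTP 123 (Arun). SMB 445 is deliberately absent.
AD_AUTH_SERVICES = {
    "kerberos":       (("tcp", 88), ("udp", 88)),
    "ldap":           (("tcp", 389), ("udp", 389)),
    "ldaps":          (("tcp", 636),),
    "global-catalog": (("tcp", 3268),),
    "dns":            (("tcp", 53), ("udp", 53)),
    "ntp":            (("udp", 123),),
}

# Constructed documentation-range addresses (assumptions, not from the thread).
WEBSERVER_IP = "192.0.2.10"
DC_IP = "198.51.100.5"


@dataclass(frozen=True)
class Flow:
    src_iface: str
    dst_iface: str
    proto: str
    dport: int


def build_policy(services=AD_AUTH_SERVICES):
    """Flatten the service table into the set of (proto, port) pairs
    permitted from dmz to inside."""
    return {pair for pairs in services.values() for pair in pairs}


def is_permitted(flow, policy):
    """Decide a flow the way a firewall with an implicit deny would: only
    dmz -> inside flows matching the policy pass; everything else, including
    inside-bound SMB from the web server, is dropped."""
    if (flow.src_iface, flow.dst_iface) != ("dmz", "inside"):
        return False
    return (flow.proto, flow.dport) in policy


def render_asa_acl(policy, name="ad_auth", src=WEBSERVER_IP, dst=DC_IP):
    """Render the policy as ASA extended ACL lines, one host-to-host permit
    per (proto, port) sorted by port, closed by an explicit logged deny."""
    lines = [
        f"access-list {name} extended permit {proto} host {src} host {dst} eq {port}"
        for proto, port in sorted(policy, key=lambda p: (p[1], p[0]))
    ]
    lines.append(f"access-list {name} extended deny ip any any log")
    return lines


def audit_opened_ports(opened, policy):
    """Compare an opened-port list with the policy: 'extra' is exposure
    beyond authentication (what a compromised web server could reach),
    'missing' is what authentication still needs."""
    key = lambda p: (p[1], p[0])
    return {
        "extra": sorted(set(opened) - policy, key=key),
        "missing": sorted(policy - set(opened), key=key),
    }


# The asker's opened-port list, as posted above.
ASKER_OPENED = [
    ("tcp", 88), ("udp", 88),
    ("tcp", 53), ("udp", 53),
    ("tcp", 389), ("udp", 389),
    ("tcp", 636),
    ("tcp", 445), ("udp", 445),
]

if __name__ == "__main__":
    policy = build_policy()
    for line in render_asa_acl(policy):
        print(line)
    print(audit_opened_ports(ASKER_OPENED, policy))
```

Run as a script it prints the nine permit lines plus the closing deny, and the audit reports TCP/UDP 445 as extra exposure and UDP 123 and TCP 3268 as missing, which is exactly the gap Arun points out. The reason the ANY - ANY rule seemed necessary is that a full domain join and DFS share access use SMB and RPC to the domain controller, not just the authentication ports above; a policy that permits only these ports supports LDAP/Kerberos queries from the web server but not a domain-joined file share in the DMZ, which is the trade-off the replies are arguing for.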
ASKER CERTIFIED SOLUTION
one of the better options in your situation.

Good luck