FelipeSchneider
asked on
ACL that permit only authentication in domain
I have a webserver on DMZ, and this webserver needs to authenticate on ActiveDirectory server (on my backoffice).
What ports/protocols do I need for ONLY this authorization? I need to restrict all other access (file sharing, etc.) from the webserver to AD.
Thank you,
Felipe.
I'm not sure about the PIX, but on the ASA these are abbreviated as the service set domain, i.e.
access-list ad_auth extended permit int dmz int inside eq domain
Port 389 should be enough for a query for auth.
Gilad
SOLUTION
ASKER
Strange, I've opened the following ports:
Kerberos: TCP 88, UDP 88
DNS: TCP 53, UDP 53
LDAP: TCP 389, UDP 389
LDAP over SSL: TCP 636
SMB over IP: TCP 445, UDP 445
But the computer doesn't enter the domain correctly. I have a shared folder on the webserver that I access from my back office DFS, and if I don't create a rule ANY - ANY on the DMZ interface, the webserver apparently doesn't log in to the domain, and the files aren't visible from the backoffice.
Any suggestion?
There is a security issue if the web server gets compromised.
ASKER
"query remote AD using those ports - just to check if the recipient matches a user in AD."
Yes, it's exactly what I need. I need only the webserver to join the domain, but all other functions/ports must be disabled.
The access that will be enabled is from backoffice TO dmz.
Rochey2009 is right, don't do it, you will be exposed to XSS and many kinds of Web attacks and web API attacks easily.
What is the point of putting a computer in your DMZ and logging it in to the domain? The services and processes will run with the user's permissions.
ASKER
I need to access a shared folder in the DMZ from my backoffice machines. And I need to access this folder with the user permissions on AD.
Any idea?
yes.
share another folder on an internal server and replicate\sync them.
ASKER
I did it in the past, but the problem is that I need the publication of archives to be online.
Another suggestion would be to leave the webserver standalone, and allow it to access the folders on the file server. For that I would release only the ports for the file share from WEBSERVER to FILESERVER.
What do you think?
Hi,
I don't see port 123 open. This is for Windows Time (NTP). If the server is not in sync in terms of time, it will not authenticate, as Kerberos depends on time.
You can also take a Netmon trace to see what is happening.
I would also suggest opening 3268 for GC.
Regards,
Arun.
ASKER CERTIFIED SOLUTION
one of the better options in your situation.
Good luck
Check this link
http://technet.microsoft.com/en-us/library/bb125069(EXCHG.65).aspx
And see if the section under active directory is helpful :) Basically, it's ports:
389/TCP, 389/UDP: LDAP to Directory Service
3268/TCP: LDAP to Global Catalog Server
88/TCP, 88/UDP: Kerberos Authentication
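The ACL syntax from Gilad's answer, checked against the port list the thread converges on (the asker's list plus Arun's NTP and Global Catalog additions), as an added example that is not from the original thread: a small Python audit that parses a subset of ASA extended access-list syntax and reports which required AD ports are still missing and which rules open every port (the ANY-ANY rule the asker fell back to). The sample ACL, its addresses and the REQUIRED table are constructed assumptions, not configuration from the thread.

```python
import re
# Ports the thread ends up with for domain join/auth from the DMZ web server
# (NTP and the Global Catalog port come from Arun's answer). Constructed table.
REQUIRED = {
    ("tcp", 53): "DNS", ("udp", 53): "DNS", ("tcp", 88): "Kerberos", ("udp", 88): "Kerberos",
    ("tcp", 389): "LDAP", ("udp", 389): "LDAP", ("tcp", 636): "LDAP over SSL",
    ("tcp", 3268): "LDAP to Global Catalog", ("udp", 123): "NTP (Kerberos needs clocks in sync)",
}
# ASA service keywords that may follow 'eq' instead of a port number (subset only).
ASA_PORT_NAMES = {"domain": 53, "ldap": 389, "ldaps": 636, "ntp": 123}
# Subset of ASA syntax: access-list NAME extended permit|deny PROTO SRC DST [eq PORT]
ACE = re.compile(r"^access-list\s+\S+\s+extended\s+(?P<action>permit|deny)\s+(?P<proto>tcp|udp|ip)"
                 r"\s+(?P<src>any|host\s+\S+)\s+(?P<dst>any|host\s+\S+)(?:\s+eq\s+(?P<port>\S+))?\s*$")
SAMPLE_ACL = [  # constructed sample: DMZ web server 192.0.2.10 to inside DC 198.51.100.5
    "access-list dmz_in extended permit tcp host 192.0.2.10 host 198.51.100.5 eq 88",
    "access-list dmz_in extended permit tcp host 192.0.2.10 host 198.51.100.5 eq domain",
    "access-list dmz_in extended permit tcp host 192.0.2.10 host 198.51.100.5 eq ldap",
    "access-list dmz_in extended permit tcp host 192.0.2.10 host 198.51.100.5 eq ldaps",
    "access-list dmz_in extended permit ip host 192.0.2.10 any",  # the ANY rule the asker fell back to
]

def parse_ace(line):
    """Parse one access-control entry; return None if the line is not understood."""
    m = ACE.match(line.strip())
    if not m:
        return None
    ace = m.groupdict()
    port = ace["port"]
    if port is not None and not port.isdigit():
        if port not in ASA_PORT_NAMES:
            return None  # unknown service keyword: refuse to guess
        port = ASA_PORT_NAMES[port]
    ace["port"] = int(port) if port is not None else None
    return ace

def audit(acl_lines):
    """Return (required ports not permitted, rules that open every port, lines not understood)."""
    permitted, too_broad, unparsed = set(), [], []
    for line in acl_lines:
        ace = parse_ace(line)
        if ace is None:
            unparsed.append(line.strip())
        elif ace["action"] == "permit" and (ace["proto"] == "ip" or ace["port"] is None):
            too_broad.append(line.strip())  # 'ip' or no 'eq' means every port, not just auth
        elif ace["action"] == "permit":
            permitted.add((ace["proto"], ace["port"]))
    missing = {k: v for k, v in REQUIRED.items() if k not in permitted}
    return missing, too_broad, unparsed
```

Running `audit(SAMPLE_ACL)` flags the `permit ip ... any` line and lists the UDP 53/88/389, TCP 3268 and UDP 123 entries as still missing.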