Solved

How to use LDAP authentication on a FTP server (DMZ) - setup and lay out question?

Posted on 2010-08-28
6
1,591 Views
Last Modified: 2013-12-09

Hi,

I was wondering if someone could give some advise about the following.

We currently have an FTP server which does not belong to our network and is being access with local accounts.

Because business needs the FTP server has to be accessed now via the AD. In order to do that we wanted to place it on the DMZ behind our firewall and use an FTP product that will allow us to secure it (SFTP) and that is AD aware.

We are trying to understand how do we need to perform the lay out so that the AD is not exposed to internet and the users can authenticate from the internet to the FTP with their AD accounts.

I was wondering if someone could give some advise about different ways to set this up securely with a secure FTP product.

Does anyone has performed something similiar to this setup and could provide some advise?

Any suggestions about products that we could use in order to perform the setup will be also welcome (either Windows FTP or 3rd party apps)

Thank you
0
Comment
Question by:llarava
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 3
  • 2
6 Comments
 
LVL 21

Expert Comment

by:chapmanjw
ID: 33551502
Cerberus FTP server supports LDAP authentication: http://www.cerberusftp.com/help/ldap_authentication.html
0
 

Author Comment

by:llarava
ID: 33553580
Thank you. I was already looking at this product since WS_FTP (LDAP aware version) is far away from out budget.

Do you have any suggestion on how should be go with the lay out of FTP server (DMZ, firewall, ports to be opened) and the security that we need to configured in order to allow the authentication to happen with the DCs?
0
 
LVL 21

Expert Comment

by:chapmanjw
ID: 33553854
FTP uses two ports during transmission.  Port 21 is the normal connection port and then a random port in a range configured by the FTP server is used.  For instance, you could use range 5000 - 6000 for your data ports.  Traditionally, connected users use port 21 and a unique port in the range specified.  So user 1 would have 21 and 5001 and user 2 would have 21 and 5002.

From the public side, only port 21 and your data port range needs to be open in the firewall.  Internally, the FTP server needs to have access to the LDAP server via port 389 (unless you have customized this).

Here is another FTP server software that might work better.  The edition that allows LDAP and Active Directory authentication is less than $200: http://www.xlightftpd.com/tutorial/ldap_eDirectory.html   http://www.xlightftpd.com/purchase.htm
0
Retailers - Is your network secure?

With the prevalence of social media & networking tools, for retailers, reputation is critical. Have you considered the impact your network security could have in your customer's experience? Learn more in our Retail Security Resource Kit Today!

 
LVL 1

Expert Comment

by:scameron447
ID: 33554975
The GC is where servers will look to authenticate users.  You will need this to authenticate properly, and make sure you don't have this on a server with the Infrastructure Master Role.  If you do, that copy of AD will not replicate.
 
0
 

Author Comment

by:llarava
ID: 33657072
chapmanjw,

FTP is not be an option since it will no be secure enough. I am planning to go with an SFTP (SSH FTP) the default port is 22.  There are no data ports with SFTP which is one of the reasons it is more firewall friendly than FTP.  Command and data information is all sent over the same connection.

From the public side, only port 22 needs to be open in the firewall no data ports will be needed and the users will be able to access and get the data over this port.  Internally, the SFTP server needs to have access to the DC servers via port 389.

Does that make sense?


0
 
LVL 21

Accepted Solution

by:
chapmanjw earned 500 total points
ID: 33658216
Yes, that is correct.
1

Featured Post

On Demand Webinar: Networking for the Cloud Era

Did you know SD-WANs can improve network connectivity? Check out this webinar to learn how an SD-WAN simplified, one-click tool can help you migrate and manage data in the cloud.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

When it comes to security, close monitoring is a must. According to WhiteHat Security annual report, a substantial number of all web applications are vulnerable always. Monitis offers a new product - fully-featured Website security monitoring and pr…
During and after that shift to cloud, one area that still poses a struggle for many organizations is what to do with their department file shares.
Sending a Secure fax is easy with eFax Corporate (http://www.enterprise.efax.com). First, Just open a new email message.  In the To field, type your recipient's fax number @efaxsend.com. You can even send a secure international fax — just include t…
Internet Business Fax to Email Made Easy - With eFax Corporate (http://www.enterprise.efax.com), you'll receive a dedicated online fax number, which is used the same way as a typical analog fax number. You'll receive secure faxes in your email, fr…

707 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question