Solved

How to use LDAP authentication on a FTP server (DMZ) - setup and lay out question?

Posted on 2010-08-28
6
1,561 Views
Last Modified: 2013-12-09

Hi,

I was wondering if someone could give some advise about the following.

We currently have an FTP server which does not belong to our network and is being access with local accounts.

Because business needs the FTP server has to be accessed now via the AD. In order to do that we wanted to place it on the DMZ behind our firewall and use an FTP product that will allow us to secure it (SFTP) and that is AD aware.

We are trying to understand how do we need to perform the lay out so that the AD is not exposed to internet and the users can authenticate from the internet to the FTP with their AD accounts.

I was wondering if someone could give some advise about different ways to set this up securely with a secure FTP product.

Does anyone has performed something similiar to this setup and could provide some advise?

Any suggestions about products that we could use in order to perform the setup will be also welcome (either Windows FTP or 3rd party apps)

Thank you
0
Comment
Question by:llarava
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 3
  • 2
6 Comments
 
LVL 21

Expert Comment

by:chapmanjw
ID: 33551502
Cerberus FTP server supports LDAP authentication: http://www.cerberusftp.com/help/ldap_authentication.html
0
 

Author Comment

by:llarava
ID: 33553580
Thank you. I was already looking at this product since WS_FTP (LDAP aware version) is far away from out budget.

Do you have any suggestion on how should be go with the lay out of FTP server (DMZ, firewall, ports to be opened) and the security that we need to configured in order to allow the authentication to happen with the DCs?
0
 
LVL 21

Expert Comment

by:chapmanjw
ID: 33553854
FTP uses two ports during transmission.  Port 21 is the normal connection port and then a random port in a range configured by the FTP server is used.  For instance, you could use range 5000 - 6000 for your data ports.  Traditionally, connected users use port 21 and a unique port in the range specified.  So user 1 would have 21 and 5001 and user 2 would have 21 and 5002.

From the public side, only port 21 and your data port range needs to be open in the firewall.  Internally, the FTP server needs to have access to the LDAP server via port 389 (unless you have customized this).

Here is another FTP server software that might work better.  The edition that allows LDAP and Active Directory authentication is less than $200: http://www.xlightftpd.com/tutorial/ldap_eDirectory.html   http://www.xlightftpd.com/purchase.htm
0
Windows running painfully slow? Try these tips..

Stay away from Speed Up Computer Programs that do more harm than good.
Try these tips instead.
Step by step instructions in trouble shooting Windows Performance issues.

 
LVL 1

Expert Comment

by:scameron447
ID: 33554975
The GC is where servers will look to authenticate users.  You will need this to authenticate properly, and make sure you don't have this on a server with the Infrastructure Master Role.  If you do, that copy of AD will not replicate.
 
0
 

Author Comment

by:llarava
ID: 33657072
chapmanjw,

FTP is not be an option since it will no be secure enough. I am planning to go with an SFTP (SSH FTP) the default port is 22.  There are no data ports with SFTP which is one of the reasons it is more firewall friendly than FTP.  Command and data information is all sent over the same connection.

From the public side, only port 22 needs to be open in the firewall no data ports will be needed and the users will be able to access and get the data over this port.  Internally, the SFTP server needs to have access to the DC servers via port 389.

Does that make sense?


0
 
LVL 21

Accepted Solution

by:
chapmanjw earned 500 total points
ID: 33658216
Yes, that is correct.
1

Featured Post

Efficient way to get backups off site to Azure

This user guide provides instructions on how to deploy and configure both a StoneFly Scale Out NAS Enterprise Cloud Drive virtual machine and Veeam Cloud Connect in the Microsoft Azure Cloud.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Title # Comments Views Activity
Evaluating Enterprise Antivirus solutions 2 75
Barracuda WAF Training? 2 69
yahoo 2 step email authentication 2 28
Developers / Staff Setup 10 40
Ransomware continues to grow in reach and sophistication, putting data everywhere at risk. Learn how to avoid being caught in its sinister clutches with these 11 key tips.
Many of you may be aware of the recent Google Docs scam emails that have been floating around coming from various people that you know. Here's a guide on identifying How To Identify the Scam Email You will see an email from someone you’ve had co…
Internet Business Fax to Email Made Easy - With  eFax Corporate (http://www.enterprise.efax.com), you'll receive a dedicated online fax number, which is used the same way as a typical analog fax number. You'll receive secure faxes in your email, f…
Nobody understands Phishing better than an anti-spam company. That’s why we are providing Phishing Awareness Training to our customers. According to a report by Verizon, only 3% of targeted users report malicious emails to management. With compan…

739 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question