Solved

How to use LDAP authentication on a FTP server (DMZ) - setup and lay out question?

Posted on 2010-08-28
6
1,529 Views
Last Modified: 2013-12-09

Hi,

I was wondering if someone could give some advise about the following.

We currently have an FTP server which does not belong to our network and is being access with local accounts.

Because business needs the FTP server has to be accessed now via the AD. In order to do that we wanted to place it on the DMZ behind our firewall and use an FTP product that will allow us to secure it (SFTP) and that is AD aware.

We are trying to understand how do we need to perform the lay out so that the AD is not exposed to internet and the users can authenticate from the internet to the FTP with their AD accounts.

I was wondering if someone could give some advise about different ways to set this up securely with a secure FTP product.

Does anyone has performed something similiar to this setup and could provide some advise?

Any suggestions about products that we could use in order to perform the setup will be also welcome (either Windows FTP or 3rd party apps)

Thank you
0
Comment
Question by:llarava
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 3
  • 2
6 Comments
 
LVL 21

Expert Comment

by:chapmanjw
ID: 33551502
Cerberus FTP server supports LDAP authentication: http://www.cerberusftp.com/help/ldap_authentication.html
0
 

Author Comment

by:llarava
ID: 33553580
Thank you. I was already looking at this product since WS_FTP (LDAP aware version) is far away from out budget.

Do you have any suggestion on how should be go with the lay out of FTP server (DMZ, firewall, ports to be opened) and the security that we need to configured in order to allow the authentication to happen with the DCs?
0
 
LVL 21

Expert Comment

by:chapmanjw
ID: 33553854
FTP uses two ports during transmission.  Port 21 is the normal connection port and then a random port in a range configured by the FTP server is used.  For instance, you could use range 5000 - 6000 for your data ports.  Traditionally, connected users use port 21 and a unique port in the range specified.  So user 1 would have 21 and 5001 and user 2 would have 21 and 5002.

From the public side, only port 21 and your data port range needs to be open in the firewall.  Internally, the FTP server needs to have access to the LDAP server via port 389 (unless you have customized this).

Here is another FTP server software that might work better.  The edition that allows LDAP and Active Directory authentication is less than $200: http://www.xlightftpd.com/tutorial/ldap_eDirectory.html   http://www.xlightftpd.com/purchase.htm
0
Back Up Your Microsoft Windows Server®

Back up all your Microsoft Windows Server – on-premises, in remote locations, in private and hybrid clouds. Your entire Windows Server will be backed up in one easy step with patented, block-level disk imaging. We achieve RTOs (recovery time objectives) as low as 15 seconds.

 
LVL 1

Expert Comment

by:scameron447
ID: 33554975
The GC is where servers will look to authenticate users.  You will need this to authenticate properly, and make sure you don't have this on a server with the Infrastructure Master Role.  If you do, that copy of AD will not replicate.
 
0
 

Author Comment

by:llarava
ID: 33657072
chapmanjw,

FTP is not be an option since it will no be secure enough. I am planning to go with an SFTP (SSH FTP) the default port is 22.  There are no data ports with SFTP which is one of the reasons it is more firewall friendly than FTP.  Command and data information is all sent over the same connection.

From the public side, only port 22 needs to be open in the firewall no data ports will be needed and the users will be able to access and get the data over this port.  Internally, the SFTP server needs to have access to the DC servers via port 389.

Does that make sense?


0
 
LVL 21

Accepted Solution

by:
chapmanjw earned 500 total points
ID: 33658216
Yes, that is correct.
1

Featured Post

Announcing the Most Valuable Experts of 2016

MVEs are more concerned with the satisfaction of those they help than with the considerable points they can earn. They are the types of people you feel privileged to call colleagues. Join us in honoring this amazing group of Experts.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

The related questions "How do I recover the passwords for my Q-See DVR" and "How can I reset my Q-See DVR to eliminate a password" are seen several times a week.  Here we discuss the grim reality of the situation.
No single Antivirus application (despite claims by manufacturers) will catch or protect you from all Virus / Malware or Spyware threats. That doesn't stop you from further protecting yourself however - and this article is to show you how.
Internet Business Fax to Email Made Easy - With eFax Corporate (http://www.enterprise.efax.com), you'll receive a dedicated online fax number, which is used the same way as a typical analog fax number. You'll receive secure faxes in your email, fr…
Nobody understands Phishing better than an anti-spam company. That’s why we are providing Phishing Awareness Training to our customers. According to a report by Verizon, only 3% of targeted users report malicious emails to management. With compan…

740 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question