Solved

How to use LDAP authentication on a FTP server (DMZ) - setup and lay out question?

Posted on 2010-08-28
6
1,473 Views
Last Modified: 2013-12-09

Hi,

I was wondering if someone could give some advise about the following.

We currently have an FTP server which does not belong to our network and is being access with local accounts.

Because business needs the FTP server has to be accessed now via the AD. In order to do that we wanted to place it on the DMZ behind our firewall and use an FTP product that will allow us to secure it (SFTP) and that is AD aware.

We are trying to understand how do we need to perform the lay out so that the AD is not exposed to internet and the users can authenticate from the internet to the FTP with their AD accounts.

I was wondering if someone could give some advise about different ways to set this up securely with a secure FTP product.

Does anyone has performed something similiar to this setup and could provide some advise?

Any suggestions about products that we could use in order to perform the setup will be also welcome (either Windows FTP or 3rd party apps)

Thank you
0
Comment
Question by:llarava
  • 3
  • 2
6 Comments
 
LVL 21

Expert Comment

by:chapmanjw
ID: 33551502
Cerberus FTP server supports LDAP authentication: http://www.cerberusftp.com/help/ldap_authentication.html
0
 

Author Comment

by:llarava
ID: 33553580
Thank you. I was already looking at this product since WS_FTP (LDAP aware version) is far away from out budget.

Do you have any suggestion on how should be go with the lay out of FTP server (DMZ, firewall, ports to be opened) and the security that we need to configured in order to allow the authentication to happen with the DCs?
0
 
LVL 21

Expert Comment

by:chapmanjw
ID: 33553854
FTP uses two ports during transmission.  Port 21 is the normal connection port and then a random port in a range configured by the FTP server is used.  For instance, you could use range 5000 - 6000 for your data ports.  Traditionally, connected users use port 21 and a unique port in the range specified.  So user 1 would have 21 and 5001 and user 2 would have 21 and 5002.

From the public side, only port 21 and your data port range needs to be open in the firewall.  Internally, the FTP server needs to have access to the LDAP server via port 389 (unless you have customized this).

Here is another FTP server software that might work better.  The edition that allows LDAP and Active Directory authentication is less than $200: http://www.xlightftpd.com/tutorial/ldap_eDirectory.html   http://www.xlightftpd.com/purchase.htm
0
PRTG Network Monitor: Intuitive Network Monitoring

Network Monitoring is essential to ensure that computer systems and network devices are running. Use PRTG to monitor LANs, servers, websites, applications and devices, bandwidth, virtual environments, remote systems, IoT, and many more. PRTG is easy to set up & use.

 
LVL 1

Expert Comment

by:scameron447
ID: 33554975
The GC is where servers will look to authenticate users.  You will need this to authenticate properly, and make sure you don't have this on a server with the Infrastructure Master Role.  If you do, that copy of AD will not replicate.
 
0
 

Author Comment

by:llarava
ID: 33657072
chapmanjw,

FTP is not be an option since it will no be secure enough. I am planning to go with an SFTP (SSH FTP) the default port is 22.  There are no data ports with SFTP which is one of the reasons it is more firewall friendly than FTP.  Command and data information is all sent over the same connection.

From the public side, only port 22 needs to be open in the firewall no data ports will be needed and the users will be able to access and get the data over this port.  Internally, the SFTP server needs to have access to the DC servers via port 389.

Does that make sense?


0
 
LVL 21

Accepted Solution

by:
chapmanjw earned 500 total points
ID: 33658216
Yes, that is correct.
1

Featured Post

VMware Disaster Recovery and Data Protection

In this expert guide, you’ll learn about the components of a Modern Data Center. You will use cases for the value-added capabilities of Veeam®, including combining backup and replication for VMware disaster recovery and using replication for data center migration.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Title # Comments Views Activity
opensource email gateway 9 65
Creating a Vendor Admin user 23 50
Impact of disabling SMB v1 on Mac and Linux clients 4 333
Lightweight Networking 9 33
Ensuring effective and secure communication in the age of healthcare BYOD.
One of the biggest threats facing all high-value targets are APT's.  These threats include sophisticated tactics that "often starts with mapping human organization and collecting intelligence on employees, who are nowadays a weaker link than network…
Internet Business Fax to Email Made Easy - With eFax Corporate (http://www.enterprise.efax.com), you'll receive a dedicated online fax number, which is used the same way as a typical analog fax number. You'll receive secure faxes in your email, fr…
The Email Laundry PDF encryption service allows companies to send confidential encrypted  emails to anybody. The PDF document can also contain attachments that are embedded in the encrypted PDF. The password is randomly generated by The Email Laundr…

785 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question