• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 1733
  • Last Modified:

How to use LDAP authentication on a FTP server (DMZ) - setup and lay out question?


Hi,

I was wondering if someone could give some advise about the following.

We currently have an FTP server which does not belong to our network and is being access with local accounts.

Because business needs the FTP server has to be accessed now via the AD. In order to do that we wanted to place it on the DMZ behind our firewall and use an FTP product that will allow us to secure it (SFTP) and that is AD aware.

We are trying to understand how do we need to perform the lay out so that the AD is not exposed to internet and the users can authenticate from the internet to the FTP with their AD accounts.

I was wondering if someone could give some advise about different ways to set this up securely with a secure FTP product.

Does anyone has performed something similiar to this setup and could provide some advise?

Any suggestions about products that we could use in order to perform the setup will be also welcome (either Windows FTP or 3rd party apps)

Thank you
0
llarava
Asked:
llarava
  • 3
  • 2
1 Solution
 
chapmanjwCommented:
Cerberus FTP server supports LDAP authentication: http://www.cerberusftp.com/help/ldap_authentication.html
0
 
llaravaAuthor Commented:
Thank you. I was already looking at this product since WS_FTP (LDAP aware version) is far away from out budget.

Do you have any suggestion on how should be go with the lay out of FTP server (DMZ, firewall, ports to be opened) and the security that we need to configured in order to allow the authentication to happen with the DCs?
0
 
chapmanjwCommented:
FTP uses two ports during transmission.  Port 21 is the normal connection port and then a random port in a range configured by the FTP server is used.  For instance, you could use range 5000 - 6000 for your data ports.  Traditionally, connected users use port 21 and a unique port in the range specified.  So user 1 would have 21 and 5001 and user 2 would have 21 and 5002.

From the public side, only port 21 and your data port range needs to be open in the firewall.  Internally, the FTP server needs to have access to the LDAP server via port 389 (unless you have customized this).

Here is another FTP server software that might work better.  The edition that allows LDAP and Active Directory authentication is less than $200: http://www.xlightftpd.com/tutorial/ldap_eDirectory.html   http://www.xlightftpd.com/purchase.htm
0
Get Certified for a Job in Cybersecurity

Want an exciting career in an emerging field? Earn your MS in Cybersecurity and get certified in ethical hacking or computer forensic investigation. WGU’s MSCSIA degree program was designed to meet the most recent U.S. Department of Homeland Security (DHS) and NSA guidelines.  

 
scameron447Commented:
The GC is where servers will look to authenticate users.  You will need this to authenticate properly, and make sure you don't have this on a server with the Infrastructure Master Role.  If you do, that copy of AD will not replicate.
 
0
 
llaravaAuthor Commented:
chapmanjw,

FTP is not be an option since it will no be secure enough. I am planning to go with an SFTP (SSH FTP) the default port is 22.  There are no data ports with SFTP which is one of the reasons it is more firewall friendly than FTP.  Command and data information is all sent over the same connection.

From the public side, only port 22 needs to be open in the firewall no data ports will be needed and the users will be able to access and get the data over this port.  Internally, the SFTP server needs to have access to the DC servers via port 389.

Does that make sense?


0
 
chapmanjwCommented:
Yes, that is correct.
1

Featured Post

The IT Degree for Career Advancement

Earn your B.S. in Network Operations and Security and become a network and IT security expert. This WGU degree program curriculum was designed with tech-savvy, self-motivated students in mind – allowing you to use your technical expertise, to address real-world business problems.

  • 3
  • 2
Tackle projects and never again get stuck behind a technical roadblock.
Join Now