Adding DMZ Servers to internal domain

Posted on 2011-02-17
Last Modified: 2013-12-23

Quirky question - currently we have our internal domain, a DMZ in its own workgroup, and a
router/firewall connecting the two.  We have ACLs limiting the connectivity between the two,
and I was wondering if that because of those ACLs, if I'd be OK to add our servers in our DMZ
to our internal domain.  I.E., we'd open up traffic on port 389 (LDAP) and port 53 (DNS) and leave
the rest blocked.  Would that cause an absurd lack of security?

Question by:mhentrich
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 3
  • 2

Accepted Solution

mansmanf earned 125 total points
ID: 34920475
No, to get it work properly you need some more:
See here:

Check the tables and decide what services / ports you need.
Then define these on the firewall with the correct source and target IPs
e.g. port 88, 636,3268,3269 (for replication)

My experience is that also port 135, 137,138,139 are necessary because clients try to open authentication sessions etc. via NetBIOS also (first)
Be sure that also DNS (port 53) is working!

Expert Comment

ID: 34920546
It is not a security hole from my perspective if you have clear rules (source-IP, port  => target IP,port)
I would propose to do some monitoring and also spot check on eventlogs, auditing logs....
If this is a *managed* environment, why not.
I assume in this case that the servers in the DMZ (that are accessable from the Internet) are hardened and also monitored?


Author Comment

ID: 34923732
Thanks mansmanf, spot me figure out what you mean by hardened and monitored, though.  We have a monitoring program in place that keeps tabs on disk space, RAM usage, etc. and lets us know if a server goes down.  We also have an IPS on the aforementioned firewall.  What else would you consider neccessary?


Author Closing Comment

ID: 34923737

Expert Comment

ID: 34923835
A good point to start is Technet, e.g.
Be sure to document what you are doing, then you will be able to revert steps if something is not working any more

Featured Post

PeopleSoft Has Never Been Easier

PeopleSoft Adoption Made Smooth & Simple!

On-The-Job Training Is made Intuitive & Easy With WalkMe's On-Screen Guidance Tool.  Claim Your Free WalkMe Account Now

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Many of us in IT utilize a combination of roaming profiles and folder redirection to ensure user information carries over from one workstation to another; in my environment, it was to enable virtualization without needing a separate desktop for each…
Trying to figure out group policy inheritance and which settings apply where can be a chore.  Here's a very simple summary I've written which might help.  Keep in mind, this is just a high-level conceptual overview where I try to avoid getting bogge…
NetCrunch network monitor is a highly extensive platform for network monitoring and alert generation. In this video you'll see a live demo of NetCrunch with most notable features explained in a walk-through manner. You'll also get to know the philos…
Michael from AdRem Software explains how to view the most utilized and worst performing nodes in your network, by accessing the Top Charts view in NetCrunch network monitor ( Top Charts is a view in which you can set seve…

707 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question