Adding DMZ Servers to internal domain

Posted on 2011-02-17
Medium Priority
Last Modified: 2013-12-23

Quirky question - currently we have our internal domain, a DMZ in its own workgroup, and a
router/firewall connecting the two.  We have ACLs limiting the connectivity between the two,
and I was wondering if that because of those ACLs, if I'd be OK to add our servers in our DMZ
to our internal domain.  I.E., we'd open up traffic on port 389 (LDAP) and port 53 (DNS) and leave
the rest blocked.  Would that cause an absurd lack of security?

Question by:mhentrich
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 3
  • 2

Accepted Solution

Fridolin Mansmann earned 500 total points
ID: 34920475
No, to get it work properly you need some more:
See here:

Check the tables and decide what services / ports you need.
Then define these on the firewall with the correct source and target IPs
e.g. port 88, 636,3268,3269 (for replication)


My experience is that also port 135, 137,138,139 are necessary because clients try to open authentication sessions etc. via NetBIOS also (first)
Be sure that also DNS (port 53) is working!

Expert Comment

by:Fridolin Mansmann
ID: 34920546
It is not a security hole from my perspective if you have clear rules (source-IP, port  => target IP,port)
I would propose to do some monitoring and also spot check on eventlogs, auditing logs....
If this is a *managed* environment, why not.
I assume in this case that the servers in the DMZ (that are accessable from the Internet) are hardened and also monitored?


Author Comment

ID: 34923732
Thanks mansmanf, spot on...help me figure out what you mean by hardened and monitored, though.  We have a monitoring program in place that keeps tabs on disk space, RAM usage, etc. and lets us know if a server goes down.  We also have an IPS on the aforementioned firewall.  What else would you consider neccessary?


Author Closing Comment

ID: 34923737

Expert Comment

by:Fridolin Mansmann
ID: 34923835
A good point to start is Technet, e.g.
Be sure to document what you are doing, then you will be able to revert steps if something is not working any more

Featured Post

Free Tool: Subnet Calculator

The subnet calculator helps you design networks by taking an IP address and network mask and returning information such as network, broadcast address, and host range.

One of a set of tools we're offering as a way of saying thank you for being a part of the community.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Many of us in IT utilize a combination of roaming profiles and folder redirection to ensure user information carries over from one workstation to another; in my environment, it was to enable virtualization without needing a separate desktop for each…
I'm a big fan of Windows' offline folder caching and have used it on my laptops for over a decade.  One thing I don't like about it, however, is how difficult Microsoft has made it for the cache to be moved out of the Windows folder.  Here's how to …
Michael from AdRem Software outlines event notifications and Automatic Corrective Actions in network monitoring. Automatic Corrective Actions are scripts, which can automatically run upon discovery of a certain undesirable condition in your network.…
Michael from AdRem Software explains how to view the most utilized and worst performing nodes in your network, by accessing the Top Charts view in NetCrunch network monitor (https://www.adremsoft.com/). Top Charts is a view in which you can set seve…

764 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question