I've been tasked with bringing our company onto a single sign-on platform. In doing this, though, I've come across some security issues with our web server.
I have a web server running SharePoint and an FTP service. I need to authenticate users against our internal domain (corporate.ourdomain.com) on our external domain (ourdomain.com).
We have a Cisco router on site at our colocation which connects the public IP of our web server to two domain controllers internally over an IPsec VPN. The external domain trusts our internal domain but not the reverse, as was suggested elsewhere online, rather than having a DC on our public segment.
This works for us right now, but I have two concerns: is this the best method, and what ports do I need to limit the VPN to in order to best protect our two internal servers?
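As an added illustration of the port restriction the question asks about (example configuration, not from the original post or the poster's router), this is a Cisco IOS extended ACL that allows only the traffic a one-way AD trust and domain logons need from the web server to the two internal DCs; the addresses, interface name and ACL name are placeholders, and the dynamic RPC range assumes Windows Server 2008 or later on the DCs.

```cisco
! Placeholder addresses: WEB = 203.0.113.10, DC1 = 10.0.0.10, DC2 = 10.0.0.11
ip access-list extended VPN-TO-DCS
 remark DNS: resolve the internal domain's SRV and host records
 permit udp host 203.0.113.10 10.0.0.10 0.0.0.1 eq 53
 permit tcp host 203.0.113.10 10.0.0.10 0.0.0.1 eq 53
 remark Kerberos authentication and password change
 permit udp host 203.0.113.10 10.0.0.10 0.0.0.1 eq 88
 permit tcp host 203.0.113.10 10.0.0.10 0.0.0.1 eq 88
 permit udp host 203.0.113.10 10.0.0.10 0.0.0.1 eq 464
 permit tcp host 203.0.113.10 10.0.0.10 0.0.0.1 eq 464
 remark LDAP / LDAPS and Global Catalog lookups
 permit udp host 203.0.113.10 10.0.0.10 0.0.0.1 eq 389
 permit tcp host 203.0.113.10 10.0.0.10 0.0.0.1 eq 389
 permit tcp host 203.0.113.10 10.0.0.10 0.0.0.1 eq 636
 permit tcp host 203.0.113.10 10.0.0.10 0.0.0.1 eq 3268
 permit tcp host 203.0.113.10 10.0.0.10 0.0.0.1 eq 3269
 remark SMB (Netlogon / trust secure channel)
 permit tcp host 203.0.113.10 10.0.0.10 0.0.0.1 eq 445
 remark RPC endpoint mapper plus the dynamic RPC range (Server 2008+)
 permit tcp host 203.0.113.10 10.0.0.10 0.0.0.1 eq 135
 permit tcp host 203.0.113.10 10.0.0.10 0.0.0.1 range 49152 65535
 remark Time sync; Kerberos fails if clocks drift more than 5 minutes
 permit udp host 203.0.113.10 10.0.0.10 0.0.0.1 eq 123
 remark Everything else from the public segment toward the DCs is dropped and logged
 deny ip any 10.0.0.0 0.0.0.255 log
!
interface GigabitEthernet0/1
 description LAN segment holding the web server
 ip access-group VPN-TO-DCS in
```

The 10.0.0.10 0.0.0.1 wildcard matches both DCs in one line; because IOS ACLs are stateless, the reply direction (DCs back to the web server) needs its own ACL or a stateful inspection feature, and the hits on the logged deny line are worth watching as an early indicator of anything on the public segment probing the tunnel.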