One Way Forest Trust To Web Server

Posted on 2011-04-27
Last Modified: 2012-05-11
I've been tasked with bringing our company onto a single sign on platform. In doing this though, I've come across some security issues with our web server.

I have a web server running Sharepoint and an FTP service. I need to authenticate users against our internal domain ( on our external domain (

We have a Cisco router on site at our colocation which connects the public IP of our web server to two domain controllers internally over an IPSec VPN. The external domain trusts our internal domain but not the reverse, as was suggested elsewhere online, rather than having a DC on our public segment.

This works for us right now, but I have two concerns. Is this the best method, and what ports do I need to limit the VPN to in order to best protect our two internal servers?

Both servers run MS Server Standard 2008 R2.
Question by:_valkyrie_

Accepted Solution

You should be able to work it that way, but you're going to have a lot of open ports in both directions with that setup. One thing you could do is deploy a Read-Only DC in your public network for communication with the internal domain. If you do that, you don't have to have any ports open going into your network, just ports going from the internal network to public for AD replication to the RODC. It's a little more secure than having a full trust going, since you do have to open some ports for the trust to communicate. For the trust to communicate, you have to have ports 389 (LDAP; if you use LDAPS you can use 663 instead), 445 for SMB, 88 for Kerberos, and 135 for netlogon. Those have to be open both ways, regardless of the trust configuration.

Another solution that *may* be applicable is AD Federation Services. It won't solve the problem with FTP, but you can configure Sharepoint to use claims-based authentication and it can talk with an ADFS server for authentication of users. This doesn't require an AD-level trust to be in place and allows you to have SSO with just port 443 open between locations. ADFS is surprisingly complex, and I can't really give a full explanation of it here, but dig around on TechNet for ADFS 2.0 and you should get some good info.
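As an added example (not part of the thread above), the following PowerShell script, run from the web server, checks that the VPN ACL allows the trust ports the accepted answer lists toward each internal DC and that ports a tight ACL should block (RDP and WinRM, chosen here as an assumption) are not reachable. DC addresses are placeholders; LDAPS is checked on 636, its standard port; it uses TcpClient rather than Test-NetConnection so it runs on Server 2008 R2's PowerShell 2.0.

```powershell
# Added verification script, not from the original thread.
# Run on the public web server to audit what the VPN ACL lets through to the DCs.
$DomainControllers = @('10.0.0.11', '10.0.0.12')   # placeholder internal DC addresses

# TCP ports the accepted answer says a trust needs (LDAPS on its standard port 636).
$RequiredTcp = @{
    88  = 'Kerberos'
    135 = 'RPC endpoint mapper / netlogon'
    389 = 'LDAP'
    445 = 'SMB'
    636 = 'LDAPS'
}
# Assumption: management ports that should never be reachable over this VPN.
$ShouldBeBlocked = @{ 3389 = 'RDP'; 5985 = 'WinRM' }

function Test-TcpPort {
    param([string]$ComputerName, [int]$Port, [int]$TimeoutMs = 2000)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $async = $client.BeginConnect($ComputerName, $Port, $null, $null)
        # No answer within the timeout: treat as filtered/blocked.
        if (-not $async.AsyncWaitHandle.WaitOne($TimeoutMs, $false)) { return $false }
        $client.EndConnect($async)   # throws on a refused connection
        return $true
    } catch { return $false }
    finally { $client.Close() }
}

foreach ($dc in $DomainControllers) {
    foreach ($port in ($RequiredTcp.Keys | Sort-Object)) {
        $open  = Test-TcpPort -ComputerName $dc -Port $port
        $state = if ($open) { 'OK   open' } else { 'FAIL closed' }
        "{0}:{1,-5} {2,-30} {3}" -f $dc, $port, $RequiredTcp[$port], $state
    }
    foreach ($port in ($ShouldBeBlocked.Keys | Sort-Object)) {
        $open  = Test-TcpPort -ComputerName $dc -Port $port
        $state = if ($open) { 'FAIL open' } else { 'OK   blocked' }
        "{0}:{1,-5} {2,-30} {3}" -f $dc, $port, $ShouldBeBlocked[$port], $state
    }
}
```

A TCP check alone says nothing about the UDP side of Kerberos and LDAP or the dynamic RPC ports that the endpoint mapper on 135 hands out, so a clean result here is necessary but not sufficient.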
