One Way Forest Trust To Web Server

I've been tasked with bringing our company onto a single sign on platform. In doing this though, I've come across some security issues with our web server.

I have a web server running Sharepoint and an FTP service. I need to authenticate users against our internal domain (corporate.ourdomain.com) on our external domain (ourdomain.com).

We have a Cisco router on site at our colocation which connects the public IP of our web server to two domain controllers internally over IPSec VPN. The external domain trusts our internal domain but not the reverse, as was suggested elsewhere online, rather than having a DC on our public segment.

This works for us right now, but I have two concerns. Is this the best method, and what ports do I need to limit the VPN to in order to best protect our two internal servers?

Both servers run MS Server Standard 2008 R2.

1 Solution

Adam Brown (Sr Solutions Architect) commented:
You should be able to work it that way, but you're going to have a lot of open ports in both directions with that setup. One thing you could do is deploy a Read Only DC in your public network for communication with the internal domain. If you do that you don't have to have any ports open going into your network, just ports going from the internal network to public for AD replication to the RODC. It's a little more secure than having a full trust going, since you do have to open some ports for the trust to communicate. For the trust to communicate, you have to have ports 389 (LDAP, if you use LDAPS you can use 663 instead), 445 for SMB, 88 for Kerberos, and 135 for netlogon. That has to be open both ways, regardless of the trust configuration.

Another solution that *may* be applicable is AD Federation Services. It won't solve the problem with FTP, but you can configure Sharepoint to use claims-based authentication and it can talk with an ADFS server for authentication of users. This doesn't require an AD-level trust to be in place and allows you to have SSO with just port 443 open between locations. ADFS is surprisingly complex, and I can't really give a full explanation of it here, but dig around on TechNet for ADFS 2.0 and you should get some good info.
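To check whether the VPN ACL on the colocation router is actually limited to the trust ports the answer lists, here is an added audit script (not code from the question or the answer). It parses Cisco-style extended ACL entries and flags any permit that is broader than the allowlist; the addresses, the sample ACL and the allowlist are constructed for the example, and the allowlist uses 636 for LDAPS, since the answer's 663 is not the standard LDAPS port.

```python
# Ports the accepted answer names as required for the trust (constructed
# allowlist): TCP 88 Kerberos, 135 RPC endpoint mapper, 389 LDAP, 445 SMB,
# 636 LDAPS (the answer says 663; 636 is the standard LDAPS port).
TRUST_PORTS = {"tcp": {88, 135, 389, 445, 636}, "udp": {88, 389}}

def _skip_addr(t, i):
    """Step past one address spec: 'host X', 'any', or 'X WILDCARD'."""
    return i + 1 if t[i] == "any" else i + 2

def parse_ace(line):
    """Parse one extended-ACL entry; None for blank lines and remarks."""
    t = line.split()
    if not t or t[0] in ("!", "remark"):
        return None
    action, proto = t[0].lower(), t[1].lower()
    i = _skip_addr(t, 2)                       # source address
    if i < len(t) and t[i] in ("eq", "gt", "lt", "neq"):
        i += 2                                 # source port, not audited
    i = _skip_addr(t, i)                       # destination address
    dport = None
    if i + 1 < len(t) and t[i] == "eq":        # named ports stay as strings
        dport = int(t[i + 1]) if t[i + 1].isdigit() else t[i + 1]
    return {"action": action, "proto": proto, "dport": dport, "raw": line.strip()}

def audit_acl(acl_text):
    """Return the permit entries that are broader than the trust allowlist."""
    findings = []
    for line in acl_text.splitlines():
        ace = parse_ace(line)
        if ace is None or ace["action"] != "permit":
            continue
        allowed = TRUST_PORTS.get(ace["proto"])
        if allowed is None:                    # 'ip', 'icmp', ...: no port limit
            findings.append(f"broad protocol '{ace['proto']}': {ace['raw']}")
        elif ace["dport"] is None:
            findings.append(f"no destination port: {ace['raw']}")
        elif ace["dport"] not in allowed:
            findings.append(f"port {ace['dport']} not in trust allowlist: {ace['raw']}")
    return findings

# Constructed sample: web server 203.0.113.10 to DC 10.0.0.5 across the VPN.
SAMPLE_ACL = """\
remark constructed example, not the asker's real configuration
permit tcp host 203.0.113.10 host 10.0.0.5 eq 88
permit tcp host 203.0.113.10 host 10.0.0.5 eq 389
permit tcp host 203.0.113.10 host 10.0.0.5 eq 135
permit tcp host 203.0.113.10 host 10.0.0.5 eq 3389
permit ip host 203.0.113.10 10.0.0.0 0.0.0.255
deny ip any any
"""
```

Running `audit_acl(SAMPLE_ACL)` reports the stray 3389 rule and the broad `permit ip` entry. Note that after the endpoint mapper on 135, Windows RPC also needs a dynamic high-port range, which the answer's list does not include, so expect to see and justify such a rule in a real ACL.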
