ftenkley
asked on
Windows LDAP server for DMZ and external server - how to do this securely?
We have several sites in our DMZ and an external host that I would like to authenticate to our AD. I'm considering using a read-only domain controller for this. My question is:
Would the following scenario be a safe and sound setup, or is it better to do this otherwise? By using, for example, Active Directory Federation Services?
My current idea is to publish a RO-DC, located in the LAN, to both the DMZ and the external host with TMG. Of course, encryption would be used for communication between all systems.
Yes, you can do it as long as it is secure. For example, see http://www.techrepublic.com/article/solutionbase-deploying-domain-controllers-in-a-dmz/5238083 and http://technet.microsoft.com/en-us/library/bb727063.aspx
ASKER
Thanks for the reply, araberuni. However, these articles describe how you can create and connect a DC in the DMZ itself, while my idea only lets clients connect to a DC in the LAN (thus you'll only have to open 389 TCP and UDP).
If I would place a DC in the DMZ I would need to open the following ports:
Kerberos—TCP 88, UDP 88
DNS—TCP 53, UDP 53
LDAP—TCP 389, UDP 389
LDAP over SSL—TCP 636
SMB over IP—TCP 445, UDP 445
This seems less secure to me? In this case, the DMZ almost becomes a part of the LAN (imho).
thanks.
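As an added example (not from the thread or from any of the linked Microsoft articles), here is a PowerShell check that a DMZ admin could run from a DMZ host to confirm that the firewall really exposes only the ports the design intends on the LAN domain controller. It takes the five services from the port list above, probes each TCP port with Test-NetConnection (Windows 8 / Server 2012 and later), and flags anything reachable that is not on the allowlist, or anything on the allowlist that is not reachable. The host name `rodc01.corp.example` and the allowlist of 389/636 are assumptions standing in for your own RODC and design.

```powershell
# Added example, not from the thread: verify from a DMZ host which of the
# DC ports listed above are reachable on the LAN domain controller, and
# flag any that fall outside the intended allowlist.
# $DcHost and $AllowedTcpPorts are assumptions; adjust them to your design.
param(
    [string]$DcHost = 'rodc01.corp.example',   # hypothetical LAN RODC name
    [int[]]$AllowedTcpPorts = @(389, 636)      # LDAP / LDAPS only, per the LAN-RODC design
)

# TCP ports from the thread's list. The UDP variants (53/88/389/445) cannot be
# probed with Test-NetConnection, so they are not tested here.
$DcPorts = @(
    @{ Name = 'Kerberos';      Port = 88  },
    @{ Name = 'DNS';           Port = 53  },
    @{ Name = 'LDAP';          Port = 389 },
    @{ Name = 'LDAP over SSL'; Port = 636 },
    @{ Name = 'SMB over IP';   Port = 445 }
)

$results = foreach ($p in $DcPorts) {
    # -WarningAction SilentlyContinue hides the "TCP connect failed" warning for closed ports
    $t = Test-NetConnection -ComputerName $DcHost -Port $p.Port -WarningAction SilentlyContinue
    [pscustomobject]@{
        Service   = $p.Name
        Port      = $p.Port
        Reachable = $t.TcpTestSucceeded
        Expected  = ($AllowedTcpPorts -contains $p.Port)
    }
}

$results | Format-Table -AutoSize

# Reachable but not expected: the firewall exposes more of the DC to the DMZ
# than the design intends. Expected but unreachable: the publishing rule for
# LDAP/LDAPS is broken.
$unexpected = $results | Where-Object { $_.Reachable -and -not $_.Expected }
$missing    = $results | Where-Object { $_.Expected -and -not $_.Reachable }

if ($unexpected) { Write-Warning ("Unexpectedly reachable TCP ports: " + ($unexpected.Port -join ', ')) }
if ($missing)    { Write-Warning ("Expected but unreachable TCP ports: " + ($missing.Port -join ', ')) }
if (-not $unexpected -and -not $missing) { Write-Host "Exposure matches the intended allowlist." }
```

Two caveats for the LAN-RODC design this check supports: a simple LDAP bind over plain TCP 389 sends the password in clear, so if the DMZ applications are to authenticate with credentials, expose TCP 636 (LDAPS) or require StartTLS on 389 rather than plain LDAP; and because the script only exercises TCP, review the UDP rules (and the TMG publishing rule itself) separately.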
I reckon this TechNet article will provide you with more information and a detailed configuration of an RODC in the DMZ: http://technet.microsoft.com/en-us/library/dd728028(WS.10).aspx
ASKER
I'm surprised that you're actually placing RODCs in the DMZ, because a compromised computer there could use the open ports to the LAN DC, but it seems that this construction is not uncommon.
I still think that the LAN-based RO-DC is a safer alternative, but I'll do some more research. Thanks.
ASKER
I'd like to have a link to a MS document about DC-RO placement considerations as well.
I used this document to decide on an RODC in the DMZ vs. a forest trust. I needed DC capability for machines in the DMZ, which isn't your need, so you have different options. I would say that a compromised RODC in a DMZ is less of an issue than a compromised RODC in your LAN. What is in your DMZ would determine whether or not an RODC in the DMZ is likely to be compromised to begin with.
http://blogs.msdn.com/b/rds/archive/2009/07/31/rd-gateway-deployment-in-a-perimeter-network-firewall-rules.aspx