OGSan
asked on
ASP pgm moved to new server no longer works - ???
We recently needed a set of pgms moved to a web server that resides outside of our Corporate firewall. We needed to make it accessible to both employees AND the general public.
For employees - the pgm uses ASP code to prompt for a valid Login ID/Password combination, which it had been validating against Active Directory.
Now that the pgm is outside the firewall, that validation is not working.
What must we do in order to get this to work?
Hope I'm making sense.
And quite honestly, you may be better served to have your Web server internally and NAT out to the Internet. You can frontend it with Microsoft's ISA or newer product.
ASKER
Thank you, mwvisa1, for providing me with two solid options. I do not have access to this server, so I'm not really sure whether it is already NAT'ing outside. Let me find out more info so I can add it to this question to focus the responses better. I'll return.
No worries. Let me know how it goes.
ASKER
Here is the reply I just received from one of our network admins familiar with this server:
Hss024 is in the DMZ, so it cannot talk to the domain controllers. The best you can do is ask IT Security if they will approve an LDAP query from the DMZ server to AD. AD support requires too many open ports.
ASKER
When he says, "an LDAP query from the DMZ server to AD" - what's he mean?
ASKER
Just found this question - I think this will help me.
If you have the option to remove the IIS security (at least I made that assumption that you were referring to IIS Windows Authentication/Digest option) and use a form-based authentication, then you can have ASP make an LDAP call if your network department is willing to open that port only. It would be TCP 389 or 636 as said earlier and not any of the others.
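An added example (not code from this thread or from any of its participants) of what the form-based approach above looks like in Classic ASP: the page takes the submitted ID and password and lets a domain controller decide by doing an LDAP bind over SSL on TCP 636 only, so no Kerberos, NetBIOS or RPC ports need to be opened from the DMZ. The DC name, base DN, form field names and redirect target are assumptions.

```vbscript
<%
' Added example: form-based login validated by an LDAP-over-SSL bind (TCP 636).
' Hostname, base DN, form fields and redirect target below are assumptions.
Option Explicit

Const ADS_USE_SSL     = 2     ' ADSI flag: use LDAP over SSL (port 636)
Const ADS_SERVER_BIND = 512   ' ADSI flag: path names a specific server, skip DC discovery
Const LDAP_SERVER = "dc1.corp.example.com"      ' assumed DC reachable from the DMZ on 636
Const LDAP_BASE   = "DC=corp,DC=example,DC=com" ' assumed domain naming context

' Returns True only if Active Directory accepts the ID/password pair.
' A simple bind is used deliberately: ADS_SECURE_AUTHENTICATION would try
' Kerberos/NTLM, which needs the extra ports the network admin objected to.
Function ValidateUser(userPrincipalName, password)
    Dim dso, root
    ValidateUser = False
    ' Reject empty values explicitly: an empty password can be treated by the
    ' server as an anonymous bind, which would "succeed" without checking anything.
    If Len(userPrincipalName) = 0 Or Len(password) = 0 Then Exit Function
    On Error Resume Next
    Set dso = GetObject("LDAP:")
    ' OpenDSObject performs the bind; a bad ID or password raises a VBScript error.
    Set root = dso.OpenDSObject("LDAP://" & LDAP_SERVER & ":636/" & LDAP_BASE, _
                                userPrincipalName, password, _
                                ADS_USE_SSL Or ADS_SERVER_BIND)
    If Err.Number = 0 Then ValidateUser = True
    Err.Clear
    On Error GoTo 0
    Set root = Nothing
    Set dso = Nothing
End Function

Dim loginId, loginPwd
loginId  = Request.Form("username")   ' assumed field; expects a UPN such as jdoe@corp.example.com
loginPwd = Request.Form("password")   ' assumed field

If ValidateUser(loginId, loginPwd) Then
    Session("AuthenticatedUser") = loginId
    Response.Redirect "employee.asp"  ' assumed page for the employee-only part of the app
Else
    ' One generic message for every failure so the page does not reveal
    ' whether the ID or the password was the wrong part.
    Response.Write "Login failed."
End If
%>
```

The bind only proves the password is valid; whether the account is disabled, locked out or in the right group is a separate check, and the connection string must use the DC's real host name so the SSL certificate validates.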
ASKER
Thanks for the insight, mwvisa1. I'll include this info in my request to our Security team.
The most secure though is to create a specific rule to allow the Web server to communicate to AD via a connection to the internal network. http://msmvps.com/blogs/rexiology/archive/2006/04/05/89389.aspx
I believe you want UDP port 88 as IIS uses Kerberos for the Windows Logon authentication if I am not mistaken. I am trying to find the definitive answer as mine works, but I have always had a need for some of the other ports also. My rule for example has Kerberos, NetBios, LDAP, AD Login (1025), and MS-RPC currently allowed.