Solved

ASP pgm moved to new server no longer works - ???

Posted on 2011-10-12
Last Modified: 2012-05-12
We recently needed a set of pgms moved to a web server that resides outside of our Corporate firewall.  We needed to make it accessible to both employees AND the general public.
For employees - the pgm uses ASP code to prompt for a valid Login ID/Password combination, which it had been validating against Active Directory.
Now that the pgm is outside the firewall, that validation is not working.
What must we do in order to get this to work?
Hope I'm making sense.
Question by:OGSan
10 Comments
 
LVL 60

Expert Comment

by:Kevin Cross
ID: 36963990
One fix is to dual home the Active Directory domain controller; however, that presents its new set of challenges not to mention security risks of exposing the entire system to the Internet. You can look at the reverse making sure that routing cannot happen between the interfaces by dual homing (i.e., adding a second NIC) to the Web server.

The most secure though is to create a specific rule to allow the Web server to communicate to AD via a connection to the internal network. http://msmvps.com/blogs/rexiology/archive/2006/04/05/89389.aspx

I believe you want UDP port 88 as IIS uses Kerberos for the Windows Logon authentication if I am not mistaken. I am trying to find the definitive answer as mine works, but I have always had a need for some of the other ports also. My rule for example has Kerberos, NetBios, LDAP, AD Login (1025), and MS-RPC currently allowed.
0
 
LVL 60

Expert Comment

by:Kevin Cross
ID: 36964030
And quite honestly, you may be better served to have your Web server internally and NAT out to the Internet. You can frontend it with Microsoft's ISA or newer product.
0
 
LVL 1

Author Comment

by:OGSan
ID: 36964988
Thank you, mwvisa1, for providing me with two solid options.  I do not have access to this server, so I'm not really sure whether it is already NAT'ing outside.  Let me find out more info so I can add it to this question to focus the responses better.  I'll return.
0
 
LVL 60

Expert Comment

by:Kevin Cross
ID: 36965148
No worries. Let me know how it goes.
0
 
LVL 1

Author Comment

by:OGSan
ID: 36965242
Here is the reply I just received from one of our network admins familiar with this server:
Hss024 is in the DMZ, so it cannot talk to the domain controllers. The best you can do is ask IT Security if they will approve an LDAP query from the DMZ server to AD. AD support requires too many open ports.
0
 
LVL 1

Author Comment

by:OGSan
ID: 36965301
When he says, "an LDAP query from the DMZ server to AD" - what's he mean?
0
 
LVL 1

Author Comment

by:OGSan
ID: 36965617
Just found this question - I think this will help me.
0
 
LVL 60

Accepted Solution

by:
Kevin Cross earned 2000 total points
ID: 36965886
Port 389 or 636 (I believe that is the Secure LDAP port). Like I said, I would ask to test it as you may be able to get away with just the Kerberos or MS-RPC port since IIS is doing the call and not application code. I have a feeling it is one of those Windows communication ports and not a true LDAP call.
0
 
LVL 60

Expert Comment

by:Kevin Cross
ID: 36965894
If you have the option to remove the IIS security (at least I made that assumption that you were referring to IIS Windows Authentication/Digest option) and use a form-based authentication, then you can have ASP make an LDAP call if your network department is willing to open that port only. It would be TCP 389 or 636 as said earlier and not any of the others.
0
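The approach described in the accepted solution and the comment above (drop IIS Windows Authentication, use a form-based login, and have ASP validate the credentials over LDAPS on TCP 636 only) looks roughly like the following classic ASP page. This is an added illustration, not code posted in the thread; the domain controller name, base DN and UPN suffix are placeholders for your own environment. It binds as the user being checked rather than with a service account, so a successful bind is the validation and no AD password has to be stored on the DMZ server.

```vbscript
<%
' Added example (not from the thread): forms-based login in classic ASP that
' validates the submitted credentials with a simple bind to AD over LDAPS
' (TCP 636), the one port the thread says the firewall team may open from the DMZ.
' Host name, base DN and UPN suffix below are placeholders for your environment.
Option Explicit

Const LDAPS_SERVER = "dc01.corp.example"          ' placeholder domain controller
Const LDAPS_PORT   = 636
Const BASE_DN      = "DC=corp,DC=example"         ' placeholder forest root
Const UPN_SUFFIX   = "@corp.example"              ' placeholder UPN suffix

' ADSI authentication flags (ADS_AUTHENTICATION_ENUM)
Const ADS_USE_SSL     = 2      ' simple bind wrapped in TLS; needs only TCP 636
Const ADS_SERVER_BIND = 512    ' path names a specific server, skip serverless lookup
' Deliberately NOT using ADS_SECURE_AUTHENTICATION (1): that negotiates
' Kerberos/NTLM and needs the ports the DMZ does not have open.

' Returns True only if AD accepts the credentials. Bind as the user itself,
' so no service-account password has to live on the DMZ box.
Function ValidateUser(username, password)
    Dim dso, root, path
    ValidateUser = False
    ' Refuse empty or oversized input and anything outside a plain account name;
    ' an empty password would otherwise become an unauthenticated (anonymous)
    ' bind, which the directory may answer with success.
    If Len(password) = 0 Or Len(username) = 0 Or Len(username) > 64 Then Exit Function
    If Not IsPlainAccountName(username) Then Exit Function

    path = "LDAP://" & LDAPS_SERVER & ":" & LDAPS_PORT & "/" & BASE_DN
    On Error Resume Next
    Set dso = GetObject("LDAP:")
    ' IADsOpenDSObject.OpenDSObject raises an error when the bind is rejected
    Set root = dso.OpenDSObject(path, username & UPN_SUFFIX, password, _
                                ADS_USE_SSL Or ADS_SERVER_BIND)
    If Err.Number = 0 Then
        ValidateUser = True   ' bind succeeded: credentials are valid
    End If
    On Error GoTo 0
    Set root = Nothing
    Set dso = Nothing
End Function

' Allow letters, digits, dot, hyphen and underscore only
Function IsPlainAccountName(s)
    Dim re
    Set re = New RegExp
    re.Pattern = "^[A-Za-z0-9._-]+$"
    IsPlainAccountName = re.Test(s)
End Function

' Form handling: on POST, check the credentials and start a session
If Request.ServerVariables("REQUEST_METHOD") = "POST" Then
    If ValidateUser(Request.Form("user"), Request.Form("pass")) Then
        Session("authUser") = Request.Form("user")
        Response.Redirect "default.asp"
    Else
        ' Same message for unknown user and wrong password
        Response.Write "<p>Login failed.</p>"
    End If
End If
%>
<form method="post" action="login.asp">
  <label>Login ID <input type="text" name="user"></label>
  <label>Password <input type="password" name="pass"></label>
  <input type="submit" value="Sign in">
</form>
```

Two things the firewall rule alone does not cover: the web server must trust the certificate the domain controller presents on 636, or the bind fails before any credentials are sent; and because the password now travels in the form POST instead of inside IIS's Windows Authentication exchange, the login page itself has to be served over HTTPS.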
 
LVL 1

Author Comment

by:OGSan
ID: 36966022
Thanks for the insight, mwvisa1.  I'll include this info in my request to our Security team.
0
