We currently have a DMZ environment that was set up a long time ago, but we have been asked to make some changes to it so that it is more secure. Here is what we have:
In the LAN:
- A Windows 2003 DC and a Windows 2008 DC
- The domain is corporate.local
In the DMZ:
- A Windows 2008 DC
- The domain is dmz.local
- A Juniper firewall is configured between the LAN and DMZ
The current DMZ is not configured properly because some of the servers hosted in the DMZ are joined to the corporate.local domain. We were asked to create a new DC and domain in the DMZ (dmz.local) so that servers in the DMZ would authenticate against the DMZ DC, not the LAN DC. Creating the DMZ DC and joining servers to the DMZ domain is not a problem, but allowing users to connect to the DMZ using their corporate.local account is the problem.

Originally, we were told that users could have a dmz.local domain account and that is what they would use to connect to servers in the DMZ, but that is not practical because we have a lot of applications that are configured to use the corporate.local domain to authenticate, and changing this would be too hard. So the other option we were given was to create an SSL trust between the dmz.local domain and the corporate.local domain, which would allow users/applications to continue using their corporate.local domain credentials and still be able to access the DMZ servers. We believe this includes creating a certificate authority on both the LAN DC and the DMZ DC, which would create a secure trust between the domains. I am not very familiar with this, so I'd like to get some help/tutorials on exactly how to do this.
Please ask any questions you may have to help me with this.