Solved

Setting up a server in a DMZ, AD authentication?

Posted on 2014-03-19
549 Views
Last Modified: 2014-05-06
Hello there,

I am pondering a design question. I want to set up an FTP server in my DMZ. In the past, I would throw up a server and put FTP on it, and set up local users or users to the FTP service and let that all work like that.

One of the requirements this time around is to have Active Directory authentication.  This is where I start to wonder.

In some configurations, I would just NAT an address through the firewall, ports 20 and 21, to the actual server, and then leave it on the production network, connected as a server in AD. I know that opens up some vulnerabilities, but it does solve my authentication problem.

So, if I put it in the DMZ, what do I need to have open for that server to be active in Active Directory? Is this a good design decision?

TIA

Tom
Question by:thafemann
4 Comments
LVL 17

Expert Comment

by:Spartan_1337
ID: 39939360
Just create an ACL and only allow the ports required for AD to your DC.


http://technet.microsoft.com/en-us/library/dd772723(ws.10).aspx
LVL 11

Expert Comment

by:itguy565
ID: 39939366

Author Comment

by:thafemann
ID: 39939687
Okay, got it, it is possible.

Now riddle me this, is it worth it? Now, before you respond with what I say to my end users, "It depends", I know that. :)

This server is to be an FTP server. I am leaning toward using either Serv-U or CrushFTP. While the server does not necessarily need to be a part of Active Directory, user authentication to the FTP server must use Active Directory. There has even been talk of using RSA tokens for authentication.

Both of these FTP servers do LDAP authentication from Active Directory, which is really the driving force. I am thinking that maybe I should just leave the server in Workgroup mode, and set LDAP authentication through the firewall.

I guess I am looking for best practice with putting a server in the DMZ.
LVL 11

Accepted Solution

by: itguy565 (earned 100 total points)
ID: 39939712
"I am thinking that maybe I should just leave the server in Workgroup mode, and set LDAP authentication thru the firewall."

This would be your best option because it makes it more difficult for someone to hack the server/network and minimizes risk if the local account that is logged on doesn't have privileges to other network resources.

I would personally use Serv-U because SolarWinds has been around for a very long time and it is a company I trust.
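An added example, not written by anyone in this thread: a small Python check for the egress allow-list the accepted answer implies (FTP host left in workgroup mode in the DMZ, one LDAP flow to the DC through the firewall, nothing else). The addresses, the rule record format and the choice of LDAPS (636) over plaintext LDAP (389) are assumptions made for the example.

```python
"""Allow-list check for a DMZ FTP host that authenticates users against AD over LDAP."""
from dataclasses import dataclass

# Constructed addresses from the RFC 5737 documentation ranges, not from the thread.
DMZ_FTP_HOST = "192.0.2.10"
INTERNAL_DC = "198.51.100.5"

# Assumption: LDAPS rather than plain LDAP, so bind credentials cross the DMZ boundary encrypted.
LDAPS_PORT = 636
# Ports a domain-joined member would need (see the TechNet port list linked above);
# a workgroup-mode FTP host that only does LDAP binds should need none of them.
DOMAIN_MEMBER_PORTS = {88, 135, 137, 138, 139, 389, 445, 464, 3268, 3269}


@dataclass(frozen=True)
class Rule:
    """One firewall rule as this example models it (hypothetical format)."""
    src: str
    dst: str
    proto: str
    dport: int
    action: str = "allow"


def minimal_dmz_egress(ftp_host: str, dc: str) -> list[Rule]:
    """The egress the accepted answer implies: one LDAPS flow to the DC, then deny all."""
    return [Rule(ftp_host, dc, "tcp", LDAPS_PORT), Rule(ftp_host, "any", "any", 0, "deny")]


def check_dmz_egress(rules: list[Rule], ftp_host: str, dc: str) -> list[str]:
    """Return a finding for every allow rule from the DMZ host that exceeds LDAPS-to-DC."""
    findings = []
    for r in rules:
        if r.src != ftp_host or r.action != "allow":
            continue
        if r.dst != dc:
            findings.append(f"{r.dst}:{r.dport} lets the DMZ host reach the internal network beyond the DC")
        elif r.dport == 389:
            findings.append(f"{r.dst}:389 is plaintext LDAP; credentials leave the DMZ unencrypted, use 636")
        elif r.dport in DOMAIN_MEMBER_PORTS:
            findings.append(f"{r.dst}:{r.dport} is a domain-membership port; not needed for LDAP-only auth")
        elif r.dport != LDAPS_PORT:
            findings.append(f"{r.dst}:{r.dport} is not part of the LDAPS-only design")
    return findings


if __name__ == "__main__":
    for line in check_dmz_egress(minimal_dmz_egress(DMZ_FTP_HOST, INTERNAL_DC), DMZ_FTP_HOST, INTERNAL_DC):
        print(line)
```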