authentication for DMZ servers

Hi,

Could you please explain to me the most secure way of authentication for DMZ servers?

I have an application server hosted in the DMZ and need to authenticate domain users for the web site installed on that server.

No internet users will be allowed - only domain users will have access
The server does not need to talk to any backend server (resources and IIS will be on the same server)
No ADFS or LDAP is allowed
Access for domain users must only be allowed to this box in the DMZ, not any other servers in the DMZ

I was thinking of adding one more NIC to the server (in this case only this network card will have root connection to the domain, as it will be on the domain segment)?
kuzum Asked:
 
kuzum (Author) Commented:
I've requested that this question be deleted for the following reason:

did not have the accurate answer, question resolved by myself
 
sammySeltzer Commented:
I am not sure how this is possible unless you open up a firewall.
 
kuzum (Author) Commented:
Surely there will be some ports on... The question is what ports are we referring to with the suggested method?
 
Harper McDonald Commented:
What we do is make a DHCP reservation for our PCs and add firewall rules to allow traffic through the DMZ per our reserved IPs since the IPs are static.
 
sammySeltzer Commented:
Your network admin will have to answer that, I am afraid.

Another option is to open the port db, then turn off the firewall.

Then, you use SQL Server configuration manager to enable TCP/IP address.

This way, you can create domain group on the db and authenticate users from there.

That's another way we handle apps on DMZ server but with the DB inside the firewall.
 
kuzum (Author) Commented:
Thanks for the input, guys.

@Harper McDonald - I don't think static IPs are a good idea as it may be used for iPads, tablets and laptops. The site is not only for laptops or PCs.

@SammySeltzer - There is no backend SQL needed. Resources and IIS will be on the same server. My only concern is the best way of authenticating users to a server in the DMZ. The site will not be accessible from outside.

There must be a way of authenticating users with another method. VPN? Additional NIC on the server?
 
Md. Mojahid Commented:
SQL Server authentication is a good way to do this.
 
kuzum (Author) Commented:
Can you please be more specific about SQL? Why do I need SQL?
 
sammySeltzer Commented:
But you said no SQL backend is needed.

If you are just looking for a way to get users to access a server in the DMZ, then a firewall is the way to go and then, perhaps, remote desktop.

You use VPN to access your network inside your firewall from outside.
 
kuzum (Author) Commented:
Yes, I don't need SQL; this is why I wondered why it was suggested that I use SQL.

I don't need access to the site from outside. So do you mean VPN from the internal domain to the DMZ?

If that is the case, I assume VPN can already be configured to authenticate users in the domain?
 
sammySeltzer Commented:
We have several servers in DMZ and we access those servers from work using remote desktop connection.

This means that firewall, secure and dedicated to those servers are open.

Then all you would need to do is fire up remote desktop and enter:

servername\username and then password.

You can access remote desktop using the icon or command line.

That's how we do it here.
 
kuzum (Author) Commented:
Thanks SammySeltzer, but this is just the normal DMZ solution that we also have in place.

In our DMZ environment we don't allow RDP to every server, and also in my current task RDP is not a solution as I will be allowing only HTTP site access to an IIS server (resources are also on this server) without opening LDAP or ADFS. The question is what other option I have to allow authentication, with the firewall of course being in the game. VPN, I thought, would have been a good idea, so would VPN users be authenticated as normal users in the domain?
 
compdigit44 Commented:
Have you looked into using ADFS???
 
kuzum (Author) Commented:
ADFS is not an option for us..
 
kuzum (Author) Commented:
did not have the accurate answer