Authentication for DMZ servers

Hi,

Could you please explain to me the most secure way of authentication for DMZ servers?

I have an application server hosted in the DMZ and need to authenticate domain users for the web site installed on that server.

No internet users will be allowed - only domain users will have access.
The server does not need to talk to any backend server (resources and IIS will be on the same server).
No ADFS or LDAP is allowed.
Access for domain users must only be allowed to this box in the DMZ, not to any other servers in the DMZ.

I was thinking of adding one more NIC to the server (in this case only this network card will have a root connection to the domain, as it will be on the domain segment)?
kuzum Asked:
sammySeltzer Commented:
I am not sure how this is possible unless you open up a firewall.
0
kuzum Author Commented:
Surely there will be some ports open... the question is what ports are we referring to with the suggested method?
0
Harper McDonald Commented:
What we do is make a DHCP reservation for our PCs and add firewall rules to allow traffic through the DMZ for our reserved IPs, since the IPs are static.
0
sammySeltzer Commented:
Your network admin will have to answer that, I am afraid.

Another option is to open the port db, then turn off the firewall.

Then, you use SQL Server configuration manager to enable TCP/IP address.

This way, you can create domain group on the db and authenticate users from there.

That's another way we handle apps on a DMZ server, but with the DB inside the firewall.
0
kuzum Author Commented:
Thanks for the input, guys.

@Harper McDonald: I don't think static IPs are a good idea, as the site may be used from iPads, tablets and laptops. The site is not only for laptops or PCs.

@sammySeltzer: There is no backend SQL needed. Resources and IIS will be on the same server. My only concern is the best way of authenticating users to a server in the DMZ. The site will not be accessible from outside.

There must be a way of authenticating users with another method. VPN? An additional NIC on the server?
0
Md. Mojahid Commented:
SQL Server authentication is a good way to do this.
0
kuzum Author Commented:
Can you please be more specific about SQL? Why do I need SQL?
0
sammySeltzer Commented:
But you said no SQL backend is needed.

If you are just looking for a way to get users to access a server in the DMZ, then a firewall is the way to go, and then perhaps remote desktop.

You use a VPN to access your network inside your firewall from outside.
0
kuzum Author Commented:
Yes, I don't need SQL; this is why I wondered why I was advised to use SQL.

I don't need access to the site from outside. So do you mean a VPN from the internal domain to the DMZ?

If that is the case, I assume the VPN can already be configured to authenticate users in the domain?
0
sammySeltzer Commented:
We have several servers in DMZ and we access those servers from work using remote desktop connection.

This means that the firewall, secure and dedicated to those servers, is open.

Then all you would need to do is fire up remote desktop and enter:

servername\username and then password.

You can access remote desktop using the icon or command line.

That's how we do it here.
0
kuzum Author Commented:
Thanks sammySeltzer, but this is just the normal DMZ solution that we also have in place.

In our DMZ environment we don't allow RDP to every server, and also in my current task RDP is not a solution, as I will be allowing only HTTP site access to an IIS server (resources are also on this server) without opening LDAP or ADFS. The question is what other options I have to allow authentication, with the firewall of course being in the game. I thought a VPN would have been a good idea; so would VPN users be authenticated as normal users in the domain?
0
compdigit44 Commented:
Have you looked into using ADFS?
0
kuzum Author Commented:
ADFS is not an option for us.
0
kuzum Author Commented:
I've requested that this question be deleted for the following reason:

did not have the accurate answer, question resolved by myself
0

kuzum Author Commented:
did not have the accurate answer
0