sunhux
asked on
AD, DNS, email setup of an organization in 2 countries where staff travel frequently between them
Our HQ (domain is orgname.com) often has staff travelling to our country (different domain,
say org2name.com.au), and staff from our country often go there, & we have separate AD,
DNS & MS Exchange servers. In fact we are neighbouring countries.
We have a dedicated leased line between the HQ & us, but with firewalls doing NAT in between.
Q1:
We will need to grant staff access to their mailboxes seamlessly without compromising
security. What are the trusts to permit between our HQ & us? We are regulated differently
by different financial regulators, so credit card & our customers' information can't be shared.
Q2:
We will maintain email Exchange servers and the email filtering security tool (Proofpoint) separately.
The thing is, staff who are seconded to be based here from HQ may go back once every 6 months
(for say a period of 3 weeks before returning): likely the staff seconded here will continue to
use HQ's mailbox, but their laptops will log in to our local country's AD/domain: is any trust to
be permitted here & what are the best practices? Usually staff seconded here (or vice versa)
for 1-3 years will go back to HQ once their term here expires.
Q3:
We are also implementing email encryption (Voltage) & our HQ will implement it later (maybe
6-10 months later), so this aspect needs to be considered as well. Staff based here will use the email
encryption of HQ & likewise staff from our country going there will use the email encryption here.
Q4:
The staff that travel between the countries need to access Intranet
services (such as "meeting rooms booking", eLeave, "staff directory in each country",
SharePoints & shared drives) which currently they are unable to.
But staff must not be able to access credit card systems & other critical services
(eg: payment systems) in the country they don't belong to.
I'm not Wintel-trained, so the following are just too much for me to extract &
assess which of it is relevant:
https://www.techrepublic.com/forums/discussions/merging-two-networks-into-one-guidance-required-for-non-techy/
https://technet.microsoft.com/en-us/library/cc783351(v=ws.10).aspx
https://technet.microsoft.com/en-us/library/cc773048(v=ws.10).aspx
I was asked whether to adopt forest-wide authentication vs selective authentication between
HQ's AD & ours?
Q5:
As HQ is a much bigger country with multiple states, they have >30 AD (Domain Controller) servers.
My Wintel colleague says TCP 135, 445, 389 have to be permitted by the firewall: aren't these WannaCry risks?
Also, TCP 636, 3268, 3269, 53 (tcp+udp), 88, 137 are needed.
For Exchange, TCP 389, 379, 390, 3268, 636, 3269, 143, 993, 110 are needed between the Exchange servers:
any risk with these?
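As an added illustration (not part of the asker's post or any answer on this page), the following PowerShell audits the trusts visible from the local domain and flags the settings behind the forest-wide vs selective authentication question in Q4: selective authentication, SID filtering and trust direction. It assumes the ActiveDirectory module is installed and the caller can read trust objects; the domain names are the asker's placeholders.

```powershell
# Added example (not from the asker or Experts Exchange): audit every AD trust
# seen from the local domain and flag the settings that matter for the
# "forest-wide vs selective authentication" decision.
Import-Module ActiveDirectory

function Get-TrustFindings {
    param([string]$Server)   # optional DC to query; assumption: caller has AD read rights
    $trusts = if ($Server) { Get-ADTrust -Filter * -Server $Server } else { Get-ADTrust -Filter * }
    foreach ($t in $trusts) {
        $findings = @()
        # Forest-wide authentication makes every HQ user a member of "Authenticated
        # Users" on every local server; selective authentication requires an explicit
        # "Allowed to Authenticate" grant per server, which is what keeps the
        # payment and card-data hosts out of reach of seconded staff.
        if (-not $t.SelectiveAuthentication) {
            $findings += 'forest-wide authentication (no per-server allow list)'
        }
        # SID filtering stops SID history injected in the other forest from being
        # honoured here (ForestAware covers forest trusts, Quarantined external ones).
        if (-not $t.SIDFilteringForestAware -and -not $t.SIDFilteringQuarantined) {
            $findings += 'SID filtering disabled'
        }
        if ($t.Direction -eq 'BiDirectional') {
            $findings += 'two-way trust; confirm both directions are really needed'
        }
        [pscustomobject]@{
            Target    = $t.Target
            Type      = $t.TrustType
            Direction = $t.Direction
            Selective = $t.SelectiveAuthentication
            Findings  = ($findings -join '; ')
        }
    }
}

Get-TrustFindings | Format-Table -AutoSize

# To switch an existing trust to selective authentication, run on a DC of the
# trusting side (here org2name.com.au, whose resources HQ users will access):
#   netdom trust org2name.com.au /d:orgname.com /SelectiveAUTH:yes
# Afterwards grant "Allowed to Authenticate" only on the mailbox and intranet
# servers, never on the payment or card-data hosts.
```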