Yes, in fact I have implemented this (under Windows 2000).

From: [EMAIL PROTECTED] On Behalf Of Tony Murray

Using certificates to allow IPSec between clients/member servers and DCs sounds good. Has anyone actually done this? I'd be interested, as I'm surprised the KB article didn't mention this as an alternative. I've also heard (more than once) some statements from MS people to the effect that "IPSec between member servers and DCs is not supported".

Tony

From: [EMAIL PROTECTED] On Behalf Of Phil Renouf

That was the way that I understood that paragraph as well. And to give a little more information about Aric's point on not being able to monitor the traffic between the DMZ host and the DCs: that is why it is important to have an Intrusion Detection/Intrusion Prevention system in place. Even in a small shop this can save you a lot of headaches if properly maintained, and will let you monitor for malicious traffic on the DMZ host and the DCs. It is a good way to mitigate many security admins' concerns about opening encrypted tunnels through the firewalls.

Phil

On 9/7/05, Bernard, Aric <[EMAIL PROTECTED]> wrote:

The quote relates to when you are using Kerberos as the method to set up the secure connection (ISAKMP). If you use certificates then IPSec can be used end-to-end between clients/member servers and DCs.

Aric

From: [EMAIL PROTECTED] On Behalf Of Tony Murray

Hi Phil

Here's the text I was referring to:

> Currently, we do not support using IPSec to encrypt network traffic from a domain member server to a domain controller when you apply the IPSec policies by using Group Policy or when you use the Kerberos authentication method.

The goal with IPSec is to encrypt the traffic between the two sides, and with the scenario described below you would need Kerberos authentication. Or have I missed something?

Tony

From: [EMAIL PROTECTED] On Behalf Of Phil Renouf

Did I miss something in that article? I don't see where it says client > DC via IPSec is not supported; just that you can't encrypt Kerberos traffic.

Phil

On 9/7/05, Tony Murray <[EMAIL PROTECTED]> wrote:

> If you absolutely HAVE to then I would prefer to look at using IPSec for communication between the SharePoint box and your DCs

IPSec would be good, but it isn't supported between member servers and DCs.
http://support.microsoft.com/default.aspx?scid=kb;en-us;Q254949

Tony

From: [EMAIL PROTECTED] On Behalf Of Phil Renouf
To: ActiveDir@mail.activedir.org

I would look at putting the SharePoint server on the internal network and deploy an ISA server in the DMZ and use Web Publishing or Server Publishing to get your external clients access to the site. If you want to open access from the DMZ to your AD

If you absolutely HAVE to then I would prefer to look at using IPSec for communication between the SharePoint box and your DCs. That leaves you only needing the IPSec port open and not the very large number of ports to support AD communication.

Phil

On 9/7/05, Jason B <[EMAIL PROTECTED]> wrote:

Because
this will be a SharePoint server for clients. Regardless, that
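The certificate-authenticated variant that Aric and Tony discuss (IPSec between a DMZ member server and the DCs without relying on Kerberos to negotiate the tunnel), shown as an added example that is not from this thread or from any of its posters. The thread's implementation was done on Windows 2000; this version assumes a current Windows Server with the NetSecurity PowerShell module, a machine certificate already enrolled on the DMZ host and on the DCs from the same root CA, and the placeholder DC addresses, CA distinguished name and rule name below.

```powershell
# Added example, not the thread's own configuration. Creates a connection security
# rule on a DMZ member server that REQUIRES certificate-authenticated, ESP-encrypted
# IPSec for all traffic to the domain controllers. Run elevated on the DMZ host.
#Requires -RunAsAdministrator

$DcAddresses = @('10.0.0.10', '10.0.0.11')                 # placeholder: your DC addresses
$RootCaDn    = 'CN=Example-Root-CA, DC=example, DC=com'    # placeholder: DN of the issuing root CA
$RuleName    = 'DMZ-to-DC-Cert-IPsec'

# Phase 1 (main mode) authentication: a machine certificate chaining to $RootCaDn.
# No Kerberos proposal is included, which is the point made in the thread: Kerberos
# to a DC cannot bootstrap the tunnel that is supposed to carry the Kerberos traffic.
$p1Proposal = New-NetIPsecAuthProposal -Machine -Cert -Authority $RootCaDn -AuthorityType Root
$p1AuthSet  = New-NetIPsecPhase1AuthSet -DisplayName "$RuleName-Phase1" -Proposal $p1Proposal

# Quick mode (phase 2) crypto: ESP with encryption, so the AD traffic is actually
# encrypted rather than only integrity-protected (the default set may be AH/ESP-null).
$qmProposal = New-NetIPsecQuickModeCryptoProposal -Encapsulation ESP -Encryption AES256 -ESPHash SHA256
$qmSet      = New-NetIPsecQuickModeCryptoSet -DisplayName "$RuleName-QuickMode" -Proposal $qmProposal

# The rule itself. Require (not Request) in both directions, so that if negotiation
# fails nothing to or from the DCs is sent in the clear.
New-NetIPsecRule -DisplayName $RuleName `
    -RemoteAddress $DcAddresses `
    -InboundSecurity Require -OutboundSecurity Require `
    -Phase1AuthSet $p1AuthSet.Name `
    -QuickModeCryptoSet $qmSet.Name `
    -Profile Any | Out-Null

# Verification: confirm the rule is present and enabled, then, after the host has
# talked to a DC (e.g. a domain logon), inspect the established main-mode SAs to
# confirm they were negotiated with the certificate authentication set.
Get-NetIPsecRule -DisplayName $RuleName |
    Format-List DisplayName, Enabled, InboundSecurity, OutboundSecurity
Get-NetIPsecMainModeSA | Format-List
```

A matching rule pointing back at the DMZ host is needed on each DC (or via a GPO scoped to the DCs), and the DMZ firewall then only has to pass IKE (UDP 500), NAT-T (UDP 4500) and ESP (IP protocol 50) between the two, rather than the full set of AD ports. Phil's caveat still applies once this is in place: the firewall can no longer see inside the tunnel, so detection for this path has to come from host-based monitoring on the DMZ server and the DCs, or from an IDS sensor positioned where the traffic is in the clear.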