RE: [ActiveDir] Which ports to open in the DMZ to communicate with AD & SQL...

[Bernard, Aric]

Yes, in fact I have implemented this (under Windows 2000).   From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Tony Murray Sent: Wednesday, September 07, 2005 7:44 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Which ports to open in the DMZ to communicate with AD & SQL...   Using certificates to allow IPSec between clients/member servers and DCs sounds good.  Has anyone actually done this?  I'd be interested, as I'm surprised the KB article didn't mention this as an alternative.  I've also heard (more than once) some statements from MS people to the effect that "IPSec between member servers and DCs is not supported".   Tony   From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Phil Renouf Sent: Thursday, 8 September 2005 2:30 p.m. To: ActiveDir@mail.activedir.org Subject: Re: [ActiveDir] Which ports to open in the DMZ to communicate with AD & SQL... That was the way that I understood that paragraph as well.   And to give a little more information about Aric's point on not being able to monitor the traffic between the DMZ host and the DC's; that is why it is important to have an Intrusion Detection/Intrusion Prevention system in place. Even in a small shop this can save you a lot of headaches if properly maintained and will let you monitor for malicious traffic on the DMZ host and the DC's. It is a good way to mitigate many security admins concerns about opening encrypted tunnels through the firewalls.   Phil   On 9/7/05, Bernard, Aric <[EMAIL PROTECTED]> wrote: The quote relates to when you are using Kerberos as the method to setup the secure connection (ISAKMP).  If you use certificated then IPSec can be used end-to-end between clients/member servers and DCs.   Aric   From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Tony Murray Sent: Wednesday, September 07, 2005 5:24 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Which ports to open in the DMZ to communicate with AD & SQL...   Hi Phil   Here's the text I was referring to:   Currently, we do not support using IPSec to encrypt network traffic from a domain member server to a domain controller when you apply the IPSec policies by using Group Policy or when you use the Kerberos authentication method. The goal with IPSec is to encrypt the traffic between the two sides and with the scenario described below you would need Kerberos authentication.  Or have I missed something?   Tony   From: [EMAIL PROTECTED] [mailto: [EMAIL PROTECTED]] On Behalf Of Phil Renouf Sent: Thursday, 8 September 2005 11:02 a.m. To: ActiveDir@mail.activedir.org Subject: Re: [ActiveDir] Which ports to open in the DMZ to communicate with AD & SQL... Did I miss something in that article? I don't see where it says client > DC via IPSec is not supported; just that you can't encrypt Kerberos traffic.   Phil   On 9/7/05, Tony Murray < [EMAIL PROTECTED]> wrote: > If you absolutely HAVE to then I would prefer to look at using IPSec for communication between the Sharepoint box and your DC's   IPSec would be good, but it isn't supported between member servers and DCs.   http://support.microsoft.com/default.aspx?scid=kb;en-us;Q254949   Tony   From: [EMAIL PROTECTED] [mailto: [EMAIL PROTECTED]] On Behalf Of Phil Renouf Sent: Thursday, 8 September 2005 4:20 a.m. To: ActiveDir@mail.activedir.org Subject: Re: [ActiveDir] Which ports to open in the DMZ to communicate with AD & SQL...   I would look at putting the Sharepoint server on the internal network and deploy an ISA server in the DMZ and use Web Publishing or Server Publishing to get your external clients access to the site. If you want to open access from the DMZ to your AD Forest your firewall will be swiss cheese from all the ports than need to be open.   If you absolutely HAVE to then I would prefer to look at using IPSec for communication between the Sharepoint box and your DC's. That leaves you only needing the IPSec port open and not the very large number of ports to support AD communication.   http://support.microsoft.com/kb/q179442/   Phil   On 9/7/05, Jason B < [EMAIL PROTECTED] > wrote: Because this will be a sharepoint server for clients.  Regardless, that decision has already been made and I don't have any input into it. Any info on the ports I'd need open? ----- Original Message ----- From: "ASB" <[EMAIL PROTECTED] > To: < ActiveDir@mail.activedir.org> Sent: Wednesday, September 07, 2005 8:45 AM Subject: Re: [ActiveDir] Which ports to open in the DMZ to communicate with AD & SQL... Why did you decide to put it in the DMZ? -ASB On 9/7/05, Jason B < [EMAIL PROTECTED]> wrote: > We are putting a MS sharepoint server in the DMZ and need to have it on > the > domain and communicating with a SQL server on the domain.  Because of > these > needs, we only want to open the minimum number of ports to get > functionality.  We have LDAP (389) opened and SQL (1433) opened.  What > other > ports will we need to open to be able to log in on the sharepoint server > with a domain account?  Currently, with only these two ports opened, a > domain account can't log on to the sharepoint server in the DMZ. List info   : http://www.activedir.org/List.aspx List FAQ    : http://www.activedir.org/ListFAQ.aspx List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ List info   : http://www.activedir.org/List.aspx List FAQ    : http://www.activedir.org/ListFAQ.aspx List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/   This e-mail message has been scanned for Viruses and Content and cleared by NetIQ MailMarshal at Gen-i Limited   This e-mail message has been scanned for Viruses and Content and cleared by NetIQ MailMarshal at Gen-i Limited   This e-mail message has been scanned for Viruses and Content and cleared by NetIQ MailMarshal at Gen-i Limited