I think the special networking is already a done deal, and is more typical in our environment for what our network admin would set up, so sounds like we can skip VPN on this. I am reading a bit on ADFS from your and Bob's prompting, but not sure it fits and/or falls within the guidelines of the product; I replied in another post.

Thanks! Bonnie

From: listsad...@lists.myitforum.com On Behalf Of Ryan Shugart
Sent: Friday, June 06, 2014 8:31 AM
To: ntsysadm@lists.myitforum.com
Subject: [NTSysADM] RE: New RODC question

Hi Bonnie:

You got it, although I'm not sure if we're using the hardware Netscalers or the virtual Netscaler appliances for this, we have both. The point behind the VPN tunnel I believe was to avoid any special DMZs or any special networking. I'm not a networking guy either so I might bork this, but by forcing them through an encrypted VPN tunnel that we control, we can make sure the only thing they can see is the load balancer virtual IP, and that isn't exposed at all to the internet, so we really haven't poked anything through our firewall since VPN is something we normally allow anyway.

I know others have made similar points, but have you looked into something like Active Directory Federation Services? I've never set it up but my understanding is this is the situation it was designed to handle.

Ryan

From: listsad...@lists.myitforum.com On Behalf Of Miller Bonnie L.
Sent: Friday, June 6, 2014 7:01 AM
To: ntsysadm@lists.myitforum.com
Subject: [NTSysADM] RE: New RODC question

So if I understand, you're using hardware LBs so you can have multiple DCs on the back end; that is actually something I'd like to consider for possible future connections like this. We may not have budget for hardware LBs right now, but I can bring it up as an option.

I'm not sure I understand the VPN tunnel part; again, I'm not the network administrator here, so sorry if this is a dumb question. Is the concern that allowing their IPs to connect directly ONLY using secure LDAP (TCP 636, using a cert) is not really secure enough for directly over the Internet? The vendors will not have any other access (VPN for logon or otherwise) to the box.

Thanks, Bonnie

From: listsad...@lists.myitforum.com On Behalf Of Ryan Shugart
Sent: Thursday, June 05, 2014 3:06 PM
To: ntsysadm@lists.myitforum.com
Subject: [NTSysADM] RE: New RODC question

My recommendation is don't let them talk to one of your DCs; if they want secure LDAP, fine, proxy it. We set up a Netscaler appliance to load balance LDAP between two domain controllers. We then set up a special VPN tunnel that the cloud service talks to us on, and all they can see is the virtual LDAP we have configured on the Netscaler; the VPN blocks them from talking to anything but that. We've done this for several providers, and it's worked just fine, and no need to set up an RODC.

Ryan

From: listsad...@lists.myitforum.com On Behalf Of Miller Bonnie L.
Sent: Thursday, June 5, 2014 2:36 PM
To: ntsysadm@lists.myitforum.com
Subject: [NTSysADM] New RODC question

We have a need to allow a cloud-based service to do lookups against our internal AD. Their site will use same sign-on by looking up usernames and passwords over secure LDAP. This is the first real authentication configuration I'm doing against external services, so just getting my feet wet with this one.

The vendor says their product will work with an RODC, and we're already extended on the schema to use one. So, I've proposed adding an RODC in a "perimeter" subnet, rather than having them connect all the way through to our main internal server subnet and talk to writeable DCs. The RODC would be in a new AD site, with no subnets assigned, so internal clients shouldn't ever attempt to authenticate to it.

There are minimal network-based firewall rules to allow certain systems access (such as the writeable DCs), and then I'm going to work on two-way Windows firewall rules to lock it down more, and then (carefully after testing) make sure those are enforced by GPO with no override options.

A) Is this overkill? I'm trying to think of it from a security standpoint, but that isn't always my best angle, and I don't want to do something if there is no real benefit. Even though the box is here in our physically secured datacenter (as opposed to a branch office), it is going to be somewhat more exposed to external connections, which none of our existing DCs are. Firstly, it makes sense to me that we shouldn't poke a hole right through to our central server network. Using an RODC seems like it would protect us more from account changes if the box were compromised. And, firewall rules that can't be modified could at least mitigate some threat of what else they can get to if the box were to be compromised.

B) Since I haven't really set up an RODC before, as I read through, I'm seeing information about configuring the password caching that I'm not sure if we need. The idea is that their server(s) will talk to this server to verify username and password information, allowing our users to log onto their website. If I'm reading correctly, if an RODC doesn't have the password cached (which it has none of by default), it will go talk to a writeable DC to get that information. In the case of a branch office, it might make sense to allow certain users to cache locally in case the WAN link is down, but I'm not dealing with that here. So, am I correct in thinking that I don't need to configure it to cache anything additional for passwords (no PRP settings/changes required), as the RODC will look those up each time from a writeable DC, and pass it along? I'm not worried about a traffic hit, and if all of our writeable DCs are down the RODC is likely offline too and the datacenter is dark.
Or, do I need to plan on configuring it to cache the passwords of just those users who need to authenticate on the external website?

C) Suggestions? Anything else to consider? I'm not sure what others do for security with these kinds of service connections.

Thanks! Bonnie
MiTek Holdings, Inc., 2011-2014, All Rights Reserved
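One way to verify the design Bonnie describes (a PRP that caches no extra secrets, so every bind is forwarded to a writeable DC, and a host firewall rule on the RODC that admits TCP 636 only from the vendor's addresses), as an added example that is not part of the thread; the RODC name, vendor addresses and rule name are placeholders, and it assumes the ActiveDirectory and NetSecurity modules on a domain-joined admin host:

```powershell
# Added audit example (not from the thread). Placeholders: PERIMETER-RODC01,
# the TEST-NET-3 vendor addresses, and the rule name 'Vendor LDAPS inbound'.
Import-Module ActiveDirectory
Import-Module NetSecurity

$Rodc      = 'PERIMETER-RODC01'                  # placeholder RODC name
$VendorIPs = @('203.0.113.10', '203.0.113.11')   # placeholder vendor addresses
$LdapsPort = 636

# 1. Password Replication Policy. With only the default entries in the Allowed
#    list, the RODC forwards each bind to a writeable DC and caches nothing.
$allowed = Get-ADDomainControllerPasswordReplicationPolicy -Identity $Rodc -Allowed
$denied  = Get-ADDomainControllerPasswordReplicationPolicy -Identity $Rodc -Denied
"Allowed PRP entries: " + ($allowed.Name -join ', ')
"Denied PRP entries:  " + ($denied.Name -join ', ')

# 2. Secrets actually cached on the RODC. In this design the list should stay
#    empty; anything shown here is what a compromise of the box would expose.
$revealed = Get-ADDomainControllerPasswordReplicationPolicyUsage -Identity $Rodc -RevealedAccounts
if ($revealed) { "Cached accounts: " + ($revealed.SamAccountName -join ', ') }
else           { "No account secrets cached on $Rodc." }

# 3. Host firewall rule on the RODC itself, scoped to the vendor addresses only.
Invoke-Command -ComputerName $Rodc -ScriptBlock {
    param($Port, $Remote)
    $name = 'Vendor LDAPS inbound'
    if (-not (Get-NetFirewallRule -DisplayName $name -ErrorAction SilentlyContinue)) {
        New-NetFirewallRule -DisplayName $name -Direction Inbound -Protocol TCP `
            -LocalPort $Port -RemoteAddress $Remote -Action Allow -Profile Any | Out-Null
    }
    # A rule whose remote scope is 'Any' is the misconfiguration to catch here.
    $addr = (Get-NetFirewallRule -DisplayName $name | Get-NetFirewallAddressFilter).RemoteAddress
    if ($addr -contains 'Any') { Write-Warning "LDAPS rule is open to any remote address" }
    else                       { "LDAPS rule scoped to: " + ($addr -join ', ') }
} -ArgumentList $LdapsPort, $VendorIPs
```

Re-run the second check periodically: an account that later appears in the revealed list means either the PRP was changed or the "Allowed" list is broader than intended.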