It might be an idea to give us a bit of a heads-up (relating to Roger's question) as to why, and more importantly, how your DMZ is set up. Do you just have the one DMZ, or do you have a Bastion host with a Public DMZ, then your internal network, or do you have a multi-layered DMZ (Public, Private, Internal)? Or is it a combination of any of the above with Private VLANs?

The reason that I ask is that there are myriad ways of doing what you're asking. I'm not going to get into the risk of any of the systems (though I do question IF they need to be there), but can provide guidance on who should be talking to whom, and when the wrong communication or directness of communication is occurring. Also, it would dictate (dependent on layering of your DMZ and perimeter networks) the placement of systems, as good and secure practice says that in a multi-layered DMZ a system or device cannot skip a layer to talk to a less secure device. IOW, a system from the Public DMZ cannot directly talk to a system in the Internal network. There must be an intervening device in the Private DMZ. This creates (along with some degree of complexity) an environment whereby an attacker must compromise multiple systems to succeed.

For reference, we employ a three-tiered DMZ with our external routers, PIX, and a firewall appliance creating a Public DMZ, a Private DMZ and our internal network. We also use Private VLANs to control which servers or devices on the DMZs can talk to other systems on their respective subnets. Just because system A has an IP of 10.10.1.25/24 and system B has an IP of 10.10.1.26/24 does not mean that they can talk to each other. If they are not in the same VLAN, or no rule is in place to allow the specific communication, they will not be able to talk.

> -----Original Message-----
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED]] On Behalf Of
> Roger Seielstad
> Sent: Friday, January 24, 2003 7:47 AM
> To: '[EMAIL PROTECTED]'
> Subject: RE: [ActiveDir] Using Active Directory between a firewall
>
> Can I ask why you're choosing to put your servers into the
> DMZ? Other than ISA (maybe - and I'm not convinced even that
> one), none of the other servers needs to be publicly exposed.
>
> ------------------------------------------------------
> Roger D. Seielstad - MCSE
> Sr. Systems Administrator
> Inovis - Formerly Harbinger and Extricity
> Atlanta, GA
>
> > -----Original Message-----
> > From: Oluwaseyi Owoeye [mailto:[EMAIL PROTECTED]]
> > Sent: Friday, January 24, 2003 6:23 AM
> > To: [EMAIL PROTECTED]
> > Subject: RE: [ActiveDir] Using Active Directory between a firewall
> >
> > Yes, I can see the AD Server from within the DMZ, and pinging the
> > server gives me no problem at all.
> >
> > -----Original Message-----
> > From: Jochen Andries [mailto:[EMAIL PROTECTED]]
> > Sent: Friday, January 24, 2003 10:45 AM
> > To: [EMAIL PROTECTED]
> > Subject: RE: [ActiveDir] Using Active Directory between a firewall
> >
> > Do you see the AD-server from the server in the DMZ-zone?
> > (Ping-request, ...)
> >
> > -----Original Message-----
> > From: Oluwaseyi Owoeye [mailto:[EMAIL PROTECTED]]
> > Sent: Friday, 24 January 2003 10:33
> > To: [EMAIL PROTECTED]
> > Subject: [ActiveDir] Using Active Directory between a firewall
> >
> > Hi guys,
> >
> > I have a little problem over here. I have an implementation of
> > active directory where the servers sit on a subnet and all the
> > client workstations sit in another subnet.
> >
> > For security reasons I want to move the servers into the DMZ zone. I
> > found out that when I move the servers into the DMZ zone they are
> > not able to communicate with active directory. This is because the
> > domain controller is within the proper network, but the servers that
> > need to be moved into the DMZ are servers like the exchange and ISA
> > servers, and these servers need to communicate with active directory
> > to function properly.
> >
> > What ports do I need to open on the firewall in order for the
> > machines in the DMZ to talk to active directory effectively?
> >
> > Thanks
>
> List info : http://www.activedir.org/mail_list.htm
> List FAQ : http://www.activedir.org/list_faq.htm
> List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
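The two rules the reply above describes, that traffic may not skip a DMZ tier and that hosts on one subnet only talk when they share a Private VLAN or an explicit rule permits the flow, modelled as a small policy checker. This is an added example written for this page, not code from the list thread or from any of its participants; the tier names, host names, addresses, ports and rules are all constructed for illustration, and the `audit_layer_skips` helper is a hypothetical check for finding rules that break the tiering rule.

```python
"""Added example: a model of the layered-DMZ policy described in the reply.

Two checks are encoded:
  1. A flow may only cross between adjacent trust tiers. A rule that lets a
     Public DMZ host reach the Internal network directly "skips a layer" and is
     rejected even if someone has written it into the rule base.
  2. Two hosts on the same subnet only talk if they share a Private VLAN, or an
     explicit rule permits that specific flow.
All names, addresses, ports and rules below are constructed for illustration.
"""
from dataclasses import dataclass, field
from typing import Optional

# Trust tiers ordered from least to most trusted (constructed; mirrors the
# three-tier layout in the reply: Public DMZ, Private DMZ, Internal network).
TIERS = ["internet", "public_dmz", "private_dmz", "internal"]


@dataclass(frozen=True)
class Host:
    name: str
    tier: str
    ip: str                       # informational only; tier and pvlan decide
    pvlan: Optional[str] = None   # Private VLAN membership; None = isolated


@dataclass(frozen=True)
class Rule:
    src: str    # source host name
    dst: str    # destination host name
    port: int   # destination port


@dataclass
class Policy:
    hosts: dict = field(default_factory=dict)
    rules: set = field(default_factory=set)

    def add_host(self, host: Host) -> None:
        if host.tier not in TIERS:
            raise ValueError(f"unknown tier {host.tier!r}")
        self.hosts[host.name] = host

    def allow(self, src: str, dst: str, port: int) -> None:
        self.rules.add(Rule(src, dst, port))

    def _tier_distance(self, a: Host, b: Host) -> int:
        return abs(TIERS.index(a.tier) - TIERS.index(b.tier))

    def evaluate(self, src_name: str, dst_name: str, port: int):
        """Return (permitted, reason) for a single flow."""
        src, dst = self.hosts[src_name], self.hosts[dst_name]
        explicit = Rule(src_name, dst_name, port) in self.rules

        # Check 1: skipping a tier is never permitted, rule or no rule.
        if self._tier_distance(src, dst) > 1:
            return False, f"{src.tier} -> {dst.tier} skips a layer"

        # Check 2: same tier needs shared Private VLAN or an explicit rule.
        if src.tier == dst.tier:
            if src.pvlan is not None and src.pvlan == dst.pvlan:
                return True, f"same Private VLAN {src.pvlan!r}"
            if explicit:
                return True, "explicit rule within tier"
            return False, "different Private VLANs and no rule"

        # Adjacent tiers: default deny unless a rule exists for this flow.
        if explicit:
            return True, f"explicit rule {src.tier} -> {dst.tier}"
        return False, f"no rule for {src.tier} -> {dst.tier} tcp/{port}"

    def audit_layer_skips(self) -> list:
        """Hypothetical audit: rules that would let a flow skip a tier."""
        return sorted(
            (r for r in self.rules
             if self._tier_distance(self.hosts[r.src], self.hosts[r.dst]) > 1),
            key=lambda r: (r.src, r.dst, r.port),
        )


def build_example_policy() -> Policy:
    """Constructed topology: one host per tier plus a second Public DMZ host."""
    p = Policy()
    p.add_host(Host("client", "internet", "198.51.100.7"))
    p.add_host(Host("web", "public_dmz", "10.10.1.25", pvlan="web"))
    p.add_host(Host("mail", "public_dmz", "10.10.1.26", pvlan="mail"))
    p.add_host(Host("app", "private_dmz", "10.10.2.10"))
    p.add_host(Host("dc", "internal", "10.10.3.5"))
    p.allow("client", "web", 443)
    p.allow("web", "app", 8080)
    p.allow("app", "dc", 389)
    p.allow("web", "dc", 389)   # deliberately wrong: Public DMZ straight to Internal
    return p


if __name__ == "__main__":
    policy = build_example_policy()
    for flow in [("client", "web", 443), ("web", "app", 8080),
                 ("web", "mail", 445), ("web", "dc", 389)]:
        print(flow, policy.evaluate(*flow))
    print("rules that skip a layer:", policy.audit_layer_skips())
```

The point of the model is that the "no layer skipping" check runs before the rule lookup, so a rule base that has drifted (here the constructed `web -> dc` rule) is still refused and surfaces in the audit list; the two Public DMZ hosts at 10.10.1.25 and 10.10.1.26 are on the same subnet but sit in different Private VLANs, so their flow is refused exactly as the reply describes.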
