If that doesn't work, you may want to consider IPSec tunnels if the firewall
can support them.  Simplifies the config and secures the transport.  The overhead
is on the server but you can buy NICs that offload the processing.

If you use the tunnel, it's two ports and a protocol to setup and works
better with Windows 2003 servers.


Al 

-----Original Message-----
From: Andy Schan [mailto:[EMAIL PROTECTED] 
Sent: Wednesday, March 31, 2004 5:20 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Domains Separated by Firewall

Thanks, I'll be looking at it from that side as well. I was originally under
the impression that the AD architecture was done, and that I just had to do
the engineering, but it appears that's not the case; I'll be convening
meetings with them to get the architecture finalized before I go into the
lab.

The Exchange pieces I'm not too worried about; I was mainly looking for
people who had implemented SMTP links in AD in the real world, as that's one
option if the single forest is the route we go. They're open to allowing
more connections if required, but only if absolutely necessary.


-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Mulnick, Al
Sent: 31 March, 2004 16:30
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] Domains Separated by Firewall

Andy, a domain separated by a firewall in the same forest is feasible and it
sounds like you're on the right track as far as concerns and architecture.
Keep in mind that there are new features in the Exchange application as well
that make it "different" than the 5.5 setup you currently have.  You'll need
to be aware of the traffic that's required such as link state, pf and
routing group boundary settings, etc.  Just as you are now, you'll have to
be careful of public folder locations and such.  What will be even more
important to you is the permissions that Exchange needs and the
customization of permissions that you'll have to achieve to get the
presumably desired results.  The Exchange RUS needs inherited permissions
for example in the domain.  That may not be something they want if they're
used to being autonomous.  There's a good document on
multi-domain/multi-forest documents that may be of benefit as you go into
the domain planning.  It's located at
http://www.microsoft.com/exchange/library and it may be useful to know this
stuff prior to the domain vs. forest planning process.


Al 

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
Sent: Wednesday, March 31, 2004 2:38 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Domains Separated by Firewall

I've been reading these papers, but most of them assume resource sharing &/or
cross-domain authentications happening; the scenario I'm looking at
(security boundaries/requirements being looked at separately) is simply
having replication between the domains (and mail flow, but that's a separate
discussion), with no requirements for authentication, FRS (hopefully), etc.
What I'm looking at is to use SMTP site links, with the only communication
between the sites being AD bridgehead-bridgehead (and E2K3
bridgehead-bridgehead).

Whether or not we'll have to go with separate forests will depend on how
comfortable they are once they're clear on the security boundaries & the
implications. It won't matter if a single forest is acceptable, though, if
this sort of setup is not feasible in the real world.

Andy

> Hi Andy,
> 
> Check out the following:
> * Active Directory in Networks Segmented by Firewalls - 
> http://www.microsoft.com/downloads/details.aspx?FamilyID=c2ef3846-43f0-4caf-9767-a9166368434e&DisplayLang=en
> * Restricting Active Directory Replication Traffic to a Specific Port
> (MS-KBQ224196) -
> http://support.microsoft.com/default.aspx?scid=kb;en-us;224196
> * How to Restrict FRS Replication Traffic to a Specific Static Port
> (MS-KBQ319553) -
> http://support.microsoft.com/default.aspx?scid=kb;en-us;319553
> * Port Requirements for the Microsoft Windows Server System
> (MS-KBQ832017) -
> http://support.microsoft.com/default.aspx?scid=kb;en-us;832017
> 
> The only experience I have with AD and firewalls is that a firewall is 
> a real pain when performing AD Forest Disaster Recovery procedures (I 
> have been setting up these procedures with a colleague for one of our 
> customers and that was presented recently at the DEC). With AD I 
> sometimes think that a firewall in time turns into Swiss cheese.
> 
> You can also use an IP site link and restrict directory replication to 
> a specific port in the firewall as mentioned in the articles above.
> According to your description below that division does not trust you 
> guys. If they don't trust you, it would be better if you use a 
> separate forest because a forest in AD is the ultimate security 
> boundary. Within one forest each domain admin must trust each other! 
> If not... -> separate forests!
> If each domain has its own service admins to administer the DCs in the 
> particular domain then those service admins have the possibility to 
> control each domain in the forest. That's why each admin MUST trust 
> each other in one forest. Check the security requirements of that 
> division (and yours of course) to see if a separate forest is needed 
> for service and/or data isolation.
> 
> Regards,
> Jorge
> 
> -----Original Message-----
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of 
> [EMAIL PROTECTED]
> Sent: Wednesday, March 31, 2004 20:36
> To: [EMAIL PROTECTED]
> Subject: [ActiveDir] Domains Separated by Firewall
> 
> Hi:
> 
> We are doing an AD/E2K3 migration, and we have a scenario that I 
> haven't found covered in the archives:
> 
> Our AD forest presently consists of an empty forest root, with a 
> single child domain. We have a division, however, with significantly 
> higher security requirements than the rest of the organization.
> Presently, they are running Exchange 55 as a site within our 
> organization but with a separate NT domain with NO trust between our 
> domains. They are separated from us by a firewall, with the only 
> connectivity between us being port 102 (x400), and all communication 
> must be initiated from their side. No resource sharing other than 
> email is required, and no cross-domain authentication is needed.
> 
> I'm looking at setting them up as a separate domain in our forest, 
> with an SMTP site link for directory replication. We will be kicking 
> the tires in the lab, but does anyone have any real-life experiences 
> (traumas, acquired phobias, etc.) with similar scenarios?
> 
> Thanks,
> 
> Andy Schan
> 
> List info   : http://www.activedir.org/mail_list.htm
> List FAQ    : http://www.activedir.org/list_faq.htm
> List archive: 
> http://www.mail-archive.com/activedir%40mail.activedir.org/
> 
> 
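The KB articles Jorge cites describe pinning AD and FRS replication to a fixed RPC port so the firewall can allow one port instead of the dynamic range. The following PowerShell script is an added example, not from the thread or from Microsoft: it audits and optionally sets those ports, assuming the registry value names documented in KB 224196 and KB 319553 and a DC recent enough to have Get-NetTCPConnection.

```powershell
# Added example: audit/pin the static RPC ports used by AD replication (NTDS)
# and FRS (SYSVOL). Registry locations are those documented in KB 224196 and
# KB 319553 (assumption: they apply to the DC's OS version; check the article).
# TCP 135 (RPC endpoint mapper) must still be allowed through the firewall so
# the peer can discover the pinned port. Run elevated on a domain controller.
param(
    [int]$NtdsPort = 0,   # 0 = audit only; non-zero (e.g. 49153) pins the port
    [int]$FrsPort  = 0
)

$targets = @(
    @{ Name  = 'NTDS (AD replication)'
       Key   = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
       Value = 'TCP/IP Port'
       Port  = $NtdsPort },
    @{ Name  = 'FRS (SYSVOL replication)'
       Key   = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTFRS\Parameters'
       Value = 'RPC TCP/IP Port Assignment'
       Port  = $FrsPort }
)

foreach ($t in $targets) {
    # Read the current static port; $null means the dynamic RPC range is in use.
    $current = (Get-ItemProperty -Path $t.Key -Name $t.Value -ErrorAction SilentlyContinue).($t.Value)
    if ($null -eq $current) {
        Write-Output "$($t.Name): no static port set (dynamic RPC port range in use)"
    } else {
        Write-Output "$($t.Name): static port $current"
    }
    if ($t.Port -gt 0 -and $t.Port -ne $current) {
        # Pin the port; the service must restart (or the DC reboot) before it takes effect.
        Set-ItemProperty -Path $t.Key -Name $t.Value -Value $t.Port -Type DWord
        Write-Output "$($t.Name): set to $($t.Port); restart required"
    }
}

# Verification after the restart: lsass should now be listening on the pinned port.
if ($NtdsPort -gt 0) {
    $listening = Get-NetTCPConnection -State Listen -LocalPort $NtdsPort -ErrorAction SilentlyContinue
    if ($listening) { Write-Output "Port $NtdsPort is listening as expected" }
    else            { Write-Output "Port $NtdsPort is not listening yet (restart pending?)" }
}
```

Run it once with no parameters to record the current state before changing anything, and re-run after the restart to confirm the listener moved to the pinned port.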


List info   : http://www.activedir.org/mail_list.htm
List FAQ    : http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/