<shudder>
So, if I read this correctly, somebody wants to put lipstick on a pig? My first question is why? My second question is also why? Why would you ever want to have authentication handled inside your firewall for web servers? Why would you want to put in a single point of failure only relying on the PDCe? Why would you want to fly in the face of best practices (use separate forests internal and external?)

IPSec is something that would be nice to have if they had a 2000 forest out there, but then again, see above.

Overall, I'd say that this is a bad idea for many reasons including the single point of failure (what if your PDCe goes down?), the lowered security possibilities of NT4 etc. Hacking NT 4 is not going to provide much of a challenge to most script kiddies these days, IMHO. Opening ports from a DMZ to your internal network doesn't buy anything but convenience in this situation and since it flies in the face of good practices, I hate to see it running.

Fix your BAS DMZ domain permissions and upgrade it to 2003 AD for control purposes.

The PPTP that he's asking about is available in Win2K and above, but for Win2K it doesn't work at start up. That would only be shared secret vs. kerberos negotiation.
</rant>

From: Creamer, Mark [mailto:[EMAIL PROTECTED]
Sent: Friday, May 07, 2004 2:43 PM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] DMZ to Internal LAN one-way trust via firewall

L & G, I'm sending this on behalf of one of our project engineers. Thanks for any assistance or advice.

1. We have a 12-server (mostly 2000 web servers) NT 4.0 domain in
Mark Creamer Systems Engineer Cintas Corporation Honesty and Integrity in Everything We Do