Good points, although for giving external users access to internal
resources I think Terminal Services is a bad idea if you are concerned
enough about security to be looking into a separate forest for your
Extranet. Citrix has much more flexibility for giving access to internal
resources in a setup like this by using published applications and not a
published desktop. This allows you to lock the user down much better and
limit them to only being able to run the application and never getting
to see a desktop. Still not as secure as not having them log in to your
internal forest, but better than TS, which gives a user a full desktop.

Phil 

-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Myrick, Todd
(NIH/CIT)
Sent: Monday, October 25, 2004 10:16 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Extranet's

Here are some sources to reference in your design process.

http://www.microsoft.com/technet/security/topics/identity/idmanage/P1Plat_4.mspx

A couple of points to raise:

1. To support this infrastructure you will require DNS and additional
   hardware. Make sure you provision accordingly.
2. You need to decide if there needs to be a trust involved. Make sure
   you plan for IPsec to make the trust more secure.
3. You should monitor the extranet for availability, and also audit it
   heavily and use restrictive security policies to enforce compliance.
4. If your goal is to give external users access to internal
   applications, you might investigate Terminal Services and user
   accounts with more restrictive settings.
5. If you only need LDAP for authentication, look into using ADAM and
   third-party SSOs. Fewer infrastructure requirements.
6. Remember to patch, patch, patch.

Good luck....

Todd

________________________________

From: Grillenmeier, Guido [mailto:[EMAIL PROTECTED]
Sent: Monday, October 25, 2004 12:39 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Extranet's

Yep, done it several times this way - at least for the users. Depending
on how your machines need to talk to the internal servers, you might not
even need to set up a trust. But if you don't get around it, you could
still limit its reach using selective authentication.

/Guido

________________________________

From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of
[EMAIL PROTECTED]
Sent: Monday, October 25, 2004 2:57 AM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Extranet's

We are looking at redesigning our extranet and are considering a
separate forest for the extranet users; eventually most of the
resources needed for the extranet will be put into that forest. My
thinking is that since a domain isn't a true security boundary, and it
really won't cost us more to bring up a forest vs. a domain, why not go
with a separate forest? The users in the extranet forest won't
necessarily need access to the internal systems, but some of the machines
will need to talk to internal servers, so I assume at some point we will
need a trust relationship. My question is simply: what am I missing, and
has anyone done similar setups?

Holland + Knight

Travis Abrams MCSE, GCIH
Systems Engineer
Holland & Knight LLP

NOTICE:  This e-mail is from a law firm, Holland & Knight LLP ("H&K"),
and is intended solely for the use of the individual(s) to whom it is
addressed.  If you believe you received this e-mail in error, please
notify the sender immediately, delete the e-mail from your computer and
do not copy or disclose it to anyone else.  If you are not an existing
client of H&K, do not construe anything in this e-mail to make you a
client unless it contains a specific statement to that effect and do not
disclose anything to H&K in reply that you expect it to hold in
confidence.  If you properly received this e-mail as a client,
co-counsel or retained expert of H&K, you should maintain its contents
in confidence in order to preserve the attorney-client or work product
privilege that may be available to protect confidentiality.
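The trust question in the original post and the selective-authentication suggestion in Guido's reply, as an added example that is not part of the thread (nobody in it posted code): a one-way forest trust created from the internal forest so that extranet principals can be authenticated to internal resources, switched to selective authentication, and then an explicit "Allowed to Authenticate" grant on a single internal server. The forest names corp.example and extranet.example, the OU, the computer name APP01 and the group "Extranet Web Servers" are assumptions; the script uses the .NET System.DirectoryServices API in place of the netdom/GUI steps that would have been used in 2004.

```powershell
# Added example, not from the thread. Forest/OU/computer/group names are assumed.
Add-Type -AssemblyName System.DirectoryServices

$internalForest = 'corp.example'      # assumed: the production forest
$extranetForest = 'extranet.example'  # assumed: the separate extranet forest

# Creating both halves of a forest trust needs Enterprise Admins in each
# forest; prompt for the credentials rather than embedding them.
$intCred = Get-Credential -Message "Enterprise admin in $internalForest"
$extCred = Get-Credential -Message "Enterprise admin in $extranetForest"

$intCtx = New-Object -TypeName System.DirectoryServices.ActiveDirectory.DirectoryContext `
    -ArgumentList 'Forest', $internalForest, $intCred.UserName, $intCred.GetNetworkCredential().Password
$extCtx = New-Object -TypeName System.DirectoryServices.ActiveDirectory.DirectoryContext `
    -ArgumentList 'Forest', $extranetForest, $extCred.UserName, $extCred.GetNetworkCredential().Password

$internal = [System.DirectoryServices.ActiveDirectory.Forest]::GetForest($intCtx)
$extranet = [System.DirectoryServices.ActiveDirectory.Forest]::GetForest($extCtx)

# Inbound, as seen from the internal forest: extranet principals may be
# authenticated to internal resources; internal accounts get nothing in
# the extranet. (Equivalent to "netdom trust corp.example /domain:extranet.example /add".)
$internal.CreateTrustRelationship($extranet,
    [System.DirectoryServices.ActiveDirectory.TrustDirection]::Inbound)

# Turn forest-wide authentication into selective authentication on this
# inbound trust. From now on an extranet account is refused at every
# internal server that does not carry an explicit "Allowed to Authenticate"
# ACE for it, which is how the trust's reach is limited.
$internal.SetSelectiveAuthenticationStatus($extranetForest, $true)

# Grant only the extranet web servers the right to authenticate to APP01.
$server = [ADSI]"LDAP://$internalForest/CN=APP01,OU=Extranet Facing,DC=corp,DC=example"
$group  = New-Object System.Security.Principal.NTAccount('EXTRANET', 'Extranet Web Servers')
$sid    = $group.Translate([System.Security.Principal.SecurityIdentifier])

# Rights-GUID of the Allowed-To-Authenticate extended right in the AD schema.
$allowedToAuthenticate = [Guid]'68b1d179-0d15-4d4f-ab71-46152e79a7bc'
$ace = New-Object -TypeName System.DirectoryServices.ActiveDirectoryAccessRule `
    -ArgumentList $sid,
                  [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight,
                  [System.Security.AccessControl.AccessControlType]::Allow,
                  $allowedToAuthenticate
$server.ObjectSecurity.AddAccessRule($ace)
$server.CommitChanges()

# Check: the trustedDomain object for the extranet forest must carry
# TRUST_ATTRIBUTE_CROSS_ORGANIZATION (0x10); that bit is what selective
# authentication sets. Fail loudly if the trust silently stayed forest-wide.
$tdo   = [ADSI]"LDAP://$internalForest/CN=$extranetForest,CN=System,DC=corp,DC=example"
$attrs = [int]$tdo.trustAttributes.Value
if (($attrs -band 0x10) -eq 0) {
    throw "Selective authentication is NOT enabled on the trust to $extranetForest"
}
# Optional cross-check from the command line:
#   netdom trust corp.example /domain:extranet.example /verify
```

Two caveats a practitioner should keep in mind: the ACE is granted on the computer object of the server, so a user who is allowed to authenticate to APP01 still only gets whatever share or application ACLs on APP01 permit, and every further server the extranet machines must reach needs its own grant (or a group-based grant on an OU). Selective authentication only limits where trusted-forest accounts can be authenticated; it does not encrypt the trust traffic itself, which is the separate IPsec point raised in the thread.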
