One other variation to consider would be to replicate data from internal to 
external. Depending on how much interaction you intend to have, you may also 
want a two-way model for data, but..
 
Last thought: you may want to give Microsoft a call about that.  They have the 
same software available and similar business needs.  You might ask how they 
solved a similar problem ;)
 
Al

________________________________

From: [EMAIL PROTECTED] on behalf of Brian Desmond
Sent: Wed 9/7/2005 1:22 PM
To: [email protected]
Subject: RE: [ActiveDir] Which ports to open in the DMZ to communicate with AD & SQL...



Agreed.

In any case, you'll want to add to that list of ports 3268 for Global
Catalog, your DCOM range, and if you have a CA deployed, 636 and 3269 for
SSL LDAP and GC.

Thanks,
Brian Desmond
[EMAIL PROTECTED]

c - 312.731.3132



-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Jason B
Sent: Wednesday, September 07, 2005 12:58 PM
To: [email protected]
Subject: Re: [ActiveDir] Which ports to open in the DMZ to communicate with AD & SQL...

I appreciate the replies...  IPSec might be the way to go.
The problem with self-containing all the services is that the SQL server
that sharepoint needs to use is a DB that is also used internally - we need
to share this DB and some of the files with clients.  I think a better
approach might be to use a combination of the two...  putting the sharepoint
server in a new AD forest and just opening one port - 1433 - from the
sharepoint server in the DMZ to the SQL server in the LAN...

----- Original Message -----
From: "Al Mulnick" <[EMAIL PROTECTED]>
To: <[email protected]>
Sent: Wednesday, September 07, 2005 9:28 AM
Subject: RE: [ActiveDir] Which ports to open in the DMZ to communicate with AD & SQL...


<Disclaimer> what you're doing is a horribly bad idea from a security
perspective </Disclaimer>

You might have better luck setting up an IPSec tunnel from the DMZ host to
the internal domain controllers, DNS servers (if different) and the SQL
machine. You'd be even better off if you made it self-contained.  That is,
installed sharepoint, sql, AD on the same machine as a separate forest.

This came from a MOM agent in a DMZ scenario kb article and is essentially
the same for most of it.
http://support.microsoft.com/default.aspx?scid=kb;en-us;904866

Basically, you'll need the same ports because you want this to be a member
of the domain.  From there, you'll have to trace the calls from startup to
completion to ensure you have all of the allow rules you need for your
specific implementation.

UDP port 53 to support Domain Name System (DNS) queries and dynamic
registrations
UDP port 88 to support Kerberos
UDP port 123 to support Network Time Protocol (NTP)
TCP port 135 to support remote procedure calls (RPC)
UDP port 389 and TCP port 389 to support Lightweight Directory Access
Protocol (LDAP)
TCP port 445 to support server message block (SMB)

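The port list above, together with the additions in Brian Desmond's reply (3268 for the Global Catalog, 636 and 3269 when a CA is deployed, and the DCOM/RPC dynamic range), is easy to turn into a gap check against a firewall allow-list, which is the "trace the calls and make sure every allow rule is there" step in practice. The following is an added example, not code from this thread, from Microsoft or from the KB article. It assumes a constructed one-line-per-rule notation (`allow <proto> <port|lo-hi> <src> -> <dst>`), hypothetical host names (`dmz-sharepoint`, `dc01`, `sql01`), and an assumed configured DCOM range; the required-port table itself is only what the thread names.

```python
"""Gap-check a DMZ firewall allow-list against the ports an AD domain member needs.

Added example (not from the ActiveDir thread or Microsoft). The rule notation,
host names and the DCOM range in main() are constructed assumptions; the
required-port table reproduces the ports named in the thread.
"""
import re
from dataclasses import dataclass

# Assumed notation: "allow tcp 389 dmz-sharepoint -> dc01", ranges as "lo-hi",
# "any" allowed for src or dst, "#" starts a comment.
RULE_RE = re.compile(
    r"^allow\s+(tcp|udp)\s+(\d+)(?:-(\d+))?\s+(\S+)\s*->\s*(\S+)$", re.I)

# Ports a domain member needs to reach its DCs (KB 904866 list as quoted above).
BASE_REQUIRED = [
    ("udp", 53, "DNS queries and dynamic registration"),
    ("udp", 88, "Kerberos"),
    ("udp", 123, "NTP time sync"),
    ("tcp", 135, "RPC endpoint mapper"),
    ("udp", 389, "LDAP"),
    ("tcp", 389, "LDAP"),
    ("tcp", 445, "SMB"),
]
GC_REQUIRED = [("tcp", 3268, "Global Catalog")]
# Only relevant when a CA is deployed and LDAP/GC are used over SSL.
SSL_REQUIRED = [("tcp", 636, "LDAP over SSL"), ("tcp", 3269, "Global Catalog over SSL")]


@dataclass(frozen=True)
class Rule:
    proto: str
    lo: int
    hi: int
    src: str
    dst: str

    def matches(self, proto, port, src, dst):
        """True if this rule allows proto/port from src to dst."""
        return (self.proto == proto and self.lo <= port <= self.hi
                and self.src in (src, "any") and self.dst in (dst, "any"))


def parse_rules(text):
    """Parse the constructed allow-list notation; reject anything unrecognised."""
    rules = []
    for n, line in enumerate(text.splitlines(), 1):
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        m = RULE_RE.match(line)
        if not m:
            raise ValueError(f"line {n}: unrecognised rule: {line!r}")
        proto, lo, hi, src, dst = m.groups()
        lo, hi = int(lo), int(hi) if hi else int(lo)
        if not 0 < lo <= hi <= 65535:
            raise ValueError(f"line {n}: bad port range {lo}-{hi}")
        rules.append(Rule(proto.lower(), lo, hi, src, dst))
    return rules


def missing_ports(rules, src, dst, with_ca=False):
    """Required (proto, port, reason) entries that no rule allows from src to dst."""
    required = BASE_REQUIRED + GC_REQUIRED + (SSL_REQUIRED if with_ca else [])
    return [(proto, port, why) for proto, port, why in required
            if not any(r.matches(proto, port, src, dst) for r in rules)]


def uncovered_ranges(rules, src, dst, lo, hi, proto="tcp"):
    """Sub-ranges of [lo, hi] (e.g. the DCOM dynamic range) with no allow rule.

    Merges every matching rule's overlap with [lo, hi] and returns the holes.
    """
    spans = sorted((max(r.lo, lo), min(r.hi, hi)) for r in rules
                   if r.proto == proto and r.src in (src, "any")
                   and r.dst in (dst, "any") and r.lo <= hi and r.hi >= lo)
    gaps, cursor = [], lo
    for a, b in spans:
        if a > cursor:
            gaps.append((cursor, a - 1))
        cursor = max(cursor, b + 1)
    if cursor <= hi:
        gaps.append((cursor, hi))
    return gaps


def report(rule_text, src, dst, dcom_range, with_ca=False):
    rules = parse_rules(rule_text)
    lines = [f"Allow-list gaps for {src} -> {dst}:"]
    for proto, port, why in missing_ports(rules, src, dst, with_ca):
        lines.append(f"  missing {proto}/{port:<5} {why}")
    for a, b in uncovered_ranges(rules, src, dst, *dcom_range):
        lines.append(f"  DCOM range {a}-{b}/tcp has no allow rule")
    return "\n".join(lines)


# Constructed sample: the two rules from the original question plus a partial
# DCOM range, so the report shows what a member in the DMZ is still missing.
SAMPLE_RULES = """\
allow tcp 389  dmz-sharepoint -> dc01     # LDAP, already opened
allow tcp 1433 dmz-sharepoint -> sql01    # SQL, already opened
allow tcp 5000-5100 dmz-sharepoint -> dc01
"""

if __name__ == "__main__":
    # Assumed configured DCOM range; use whatever your DCs are actually set to.
    print(report(SAMPLE_RULES, "dmz-sharepoint", "dc01", (5000, 5200), with_ca=True))
```

Run as-is, the report lists every KB-port still missing from the DMZ host to the DC (only tcp/389 is satisfied), flags 636 and 3269 because `with_ca=True`, and shows 5101-5200 of the assumed DCOM range as uncovered. The 1433 rule to the SQL host is not checked here because the required table only covers member-to-DC traffic; add a separate table for the SQL host if you want that audited the same way.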

________________________________

From: [EMAIL PROTECTED] on behalf of Jason B
Sent: Wed 9/7/2005 12:05 PM
To: [email protected]
Subject: Re: [ActiveDir] Which ports to open in the DMZ to communicate with AD & SQL...



Because this will be a sharepoint server for clients.  Regardless, that
decision has already been made and I don't have any input into it.
Any info on the ports I'd need open?

----- Original Message -----
From: "ASB" <[EMAIL PROTECTED]>
To: <[email protected]>
Sent: Wednesday, September 07, 2005 8:45 AM
Subject: Re: [ActiveDir] Which ports to open in the DMZ to communicate with AD & SQL...


Why did you decide to put it in the DMZ?

-ASB

On 9/7/05, Jason B <[EMAIL PROTECTED]> wrote:
> We are putting a MS sharepoint server in the DMZ and need to have it on the
> domain and communicating with a SQL server on the domain.  Because of these
> needs, we only want to open the minimum number of ports to get
> functionality.  We have LDAP (389) opened and SQL (1433) opened.  What other
> ports will we need to open to be able to log in on the sharepoint server
> with a domain account?  Currently, with only these two ports opened, a
> domain account can't log on to the sharepoint server in the DMZ.
List info   : http://www.activedir.org/List.aspx
List FAQ    : http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/