I've done it as well under W2K.  I'm not a fan for the same reasons that Aric 
pointed out about riding the tunnel to the trusted network. To take it a step 
further, if somebody overran your DMZ sharepoint host, you may as well hand 
them the keys and the checkbook as well.  They now own and have the ability to 
elevate their privileges uninterrupted because you've given a trusted and 
encrypted route into your trusted network.  You have no way to know that 
anything has happened until long after it has. It was not supported in W2K but 
that restriction was changed for W2K3.  The main restriction was the 
workstation startup communication couldn't be encrypted and still function. 
 
Since security is all about risk vs. reward, I think it's fair to say the risk 
is higher in this scenario vs. others and for that reason I would put an IPSec 
tunnel low on my list. It's an option that should be considered, but one that 
shouldn't really see the light of day in most situations.  
 
ISA is a good option, as are other layer-7 firewall devices that can publish this 
according to your security policies. My opinion anyway. 
 
Aric, I'm glad you didn't mean to put isa and sp on the same semi-trusted 
network.  I was pretty sure you didn't but I think the conversation has a lot 
of value  :)
 
-ajm
 
 

________________________________

From: [EMAIL PROTECTED] on behalf of Bernard, Aric
Sent: Thu 9/8/2005 1:26 AM
To: [email protected]
Subject: RE: [ActiveDir] Which ports to open in the DMZ to communicate with AD & SQL...



Yes, in fact I have implemented this (under Windows 2000).

 

________________________________

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Tony Murray
Sent: Wednesday, September 07, 2005 7:44 PM
To: [email protected]
Subject: RE: [ActiveDir] Which ports to open in the DMZ to communicate with AD & SQL...

 

Using certificates to allow IPSec between clients/member servers and DCs sounds 
good.  Has anyone actually done this?  I'd be interested, as I'm surprised the 
KB article didn't mention this as an alternative.  I've also heard (more than 
once) some statements from MS people to the effect that "IPSec between member 
servers and DCs is not supported".

 

Tony

 

________________________________

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Phil Renouf
Sent: Thursday, 8 September 2005 2:30 p.m.
To: [email protected]
Subject: Re: [ActiveDir] Which ports to open in the DMZ to communicate with AD & SQL...

That was the way that I understood that paragraph as well.

 

And to give a little more information about Aric's point on not being able to 
monitor the traffic between the DMZ host and the DCs; that is why it is 
important to have an Intrusion Detection/Intrusion Prevention system in place. 
Even in a small shop this can save you a lot of headaches if properly 
maintained and will let you monitor for malicious traffic on the DMZ host and 
the DCs. It is a good way to mitigate many security admins' concerns about 
opening encrypted tunnels through the firewalls. 

 

Phil
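The two recurring questions in this thread are which flows a DMZ member server legitimately needs into the trusted network, and how you would notice when a compromised DMZ host starts doing something else through an allowed path. The script below is an added example written for this reply, not code from the thread or from Microsoft: it encodes the expected flows (the well-known ports a domain member uses on a DC, plus SQL on 1433) as an allow-list and runs a batch of constructed firewall flow records against it, alerting on anything the policy never accounted for. The host addresses, the log line format and the log lines themselves are constructed assumptions; the AD port set and the Windows 2000/2003 default dynamic RPC range (1025-5000) are general knowledge rather than text from the thread.

```python
"""
Allow-list audit of flows from a DMZ host into the trusted network.

Added example, not code from the ActiveDir thread. The addresses, the log
format and the log lines are constructed; the port list is the well-known
set a domain member needs to reach on a domain controller.
"""
import ipaddress

# Constructed addresses (assumption, not from the thread).
DMZ_HOST = "192.0.2.10"   # SharePoint server in the DMZ
DC = "10.0.0.10"          # domain controller on the trusted network
SQL = "10.0.0.20"         # SQL server on the trusted network
INTERNAL_NET = ipaddress.ip_network("10.0.0.0/8")

# Well-known services a domain member uses on a DC, keyed by (proto, port).
AD_PORTS = {
    ("udp", 53): "DNS", ("tcp", 53): "DNS",
    ("udp", 88): "Kerberos", ("tcp", 88): "Kerberos",
    ("udp", 123): "NTP (time sync for Kerberos)",
    ("tcp", 135): "RPC endpoint mapper",
    ("udp", 389): "LDAP (CLDAP DC locator)", ("tcp", 389): "LDAP",
    ("tcp", 445): "SMB (SYSVOL, Netlogon)",
    ("tcp", 464): "Kerberos password change",
    ("udp", 464): "Kerberos password change",
    ("tcp", 636): "LDAP over SSL",
    ("tcp", 3268): "Global Catalog",
}
# Default dynamic RPC range on Windows 2000/2003: the bulk of the "swiss cheese".
RPC_DYNAMIC = range(1025, 5001)

# Policy: (dst, proto, dport) -> service name for every flow we expect.
ALLOWED = {(DC, proto, port): svc for (proto, port), svc in AD_PORTS.items()}
ALLOWED[(SQL, "tcp", 1433)] = "SQL Server"


def parse_flow(line):
    """Parse one constructed log line:
    '<date> <time> <action> <proto> <src>:<sport> -> <dst>:<dport>'"""
    date, time, action, proto, src, _arrow, dst = line.split()
    src_ip, sport = src.rsplit(":", 1)
    dst_ip, dport = dst.rsplit(":", 1)
    return {"ts": f"{date} {time}", "action": action, "proto": proto,
            "src": src_ip, "sport": int(sport), "dst": dst_ip, "dport": int(dport)}


def classify(flow):
    """Return (category, reason) for a single flow."""
    if flow["src"] != DMZ_HOST or ipaddress.ip_address(flow["dst"]) not in INTERNAL_NET:
        return "ignored", "not a DMZ-host-to-internal flow"
    key = (flow["dst"], flow["proto"], flow["dport"])
    if key in ALLOWED:
        return "expected", ALLOWED[key]
    if flow["dst"] == DC and flow["proto"] == "tcp" and flow["dport"] in RPC_DYNAMIC:
        return "expected", "RPC dynamic port on the DC"
    return "unexpected", "no policy entry for this destination/port"


def audit(log_text):
    """Group every flow in the log by category; 'unexpected' is the alert list."""
    result = {"expected": [], "unexpected": [], "ignored": []}
    for line in log_text.splitlines():
        if line.strip():
            flow = parse_flow(line)
            category, reason = classify(flow)
            result[category].append((flow, reason))
    return result


# Constructed sample log: a normal domain logon plus SQL, then two flows
# the policy never allowed (SMB to the SQL box, RDP to a workstation) and
# one flow that leaves the internal network and is out of scope here.
SAMPLE_LOG = """\
2005-09-08 01:12:03 allow udp 192.0.2.10:1030 -> 10.0.0.10:53
2005-09-08 01:12:03 allow tcp 192.0.2.10:1031 -> 10.0.0.10:88
2005-09-08 01:12:04 allow tcp 192.0.2.10:1032 -> 10.0.0.10:389
2005-09-08 01:12:04 allow tcp 192.0.2.10:1033 -> 10.0.0.10:445
2005-09-08 01:12:05 allow tcp 192.0.2.10:1034 -> 10.0.0.10:135
2005-09-08 01:12:05 allow tcp 192.0.2.10:1035 -> 10.0.0.10:1026
2005-09-08 01:12:06 allow tcp 192.0.2.10:1036 -> 10.0.0.20:1433
2005-09-08 01:13:40 allow tcp 192.0.2.10:1037 -> 10.0.0.20:445
2005-09-08 01:13:41 allow tcp 192.0.2.10:1038 -> 10.0.0.55:3389
2005-09-08 01:13:42 allow tcp 192.0.2.10:1039 -> 198.51.100.7:443
"""

if __name__ == "__main__":
    report = audit(SAMPLE_LOG)
    for flow, reason in report["unexpected"]:
        print(f"ALERT {flow['ts']} {flow['proto']} {flow['src']} -> "
              f"{flow['dst']}:{flow['dport']} ({reason})")
    print(f"{len(report['expected'])} expected, "
          f"{len(report['unexpected'])} unexpected, {len(report['ignored'])} ignored")
```

Every record in the sample was logged as "allow", which is the point of the thread's worry: once a tunnel or a wide port range is open, the firewall stops being the control and the policy table is what tells you a flow is wrong. If those flows ride an IPSec tunnel, a sensor sitting between the firewall and the DC sees only ESP, so records like these have to come from the tunnel endpoints (the DC or the DMZ host), which is where a host-based IDS or the Windows IPSec/firewall logs belong. The keys of ALLOWED plus the dynamic RPC range also double as the answer to the original question: without a tunnel, that is the set of holes a domain logon from the DMZ needs.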

 

On 9/7/05, Bernard, Aric <[EMAIL PROTECTED]> wrote: 

The quote relates to when you are using Kerberos as the method to setup the 
secure connection (ISAKMP).  If you use certificates then IPSec can be used 
end-to-end between clients/member servers and DCs. 

 

Aric

 

________________________________

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Tony Murray
Sent: Wednesday, September 07, 2005 5:24 PM
To: [email protected]
Subject: RE: [ActiveDir] Which ports to open in the DMZ to communicate with AD & SQL...

 

Hi Phil

 

Here's the text I was referring to:

 

Currently, we do not support using IPSec to encrypt network traffic from a 
domain member server to a domain controller when you apply the IPSec policies 
by using Group Policy or when you use the Kerberos authentication method. 

The goal with IPSec is to encrypt the traffic between the two sides and with 
the scenario described below you would need Kerberos authentication.  Or have I 
missed something? 

 

Tony

 

________________________________

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Phil Renouf
Sent: Thursday, 8 September 2005 11:02 a.m.
To: [email protected] 
Subject: Re: [ActiveDir] Which ports to open in the DMZ to communicate with AD & SQL...

Did I miss something in that article? I don't see where it says client > DC via 
IPSec is not supported; just that you can't encrypt Kerberos traffic. 

 

Phil

 

On 9/7/05, Tony Murray <[EMAIL PROTECTED]> wrote: 

> If you absolutely HAVE to then I would prefer to look at using IPSec for 
> communication between the Sharepoint box and your DC's 

 

IPSec would be good, but it isn't supported between member servers and DCs.

 

http://support.microsoft.com/default.aspx?scid=kb;en-us;Q254949

 

Tony

 

________________________________

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Phil Renouf
Sent: Thursday, 8 September 2005 4:20 a.m.
To: [email protected]
Subject: Re: [ActiveDir] Which ports to open in the DMZ to communicate with AD & SQL...




  

I would look at putting the Sharepoint server on the internal network and 
deploy an ISA server in the DMZ and use Web Publishing or Server Publishing to 
get your external clients access to the site. If you want to open access from 
the DMZ to your AD Forest your firewall will be swiss cheese from all the ports 
that need to be open. 

 

If you absolutely HAVE to then I would prefer to look at using IPSec for 
communication between the Sharepoint box and your DCs. That leaves you only 
needing the IPSec port open and not the very large number of ports to support 
AD communication. 

 

http://support.microsoft.com/kb/q179442/ 
 

Phil
 

On 9/7/05, Jason B <[EMAIL PROTECTED]> wrote: 

Because this will be a sharepoint server for clients.  Regardless, that
decision has already been made and I don't have any input into it. 
Any info on the ports I'd need open? 

----- Original Message -----
From: "ASB" <[EMAIL PROTECTED]>
To: <[email protected]>
Sent: Wednesday, September 07, 2005 8:45 AM 
Subject: Re: [ActiveDir] Which ports to open in the DMZ to communicate with AD & SQL...


Why did you decide to put it in the DMZ? 

-ASB

On 9/7/05, Jason B <[EMAIL PROTECTED]> wrote:
> We are putting a MS sharepoint server in the DMZ and need to have it on the
> domain and communicating with a SQL server on the domain.  Because of these
> needs, we only want to open the minimum number of ports to get
> functionality.  We have LDAP (389) opened and SQL (1433) opened.  What other
> ports will we need to open to be able to log in on the sharepoint server
> with a domain account?  Currently, with only these two ports opened, a
> domain account can't log on to the sharepoint server in the DMZ. 
List info   : http://www.activedir.org/List.aspx
List FAQ    : http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ 

 

________________________________

This e-mail message has been scanned for Viruses and Content and cleared by 
NetIQ MailMarshal at Gen-i Limited 

________________________________
