This has been a GREAT discussion and I have received a lot of useful info. I really appreciate the replies, suggestions, slams and help. I think I am going to revisit trying to have the SharePoint server moved to the LAN and see if I can't convince the powers that be to apportion an ISA license and hardware appropriate for running ISA to put on the DMZ. We already have a SharePoint server on the LAN... I am not too familiar with SharePoint, but I wonder if the existing SharePoint server can handle both the internal and external users... That's a question for another group, I guess.

Anyway, I gathered quite a bit from the posts and discussion, but what are the main specific and concrete points that I am going to want to bring up to dissuade them from having the SharePoint server on the DMZ? My expertise isn't in the hardware/networking aspect of configuration, but I know enough that I am not comfortable opening all the ports for AD auth from the DMZ to the LAN. Our network admin didn't think that it was a big deal to open the ports since it was "only on the DMZ" and he could control the traffic that was allowed to the DMZ.


----- Original Message -----
From: "Al Mulnick" <[EMAIL PROTECTED]>
To: <[email protected]>
Sent: Wednesday, September 07, 2005 5:04 PM
Subject: RE: [ActiveDir] Which ports to open in the DMZ to communicate with AD & SQL...


Looks like we have plenty of ideas and opinions ;)

ISA is a great way to deal with this, but I believe the decision was made to put the SP machine in the DMZ regardless of the technical merit or viability. And whether or not it is a good idea. That said, ISA doesn't offer much if you put it AND this machine in a semi-trusted network (for whatever that means these days.)

Shame there's no leeway though. The downside to using IPSec is that, as others have pointed out, it won't work on member server <-> DC for W2K servers (limitation of the OS) but will for 2K3 member servers, but that still leaves you with a secure channel from the DMZ host to your internal network. That means you can't monitor the traffic from the DMZ to your internal network because it's encrypted (sounds like a broken record, I know.)

Too bad you can't sway the decision makers to do this differently. But hopefully you've received a lot of ideas to pick from.

Best of luck,
Al



________________________________

From: [EMAIL PROTECTED] on behalf of Bernard, Aric
Sent: Wed 9/7/2005 7:40 PM
To: [email protected]
Subject: RE: [ActiveDir] Which ports to open in the DMZ to communicate with AD & SQL...



I agree with Phil - I think using an ISA (or other reverse proxy solution) is the best way to go given your constraints.



Using a reverse proxy solution allows you the following:

1. Keep your SharePoint server behind the firewall, yet make it accessible to external clients as if it were in the DMZ.
2. Restrict your [additional] holes through the firewall to only those needed by the reverse proxy solution to interact with the SharePoint server (port 80).



BTW - this scenario is becoming extremely common. The next common addition you will see to this will likely be the use of ADFS to provide an identity trust bridge between the internal forest and a partner forest (or other identity system).



Regards,



Aric Bernard



________________________________

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Phil Renouf
Sent: Wednesday, September 07, 2005 9:20 AM
To: [email protected]
Subject: Re: [ActiveDir] Which ports to open in the DMZ to communicate with AD & SQL...



I would look at putting the SharePoint server on the internal network and deploying an ISA server in the DMZ, and use Web Publishing or Server Publishing to get your external clients access to the site. If you want to open access from the DMZ to your AD forest, your firewall will be swiss cheese from all the ports that need to be open.



If you absolutely HAVE to, then I would prefer to look at using IPSec for communication between the SharePoint box and your DCs. That leaves you only needing the IPSec port open and not the very large number of ports to support AD communication.



http://support.microsoft.com/kb/q179442/


Phil


On 9/7/05, Jason B <[EMAIL PROTECTED]> wrote:

Because this will be a sharepoint server for clients.  Regardless, that
decision has already been made and I don't have any input into it.
Any info on the ports I'd need open?

----- Original Message -----
From: "ASB" <[EMAIL PROTECTED]>
To: <[email protected]>
Sent: Wednesday, September 07, 2005 8:45 AM
Subject: Re: [ActiveDir] Which ports to open in the DMZ to communicate with AD & SQL...


Why did you decide to put it in the DMZ?

-ASB

On 9/7/05, Jason B <[EMAIL PROTECTED]> wrote:
We are putting an MS SharePoint server in the DMZ and need to have it on the domain and communicating with a SQL server on the domain. Because of these needs, we only want to open the minimum number of ports to get functionality. We have LDAP (389) opened and SQL (1433) opened. What other ports will we need to open to be able to log in on the SharePoint server with a domain account? Currently, with only these two ports opened, a domain account can't log on to the SharePoint server in the DMZ.
List info   : http://www.activedir.org/List.aspx
List FAQ    : http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/



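Jason's question ("what other ports will we need to open?") and Phil's "swiss cheese" remark come down to a concrete port list. The script below is an added example, not from the thread or from any of the posters: it lists the TCP ports a domain-joined member server has to reach on its domain controllers (the standard member-to-DC set from the Microsoft KB article Phil linked, with the RPC dynamic range noted in comments) and probes each one from the DMZ host with a plain TCP connect. The domain controller names are an assumption for illustration; substitute your own.

```powershell
# Added example, not from the thread: the TCP ports a domain member in the DMZ
# must reach on its domain controllers, and a quick reachability check for each
# one from the DMZ host. The port set is the standard member-server-to-DC list
# (see KB 179442 linked above); the DC names are an assumption for illustration.

$DomainControllers = @('dc1.corp.example', 'dc2.corp.example')   # assumption: your DCs here

# TCP ports a member server uses against a DC for domain join, logon and Group Policy.
$AdTcpPorts = @{
    53   = 'DNS (only if the DC is the DNS server the DMZ host is pointed at)'
    88   = 'Kerberos'
    135  = 'RPC endpoint mapper'
    389  = 'LDAP'
    445  = 'SMB (SYSVOL / Netlogon share, Group Policy)'
    464  = 'Kerberos password change'
    636  = 'LDAP over SSL'
    3268 = 'Global Catalog LDAP'
    3269 = 'Global Catalog LDAP over SSL'
}

# UDP is also used (DNS 53, Kerberos 88, NTP 123, LDAP "ping" 389); a TCP connect
# cannot probe it, so those rules have to be verified on the firewall itself.
# On top of the fixed ports, Netlogon and SAM/LSA RPC land in the dynamic RPC range
# (TCP 1025-5000 on Windows 2000/2003, 49152-65535 on 2008 and later), which is what
# turns the firewall into "swiss cheese" unless the DC pins those services to fixed
# ports via HKLM\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters\DCTcpipPort
# and HKLM\SYSTEM\CurrentControlSet\Services\NTDS\Parameters\"TCP/IP Port".

function Test-TcpPort {
    # Plain TCP connect with a timeout; works on PowerShell 2.0 era hosts as well.
    param([string]$Server, [int]$Port, [int]$TimeoutMs = 2000)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $ar = $client.BeginConnect($Server, $Port, $null, $null)
        if (-not $ar.AsyncWaitHandle.WaitOne($TimeoutMs, $false)) { return $false }
        $client.EndConnect($ar)
        return $true
    } catch {
        return $false
    } finally {
        $client.Close()
    }
}

function Test-AdPortReachability {
    # One result object per (DC, port) pair; Open=$false means the firewall (or the DC) blocks it.
    param([string[]]$Servers, [hashtable]$Ports)
    foreach ($s in $Servers) {
        foreach ($p in ($Ports.Keys | Sort-Object)) {
            New-Object PSObject -Property @{
                Server  = $s
                Port    = $p
                Service = $Ports[$p]
                Open    = (Test-TcpPort -Server $s -Port $p)
            }
        }
    }
}

$results = Test-AdPortReachability -Servers $DomainControllers -Ports $AdTcpPorts
$results | Sort-Object Server, Port | Format-Table Server, Port, Open, Service -AutoSize

# Anything reported Open=False is a port the firewall still blocks. The question to
# put to the network admin is whether every one of them should be opened DMZ -> LAN;
# that list, plus the RPC dynamic range, is the real cost of domain-joining the DMZ host.
$blocked = @($results | Where-Object { -not $_.Open })
if ($blocked.Count -gt 0) {
    Write-Warning ("{0} required TCP port(s) blocked from this host" -f $blocked.Count)
}
```

Run it from the DMZ host itself, since that is the path the firewall rules actually govern. The IPsec alternative Phil mentions collapses this rule set, but not to a single port: the firewall still has to pass IKE (UDP 500, plus UDP 4500 when NAT traversal is in play) and the ESP payload (IP protocol 50, or AH, protocol 51), and as Al points out the traffic inside that tunnel is then opaque to any IDS or firewall logging between the DMZ and the LAN. The reverse-proxy layout Aric and Phil describe avoids the whole list, because only the proxy's port 80/443 to the SharePoint box crosses the boundary and the domain-member traffic never leaves the LAN.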
