That should suffice for a good while for hardware.
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Jason B
Sent: Thursday, September 08, 2005 7:35 PM
To: [email protected]
Subject: Re: [ActiveDir] Which ports to open in the DMZ to communicate with AD & SQL...
The SP server is a dual proc Xeon 3GHz w/4GB RAM. That should be able to handle FAR more load than we - er, they - plan to have on it.

For SQL, we'll have to create a trust for now. While it would be better to have another SQL server in the new domain and just replicate/silo the DB's between the SQL servers, the cost for another SQL license will be too much to bear at this point. I fear that I am going to have to make do with what we have in regards to hardware and software for now, but I am hoping to be able to squeak out that ISA server.
----- Original Message -----
Sent: Thursday, September 08, 2005 4:04 PM
Subject: RE: [ActiveDir] Which ports to open in the DMZ to communicate with AD & SQL...
> What kind of load are you looking at putting on this sharepoint server? A single server setup as you mentioned is not a very high powered setup...
>
> What are you doing about the SQL? Sharepoint uses integrated auth for connecting between servers.
>
> Thanks,
> Brian Desmond
> [EMAIL PROTECTED]
>
> c - 312.731.3132
>
>
>
> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Jason B
> Sent: Thursday, September 08, 2005 6:56 PM
> To: [email protected]
> Subject: Re: [ActiveDir] Which ports to open in the DMZ to communicate with AD & SQL...
>
> Al, Brian and others - thanks!
>
> I wasn't involved in the original plan for setting this extranet up, but overheard talk about it and didn't like the plans everyone else was making for my AD infrastructure. So I jumped into the fray after all the decisions had been made and hardware/software purchased, but better late than never. Originally, they wanted it set up with the SP server in the DMZ and ports opened to the LAN to "make it work" talking to SQL and AD. The plan had them putting extranet users and clients in our internal AD domain and giving non-technical employees the ability to add/remove clients from an OU. Bad mojo.
>
> I was able to convince them to allow me to set up the SP server as a DC in a new forest so as to avoid putting the extranet users in our AD domain. That was the "easy" part. Another SQL license is definitely not in the budget, so that was an easy decision. Now, I am going to try to convince them to move the SP server into the LAN side, close the ports from the DMZ to LAN and throw ISA server in the DMZ to serve up the extranet clients. I think I can get them to go for it with some doom and gloom scenarios.
>
> Again, thanks for the suggestions and advice.
>
> --Jason
>
> ----- Original Message -----
> From: "Brian Desmond" <[EMAIL PROTECTED]>
> To: <[email protected]>
> Sent: Thursday, September 08, 2005 3:14 PM
> Subject: RE: [ActiveDir] Which ports to open in the DMZ to communicate with AD & SQL...
>
>
>> I am, perhaps unfortunately, quite familiar with Sharepoint.
>>
>> Your sharepoint server like any other member server can be a member of one domain. If your extranet users are in a domain trusted by the server's domain or another domain in the forest, you can just service them with multiple portals. You can have up to I think it's 50 portals per frontend. Of course, I don't really recommend having your extranet accounts in your corp forest...
>>
>> I used to have my sharepoint environment sitting in a "DMZ" subnet. It was hell dealing with the spaghetti mess of ports on the checkpoints. Now we have this special subnet that the WAN people call the AD Load Balanced subnet. It's a class C that sits on the Cisco CSM and SSM modules in a couple of 6509s. The subnet hangs off a PIX FWSM vlan interface, and they have all the ports for domain joined machines open from that subnet to the DCs. It's actually pretty easy. The Windows folks gave the WAN folks a comprehensive list of ports that need to be open for AD, a/v, mgmt, etc, and they made PIX and Checkpoint rules for that subnet. Now when we need to load balance anything domain joined, the servers just go in this subnet, they setup the CSMs, and then the firewall people just have to add additional special rules (like connecting to SQL, for example).
>>
>>
>> Thanks,
>> Brian Desmond
>> [EMAIL PROTECTED]
>>
>> c - 312.731.3132
>>
>>
>>
>> -----Original Message-----
>> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Jason B
>> Sent: Thursday, September 08, 2005 4:37 PM
>> To: [email protected]
>> Subject: Re: [ActiveDir] Which ports to open in the DMZ to communicate with AD & SQL...
>>
>> This has been a GREAT discussion and I have received a lot of useful info. I really appreciate the replies, suggestions, slams and help. I think I am going to revisit trying to have the sharepoint server moved to the LAN and see if I can't convince the powers that be to apportion an ISA license and hardware appropriate for running ISA to put on the DMZ. We already have a sharepoint server on the LAN... I am not too familiar with sharepoint, but I wonder if the existing sharepoint server can handle both the internal and external users... That's a question for another group, I guess.
>>
>> Anyway, I gathered quite a bit from the posts and discussion, but what are the main specific and concrete points that I am going to want to bring up to dissuade them from having the sharepoint server on the DMZ? My expertise isn't in the hardware/networking aspect of configuration, but I know enough that I am not comfortable opening all the ports for AD auth from the DMZ to the LAN. Our network admin didn't think that it was a big deal to open the ports since it was "only on the DMZ" and he could control the traffic that was allowed to the DMZ.
>>
>>
>> ----- Original Message -----
>> From: "Al Mulnick" <[EMAIL PROTECTED]>
>> To: <[email protected]>
>> Sent: Wednesday, September 07, 2005 5:04 PM
>> Subject: RE: [ActiveDir] Which ports to open in the DMZ to communicate with AD & SQL...
>>
>>
>> Looks like we have plenty of ideas and opinions ;)
>>
>> ISA is a great way to deal with this, but I believe the decision was made to put the SP machine in the DMZ regardless of the technical merit or viability. And whether or not it is a good idea. That said, ISA doesn't offer much if you put it AND this machine in a semi-trusted network (for whatever that means these days.)
>>
>> Shame there's no leeway though. The downside to using IPSec is that as others have pointed out, it won't work on member server <-> DC for W2K servers (limitation of the OS) but will for 2K3 member servers but that still leaves you with a secure channel from the DMZ host to your internal network. That means you can't monitor the traffic from the DMZ to your internal network because it's encrypted (sounds like a broken record, I know.)
>>
>> Too bad you can't sway the decision makers to do this differently. But hopefully you've received a lot of ideas to pick from.
>>
>> Best of luck,
>> Al
>>
>>
>>
>> ________________________________
>>
>> From: [EMAIL PROTECTED] on behalf of Bernard, Aric
>> Sent: Wed 9/7/2005 7:40 PM
>> To: [email protected]
>> Subject: RE: [ActiveDir] Which ports to open in the DMZ to communicate with AD & SQL...
>>
>> I agree with Phil - I think using an ISA (or other reverse proxy solution) is the best way to go given your constraints.
>>
>> Using a reverse proxy solution allows you the following:
>>
>> 1. Keep your Sharepoint server behind the firewall, yet make it accessible to external clients as if it was in the DMZ.
>> 2. Restrict your [additional] holes through the firewall to only that needed by the reverse proxy solution to interact with the Sharepoint server (port 80).
>>
>> BTW - this scenario is becoming extremely common. The next common addition you will see to this will likely be the use of ADFS to provide an identity trust bridge between the internal forest and a partner forest (or other identity system).
>>
>> Regards,
>>
>> Aric Bernard
>>
>>
>>
>> ________________________________
>>
>> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Phil Renouf
>> Sent: Wednesday, September 07, 2005 9:20 AM
>> To: [email protected]
>> Subject: Re: [ActiveDir] Which ports to open in the DMZ to communicate with AD & SQL...
>>
>> I would look at putting the Sharepoint server on the internal network and deploy an ISA server in the DMZ and use Web Publishing or Server Publishing to get your external clients access to the site. If you want to open access from the DMZ to your AD Forest your firewall will be swiss cheese from all the ports that need to be open.
>>
>> If you absolutely HAVE to then I would prefer to look at using IPSec for communication between the Sharepoint box and your DC's. That leaves you only needing the IPSec port open and not the very large number of ports to support AD communication.
>>
>> http://support.microsoft.com/kb/q179442/
>>
>> Phil
>>
>>
>> On 9/7/05, Jason B <[EMAIL PROTECTED]> wrote:
>>
>> Because this will be a sharepoint server for clients. Regardless, that decision has already been made and I don't have any input into it. Any info on the ports I'd need open?
>>
>> ----- Original Message -----
>> From: "ASB" <[EMAIL PROTECTED]>
>> To: <[email protected]>
>> Sent: Wednesday, September 07, 2005 8:45 AM
>> Subject: Re: [ActiveDir] Which ports to open in the DMZ to communicate with AD & SQL...
>>
>>
>> Why did you decide to put it in the DMZ?
>>
>> -ASB
>>
>> On 9/7/05, Jason B <[EMAIL PROTECTED]> wrote:
>>> We are putting a MS sharepoint server in the DMZ and need to have it on the domain and communicating with a SQL server on the domain. Because of these needs, we only want to open the minimum number of ports to get functionality. We have LDAP (389) opened and SQL (1433) opened. What other ports will we need to open to be able to log in on the sharepoint server with a domain account? Currently, with only these two ports opened, a domain account can't log on to the sharepoint server in the DMZ.
>> List info : http://www.activedir.org/List.aspx
>> List FAQ : http://www.activedir.org/ListFAQ.aspx
>> List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
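The original question (LDAP and SQL open, but domain logon still failing) and Brian's "spaghetti mess of ports" both come down to the same check: which of the ports a domain-joined server needs on a DC does the firewall actually pass? The script below is an added example, not code from the thread or from any of its posters; it generalises Jason's two-port case to the full list of fixed AD ports, assumes a placeholder DC name, and relies on Test-NetConnection (Windows 8 / Server 2012 or later), which only probes TCP.

```powershell
# Added example, not from the thread. Run on the prospective member server to see
# which DC ports the DMZ-to-LAN firewall really lets through.
# Assumes Test-NetConnection (Windows 8 / Server 2012 or later) and a DC name,
# which is a placeholder here.
param([string]$DomainController = 'dc01.corp.example')   # placeholder DC name

# Fixed TCP ports a member server needs to reach on a DC for domain logon and
# group policy. RPC (135) additionally hands out ephemeral ports (1025-5000 on
# Windows 2000/2003, 49152-65535 on 2008 and later) that no fixed list can cover;
# DNS, Kerberos and NTP also use UDP, which this TCP-only check does not exercise.
$AdPorts = [ordered]@{
    53   = 'DNS'
    88   = 'Kerberos'
    135  = 'RPC endpoint mapper'
    389  = 'LDAP'
    445  = 'SMB (SYSVOL/NETLOGON, Netlogon RPC)'
    464  = 'Kerberos password change'
    636  = 'LDAP over SSL'
    3268 = 'Global Catalog'
}

function Test-DcPortReachability {
    param([string]$Target, [System.Collections.IDictionary]$Ports)
    foreach ($entry in $Ports.GetEnumerator()) {
        # -InformationLevel Quiet makes Test-NetConnection return a plain boolean.
        $open = Test-NetConnection -ComputerName $Target -Port $entry.Key `
                                   -InformationLevel Quiet -WarningAction SilentlyContinue
        [pscustomobject]@{
            Port    = $entry.Key
            Service = $entry.Value
            Open    = $open
        }
    }
}

$results = Test-DcPortReachability -Target $DomainController -Ports $AdPorts
$results | Format-Table -AutoSize

# Anything listed here is a port the firewall blocks; with only 389 and 1433 open,
# as in the original question, Kerberos (88) and SMB (445) will show up blocked.
$blocked = $results | Where-Object { -not $_.Open }
if ($blocked) {
    Write-Host "Blocked on ${DomainController}: $($blocked.Port -join ', ')"
}
```

The length of the resulting rule set, plus the ephemeral RPC range the comment mentions, is the concrete argument Jason was asking for: it is what a reverse proxy in the DMZ (a single port 80/443 rule) or an IPSec tunnel reduces to one or two entries.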