I thought his original request was to make sure that no other client talks to the isolated server except those permitted.
 

Sincerely,
Deji Akomolafe
Microsoft MVP - Directory Services
www.akomolafe.com - we know IT
-5.75, -3.23
Do you now realize that Today is the Tomorrow you were worried about Yesterday? -anon


From: Matt Hargraves
Sent: Wed 9/13/2006 7:26 AM
To: [email protected]
Subject: Re: [ActiveDir] Isolating a DC

Isolating via site will still leave the DC available in case of emergencies (your authentication DCs go down), whereas IPSec makes them completely unavailable for any purposes for clients.  I've actually never heard of anyone doing this and would consider it a very bad idea unless you have significant redundancy in your 'normal' environment.

BTW, from a Microsoft presentation a little over a year ago, they have 4 Exchange server sites, only 1 of them (Redmond) isolates their DCs from authentication and reserves it for Exchange, the other 3 use their Exchange (a *very* DC/GC intensive app) servers for authentication also.

Site is only a logical separation.  IPSec might as well be a physical barrier.  Unless there is a serious reason why you would rather have none of your clients able to authenticate instead of authenticating against these DCs (as I said, in case of an emergency), then you should probably avoid putting an IP filter on these boxes.  If you isolate via site, then the only way that clients are going to authenticate against them is if all DCs are down in their site, which since you're a single physical site org, means that all of the authentication DCs are down, which is probably a more serious problem than "OMG, a (gasp) *user* authenticated against my application DC".



On 9/13/06, Lucas, Bryan <[EMAIL PROTECTED]> wrote:
Thanks to all for the responses.

This (isolating via ipsec) is probably the right direction for me.
We're a single site, single domain at a single physical location, but
the idea of building another site isn't appealing from a "keep it
simple" perspective.

Are there any technical reasons why a separate site would be better than
isolation through IPSec?  Will I cause clients/apps, who initially don't
know they are denied, delays when they try to access the ipsec isolated
DC?

Bryan Lucas
Server Administrator
Texas Christian University
-----Original Message-----
From: [EMAIL PROTECTED]
[mailto: [EMAIL PROTECTED]] On Behalf Of James Eaton-Lee
Sent: Wednesday, September 13, 2006 5:39 AM
To: [email protected]
Subject: Re: [ActiveDir] Isolating a DC

Akomolafe, Deji wrote:

> I highly recommend that you read
> http://www.windowsitpro.com/articles/print.cfm?articleid=37935
>
> Then, as a fall-back option, look for the isolation using IPSec
> whitepapers on Microsoft site. I can't find them now, but I know that
> they exist. They show you how to restrict communication with a
> specific server or network using IPSec.
>
I think what you're referring to is the excellent "Server and Domain
Isolation using IPSec" content, at:

http://www.microsoft.com/technet/security/topics/architectureanddesign/ipsec/default.mspx

If all you're looking for is host-based firewalling, however,
there's other content online that'll explain this a little more
concisely, such as this presentation from the Virginia Tech Windows
Users Group:

http://vtwug.w2k.vt.edu/pdf/w2k_ipsec_firewall.pdf#search=%22using%20ipsec%20as%20a%20firewall%22

And also "Using IPSec to Lock Down a Server" from TechNet.

http://www.microsoft.com/technet/itsolutions/network/security/ipsecld.mspx

Hope that helps!

- James.

--

James (njan) Eaton-Lee | 10807960 | http://www.jeremiad.org/

Semper Monemus Sed Non Audiunt, Ergo Lartus - (Jean-Croix)

sites: https://www.bsrf.org.uk/ ~ http://www.security-forums.com/

  ca: https://www.cacert.org/index.php?id=3

List info   : http://www.activedir.org/List.aspx
List FAQ    : http://www.activedir.org/ListFAQ.aspx
List archive: http://www.activedir.org/ml/threads.aspx