netcomm wrote:
>
> Hi
>
> I was just wondering what are the implications of having a one-way trust
> relationship between a DMZ domain and another domain inside the internal
> network behind a firewall. (domain --> NT domains)
Uhm, you mean that you want to have the DMZ domain trust the internal
domain? (Your message wasn't clear on which way it was, I'll assume
you mean this way).
In theory, you shouldn't have a problem. However, in practice
(someone correct me if I'm wrong here), you'll need to open
up NetBIOS/SMB/DCE/whatever-it's-named-anyway RPC between your
DMZ servers and your internal network PDC. This means you get
to allow:
DMZ:any to int:PDC, TCP and UDP 135-139
DMZ:any to int:PDC, TCP 1024-65535
To me, this looks like swiss cheese, and I wouldn't do it if
I were you. On the other hand, I could be completely mistaken
here; this is only my understanding of how the trust model
works. I'd _really_ appreciate it if someone more knowledgeable
about the NT Domain protocol would step in and enlighten us
all.
(I guess I could just go set up a trust relationship and sniff
to see what actually happens, but I'm officially on vacation
right now; call me lazy :P )
/Mike
--
Mikael Olsson, EnterNet Sweden AB, Box 393, SE-891 28 ÖRNSKÖLDSVIK
Phone: +46-(0)660-29 92 00 Fax: +46-(0)660-122 50
Mobile: +46-(0)70-66 77 636
WWW: http://www.enternet.se E-mail: [EMAIL PROTECTED]
-
[To unsubscribe, send mail to [EMAIL PROTECTED] with
"unsubscribe firewalls" in the body of the message.]
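The two rule lines in Mike's reply are the kind of thing a reviewer would want to quantify before approving. The following is an added example (not from the thread or from EnterNet): it parses rules written in the same `SRC to DST, PROTO LOW-HIGH` notation and flags the exposure each one creates; the port labels, the 1024-port "wide range" threshold and the sample rule list are assumptions chosen for illustration.

```python
"""Review firewall rules of the form 'SRC to DST, PROTO LOW-HIGH' and
flag over-broad openings. Added example; labels and thresholds below are
constructed for illustration, not taken from the thread."""
import re
from dataclasses import dataclass

RULE_RE = re.compile(
    r"^(?P<src>\S+) to (?P<dst>\S+), (?P<protos>TCP(?: and UDP)?|UDP)\s+"
    r"(?P<lo>\d+)(?:-(?P<hi>\d+))?$")

# Constructed labels for the NT-era ports the thread talks about.
KNOWN = {135: "RPC endpoint mapper", 137: "NetBIOS name service",
         138: "NetBIOS datagram service", 139: "NetBIOS session service"}
WIDE_RANGE = 1024  # assumption: a range this size is 'any service'

@dataclass
class Finding:
    rule: str
    ports_open: int   # distinct (port, protocol) pairs the rule permits
    notes: list

def review_rule(line):
    m = RULE_RE.match(line.strip())
    if not m:
        raise ValueError(f"unparsed rule: {line!r}")
    lo, hi = int(m["lo"]), int(m["hi"] or m["lo"])
    protos = m["protos"].split(" and ")
    label = "/".join(protos)
    notes = []
    if hi - lo + 1 >= WIDE_RANGE:
        notes.append(f"range {lo}-{hi}/{label} admits any {label} service on {m['dst']}")
    for port, name in KNOWN.items():
        if lo <= port <= hi:
            notes.append(f"{port}/{label} ({name}) reachable from {m['src']}")
    if m["src"].endswith(":any"):
        notes.append("source is an entire zone rather than specific hosts")
    return Finding(line.strip(), (hi - lo + 1) * len(protos), notes)

def review_rules(lines):
    return [review_rule(l) for l in lines if l.strip()]

# Constructed sample: the two rules quoted in the reply above.
SAMPLE_RULES = ["DMZ:any to int:PDC, TCP and UDP 135-139",
                "DMZ:any to int:PDC, TCP 1024-65535"]

if __name__ == "__main__":
    for f in review_rules(SAMPLE_RULES):
        print(f"{f.rule}  ->  {f.ports_open} port/protocol pair(s)")
        for n in f.notes:
            print("   !", n)
```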