I've not changed anything in my PIX configuration. I have been watching the
logs while attempted logins have been made. I've not gotten a single denial
logged yet. (I have fairly verbose logging)
I downloaded WS_Ping ProPack, and it can gather limited information, but
since it's on a DMZ, most ports are blocked. The methodology involved is
that all can get to the DMZ, and only initiated connections can be used,
unless I've created a conduit through the PIX, which I've done for my PDC:
TCP/UDP on ports 137-139.
I *thought* this was all that was needed. Thanks for the advice, I'll
continue plugging away.
> -----Original Message-----
> From: Seth M. Kusiak [mailto:[EMAIL PROTECTED]]
> Sent: Monday, August 27, 2001 10:52 AM
> To: NT System Admin Issues
> Subject: Re: Authenticating from a subnet without a BDC.
>
>
> > I've allowed traffic from the web servers to the domain controllers for
> > authentication purposes.
>
> VERY dangerous. I suggest that you move authentication to a database if
> possible. If you can't, then you may want to add a new domain in the DMZ
> that will not have a trust to the domain in the inside network.
>
> If you can't get hardware for a new domain, then I suggest that you look at
> your PIX config. Make sure your conduits are set up correctly. Get a copy of
> WS_Ping ProPack from www.ipswitch.com (or a similar tool) to see if your
> webservers can connect to the ports on the DCs. See if you can even ping
> the DCs.
>
> hth,
>
> ~Seth
>
> Jason Gauthier writes:
>
> > A recent change in my network has caused some interesting issues, and I
> > wanted to get some advice.
> >
> > We've recently added a 3rd interface to our PIX 520 firewall. We stuck our
> > web servers on it. (We only have one domain, and kept these part of it.)
> >
> > I've allowed traffic from the web servers to the domain controllers for
> > authentication purposes. (There is no BDC on the subnet with the web
> > servers. The other subnets do have BDCs.)
> >
> > Last week things "appeared" to be working correctly. I could log into the
> > servers (not using a cached profile) and from my "inside" subnet I could
> > browse the machines. (The PIX does some funky things with IP address
> > aliasing on a DMZ like this.)
> >
> > Now, I come in Monday morning, and the machines are no longer getting
> > authentication information from the domain controllers. (This could have
> > occurred last week too, I suppose.) A user changed their password, and now
> > cannot log onto the web server. I understand the web server broadcasts for
> > a domain controller to pick it up, but I also realize that they know the IP
> > addresses (somewhere) of the other domain controllers. I know this because
> > of the firewall logging when it was closed off. The machine attempted
> > connections to every one of my domain controllers. So, it doesn't seem to
> > be authenticating to the domain anymore...
> >
> > I entered an entry in the lmhosts file pointing out the domain and PDC, but
> > alas, no go.
> >
> > Anything that can be offered, I'd appreciate. One other small tidbit. The
> > web servers are 2000 systems, everything else is NT4.
> >
> > Thanks,
> >
> > Jason
> >
> > http://www.sunbelt-software.com/ntsysadmin_list_charter.htm
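As an added example (not from the list, and not Seth's or Jason's own code): a small Python audit of PIX `conduit` lines that does what Seth's "make sure your conduits are set up correctly" asks for, checking that TCP/UDP 137-139 conduits from each web server to the PDC are actually present and flagging any conduit that opens the PDC to any source. It assumes the classic PIX syntax `conduit permit <proto> <global_addr> [eq|range ...] <foreign_addr>` and uses constructed placeholder addresses.

```python
import ipaddress
from collections import namedtuple

# Constructed sample (placeholder addresses): a correct TCP conduit for one web server, a UDP one open to any.
PDC = "192.0.2.10"
WEB_SERVERS = ["198.51.100.5", "198.51.100.6"]
SAMPLE = """\
conduit permit tcp host 192.0.2.10 range 137 139 host 198.51.100.5
conduit permit udp host 192.0.2.10 eq 137 any
"""

# global_net is the protected side (the PDC); foreign_net is who may initiate.
Conduit = namedtuple("Conduit", "action proto global_net ports foreign_net text")

def _addr(t, i):
    """Parse 'host A', 'any' or 'A MASK' at t[i]; return (network, next index)."""
    if t[i] == "host":
        return ipaddress.ip_network(t[i + 1] + "/32"), i + 2
    if t[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    return ipaddress.ip_network(f"{t[i]}/{t[i + 1]}", strict=False), i + 2

def _ports(t, i):
    """Parse optional 'eq P' or 'range A B'; no operator means every port."""
    if i < len(t) and t[i] == "eq":
        return (int(t[i + 1]),) * 2, i + 2
    if i < len(t) and t[i] == "range":
        return (int(t[i + 1]), int(t[i + 2])), i + 3
    return (0, 65535), i

def parse_conduits(config):
    out = []
    for line in config.splitlines():
        t = line.split()
        if len(t) >= 4 and t[0] == "conduit":
            g, i = _addr(t, 3)
            ports, i = _ports(t, i)
            f, _ = _addr(t, i)          # a trailing foreign-side port operator is ignored
            out.append(Conduit(t[1], t[2], g, ports, f, line.strip()))
    return out

def audit(config, pdc, web_servers, ports=range(137, 140)):
    """Return (broad, missing): PDC permits open to any source; (proto, port, ws) nothing permits."""
    conduits = [c for c in parse_conduits(config) if c.action == "permit"]  # deny lines not modelled
    pdc_ip = ipaddress.ip_address(pdc)
    broad = [c.text for c in conduits if pdc_ip in c.global_net and c.foreign_net.prefixlen == 0]
    missing = [(proto, port, ws) for proto in ("tcp", "udp") for port in ports for ws in web_servers
               if not any(c.proto in (proto, "ip") and pdc_ip in c.global_net
                          and ipaddress.ip_address(ws) in c.foreign_net
                          and c.ports[0] <= port <= c.ports[1] for c in conduits)]
    return broad, missing
```

Run `audit(SAMPLE, PDC, WEB_SERVERS)` against a pasted `show conduit` listing (with your own PDC and web server addresses) to get the over-broad lines and the exact protocol/port/host combinations still unpermitted.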