I agree. They want to use SSO, so, according to them, I set up a site-to-site VPN; when a user wants to log on with their AD credentials, their server validates the credentials via LDAP through the VPN tunnel. My contention is that it is unnecessary to use a public IP. I have set up "natting" for two large healthcare vendors (whose clients also use the same private IP scheme we use), but they gave me an address to NAT my internal device to.

From: [email protected]
To: [email protected]
Subject: RE: LDAP\DC with a public IP
Date: Thu, 22 Sep 2011 22:17:50 +0000

I'm rather lost now. How is doing this double NAT going to help you in a typical cloud scenario? Usually you do this type of thing with a direct link to a business partner/supplier.

Thanks,
Brian Desmond
[email protected]
w – 312.625.1438 | c – 312.731.3132

From: [email protected] [mailto:[email protected]]
Sent: Thursday, September 22, 2011 3:01 PM
To: NT System Admin Issues
Subject: RE: LDAP\DC with a public IP

Cloud. They explain further on that they have a lot of clients, some of whom may use the same private IP, so to prevent "overlap" (in their words) they want our private IP natted. I've done this with GE and Philips because they're so large they have overlapping private IPs, too. However, when they requested it, they gave me another private IP. For example, NAT your 192.168.x.x to 192.168.40.1 or something like that. Apparently, this company doesn't do that but just uses the public IP as a reference.

From: [email protected]
To: [email protected]
Date: Thu, 22 Sep 2011 13:22:21 -0500
Subject: RE: LDAP\DC with a public IP

Is the "new product" cloud based or internal? If internal, I can't see why you would need your DCs/LDAP servers to be available to the public internet. If cloud based, just open up to the IP of the server in the cloud to allow authentication. And insist on LDAP over SSL.

al
--
Al Lilianstrom
CD/LSC/SOS/ES
[email protected]

From: [email protected] [mailto:[email protected]]
Sent: Thursday, September 22, 2011 12:58 PM
To: NT System Admin Issues
Subject: LDAP\DC with a public IP

We are getting a new product to report variances. It is web-based but uses LDAP to authenticate users. The way it works is that a person can log a variance anonymously, but then directors can use their AD credentials to log in and report their findings. My issue is that they want my two LDAP servers (which are my DCs) to have a public IP address.

Even with ACLs and security, I am very uncomfortable with having my DCs be "visible" on the 'net. From past experience of scanning my firewall logs, I know that a lot of times, hackers (or script kiddies) just use a range of public IPs to scan for vulnerabilities. Am I being unduly alarmist in my concern? Do other organizations attach a public IP to their LDAP servers? Thanks for any opinions you can give me. I have no problem going back to the people involved and saying "I was wrong." OTOH, I also have no problem telling them no way, you need to come up with a workaround.

~ Finally, powerful endpoint security that ISN'T a resource hog! ~
~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/> ~
---
To manage subscriptions click here: http://lyris.sunbelt-software.com/read/my_forums/
or send an email to [email protected] with the body: unsubscribe ntsysadmin
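As an added illustration (not from the thread or any of its posters), the Python below models the design the replies converge on: the DC is not published to the whole internet; only the vendor's single authentication host may reach the LDAPS port (636), cleartext LDAP (389) is refused from outside, and the DC is exposed under a translated address only when the partner's private ranges overlap our own, which is the "overlap" reason the vendors gave for NAT. Every address, range and rule name in it is constructed for the example (RFC 5737 test networks and RFC 1918 space); the rule evaluation is a simplified first-match model, not any particular firewall's syntax.

```python
"""Model of the restricted-exposure design discussed in the thread.

Added example; addresses are constructed (TEST-NET-3 and RFC 1918 ranges).
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

LDAP_PLAIN = 389   # cleartext LDAP: never to be reachable across the internet
LDAPS = 636        # LDAP over SSL/TLS, the only service the vendor gets


@dataclass(frozen=True)
class Rule:
    action: str   # "allow" or "deny"
    src: str      # source network in CIDR form
    dst: str      # destination: the DC's real address, or its NAT address
    port: int


def needs_nat(our_net: str, partner_nets: List[str]) -> bool:
    """True when any of the partner's ranges overlaps ours.

    In that case the partner cannot route to the DC's real address without
    ambiguity, so the DC has to be published under a translated address."""
    ours = ipaddress.ip_network(our_net)
    return any(ours.overlaps(ipaddress.ip_network(p)) for p in partner_nets)


def build_policy(dc_ip: str, our_net: str, vendor_ip: str,
                 partner_nets: List[str], nat_ip: Optional[str] = None) -> List[Rule]:
    """Ingress rules on the external (vendor-facing) interface for the DC.

    Only the vendor's host may reach 636; 389 is denied from everywhere on
    that interface; a final deny closes 636 to everyone else.  When the
    partner's private space overlaps ours the DC is published as nat_ip."""
    dst = dc_ip
    if needs_nat(our_net, partner_nets):
        if nat_ip is None:
            raise ValueError("partner ranges overlap ours; a NAT address is required")
        dst = nat_ip
    vendor = str(ipaddress.ip_network(vendor_ip))  # single host -> /32
    return [
        Rule("allow", vendor, dst, LDAPS),
        Rule("deny", "0.0.0.0/0", dst, LDAP_PLAIN),
        Rule("deny", "0.0.0.0/0", dst, LDAPS),
    ]


def is_permitted(policy: List[Rule], src_ip: str, dst_ip: str, port: int) -> bool:
    """First-match evaluation with an implicit deny, as most firewalls do it."""
    src = ipaddress.ip_address(src_ip)
    for r in policy:
        if r.dst == dst_ip and r.port == port and src in ipaddress.ip_network(r.src):
            return r.action == "allow"
    return False


# Constructed scenario: our DC, the vendor's auth host, and the ranges the
# vendor's other clients use (one of them collides with ours).
OUR_NET = "192.168.10.0/24"
DC_IP = "192.168.10.5"
VENDOR_IP = "203.0.113.25"
NAT_IP = "192.168.40.1"
PARTNER_NETS = ["192.168.10.0/24", "10.50.0.0/16"]

POLICY = build_policy(DC_IP, OUR_NET, VENDOR_IP, PARTNER_NETS, NAT_IP)

if __name__ == "__main__":
    for r in POLICY:
        print(f"{r.action:5} {r.src:>18} -> {r.dst}:{r.port}")
    print("vendor LDAPS     :", is_permitted(POLICY, VENDOR_IP, NAT_IP, LDAPS))
    print("outsider LDAP 389:", is_permitted(POLICY, "198.51.100.7", NAT_IP, LDAP_PLAIN))
```

The useful property to check is the last two lines of output: the vendor's host gets LDAPS and nothing else, and an arbitrary outside address gets neither port, which is the difference between "the DC has a public IP" and "one partner can authenticate against the DC over TLS."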
