As with anything in security, there are no hard and fast rules; everything is just risk mitigation.

Lots of people put member servers in the DMZ. Lots of people have two (or more) DMZs. An internal DMZ could be for devices (like proxy servers, DNS servers) that cater only for outbound communications. An external DMZ handles incoming requests. Other people create a separate Forest for their DMZ, and their servers are members of that Forest. Etc. Frankly, it sounds like you don't know what you're talking about.

Cheers
Ken

-----Original Message-----
From: Kurt Buff [mailto:[email protected]]
Sent: Friday, 7 January 2011 11:56 AM
To: NT System Admin Issues
Subject: Re: AD and firewall ports

Get a new admin. Putting an AD member server in a DMZ is stupid. You will have broken the security model for your production environment by doing this.

Kurt

On Wed, Jan 5, 2011 at 16:53, joseph palmieri <[email protected]> wrote:
>
> Need assistance with firewall ports and Active Directory. Our server admin
> submitted a change request to open over 1000 ports to support AD. The change
> was denied and resubmitted requesting a minimum of 100 ports to support RPC
> communications to a member server within our DMZ. Our firewall engineers
> stated that while monitoring the firewall only 20 ports were communicated over, and
> 100 ports are not needed.
>
> Has anyone had experience with this issue and can provide some clarity... is
> the server admin looking for an easy way out by requesting all these ports?
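One way to size that firewall rule from what the member server actually does rather than from the whole RPC dynamic range, as an added example that is not part of the thread: run on the DMZ member server, it reports the configured dynamic port range and groups the server's established connections to its domain controllers by remote port. It assumes Windows Server 2012 or later (Get-NetTCPConnection, Resolve-DnsName) and that the names in $DcNames are placeholders to be replaced with the real DCs.

```powershell
# Added example, not from the thread: audit which DC-side ports a member server
# actually uses, and how they relate to the RPC dynamic port range.
# Assumes Windows Server 2012+ (NetTCPIP module); $DcNames are placeholder names.
function Get-AdPortUsage {
    param([string[]]$DcNames = @('dc1.corp.example'))   # placeholder, replace with real DCs

    # The dynamic range the RPC runtime allocates endpoints from (opening all of it
    # is where "over 1000 ports" requests come from). netsh prints it as plain text.
    # Windows' default (49152-65535) is the same on every 2008+ host; if the DCs were
    # given a custom range, run the same netsh command there and use those values.
    $dyn   = netsh interface ipv4 show dynamicport tcp
    $start = [int](($dyn | Select-String 'Start Port\s*:\s*(\d+)').Matches[0].Groups[1].Value)
    $count = [int](($dyn | Select-String 'Number of Ports\s*:\s*(\d+)').Matches[0].Groups[1].Value)
    $end   = $start + $count - 1

    # Resolve the DCs and keep only established connections to them.
    $dcIps = foreach ($n in $DcNames) {
        (Resolve-DnsName -Name $n -Type A -ErrorAction Stop).IPAddress
    }
    $conns = Get-NetTCPConnection -State Established |
             Where-Object { $dcIps -contains $_.RemoteAddress }

    # Well-known ports (88 Kerberos, 135 endpoint mapper, 389/636 LDAP, 445 SMB, ...)
    # show up as 'fixed'; RPC endpoints handed out by the mapper fall in the dynamic range.
    $rows = $conns | Group-Object RemotePort | Sort-Object { [int]$_.Name } | ForEach-Object {
        $p = [int]$_.Name
        [pscustomobject]@{
            RemotePort  = $p
            Connections = $_.Count
            Class       = if ($p -ge $start -and $p -le $end) { 'dynamic RPC' } else { 'fixed' }
        }
    }
    [pscustomobject]@{
        DynamicRange = "$start-$end ($count ports)"
        Ports        = $rows
    }
}

$report = Get-AdPortUsage
"RPC dynamic range on this host: $($report.DynamicRange)"
$report.Ports | Format-Table -AutoSize
```

A single snapshot only shows sessions open at that moment, so sample it repeatedly over a normal workload (or rely on firewall logs over time, as the engineers in the thread did) before trusting the port count.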
