João Kuchnier wrote:
> I am planning a small LAN infrastructure for an office I work for.
>
> My structure needs a Firewall, Proxy and Active Directory. I will use
> one desktop server for shorewall and squid and a server for AD and
> fileserver.
>
> I want to install the AD server on the DMZ. I did some research and a lot
> of people said that they don't recommend that configuration.
>
> In this case, I will open the DMZ only for LAN connections. The WAN
> interface will only have open ports for the LAN adapter.
>
> Is it dangerous, in this case, to have an Active Directory installed on the DMZ?
It's not dangerous, but it is tricky to set up. I did something not too dissimilar a while ago - a multi-zone firewall for a multi-tenant business centre.

The biggest problem is that by default, desktop-server communications for some stuff don't use defined ports - IIRC the server picks a random port and tells the client what it is. There is a registry setting to disable this and make it use fixed ports - and then you can configure the firewall accordingly. I don't recall any more detail than that; I wasn't involved in the Windows side of it, and I don't have access to the systems now.

I *think* the clients initially find the server by DNS. I used ISC DHCP server and Bind for the root of the clients' domain - and delegated all the "_<stuff>" subdomains to the Windows server.

-- 
Simon Hobson

Visit http://www.magpiesnestpublishing.co.uk/ for books by acclaimed
author Gladys Hobson. Novels - poetry - short stories - ideal as
Christmas stocking fillers. Some available as e-books.

_______________________________________________
Shorewall-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/shorewall-users
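A worked version of the two points in Simon's reply (pin the RPC ports on the DC and mirror them in the firewall; delegate the "_" subdomains from BIND to the DC), as an added example that is not part of the original thread or of Shorewall itself. It generates the Shorewall `rules` lines for LAN-to-DC traffic and the BIND parent-zone records, and then checks an arbitrary `rules` fragment for ports that are still missing, which is the mistake the fixed-port approach invites. The zone names `lan`/`dmz`, the address 192.168.2.10, the name `dc1.example.internal` and the fixed ports 38901/38902 are assumptions chosen for illustration; the DC-side registry values they correspond to (NTDS `TCP/IP Port`, Netlogon `DCTcpipPort`) are the ones Microsoft documents for pinning AD RPC ports, and are only named in comments here.

```python
from collections import defaultdict

# Assumed values for the example (not from the thread).
LAN_ZONE = "lan"
DMZ_ZONE = "dmz"
DC_IP = "192.168.2.10"
DC_HOST = "dc1"
DOMAIN = "example.internal"

# Client -> DC ports that AD uses on fixed, well-known numbers.
AD_STATIC_PORTS = [
    ("tcp", 53, "DNS"), ("udp", 53, "DNS"),
    ("tcp", 88, "Kerberos"), ("udp", 88, "Kerberos"),
    ("udp", 123, "NTP (w32time)"),
    ("tcp", 135, "RPC endpoint mapper"),
    ("tcp", 389, "LDAP"), ("udp", 389, "CLDAP / LDAP ping"),
    ("tcp", 445, "SMB (SYSVOL, NETLOGON shares)"),
    ("tcp", 464, "Kerberos password change"), ("udp", 464, "Kerberos password change"),
    ("tcp", 636, "LDAPS"),
    ("tcp", 3268, "Global Catalog"), ("tcp", 3269, "Global Catalog over TLS"),
]

# RPC services that are dynamic by default and must be pinned on the DC
# (registry: HKLM\SYSTEM\CurrentControlSet\Services\NTDS\Parameters "TCP/IP Port"
# and ...\Services\Netlogon\Parameters "DCTcpipPort"). Port numbers are our choice.
FIXED_RPC_PORTS = {
    "NTDS RPC (pinned)": 38901,
    "Netlogon RPC (pinned)": 38902,
}


def required_ports(fixed_rpc=FIXED_RPC_PORTS):
    """Everything a client must reach on the DC: static ports plus the pinned RPC ports."""
    return list(AD_STATIC_PORTS) + [("tcp", port, why) for why, port in fixed_rpc.items()]


def shorewall_rules(src=LAN_ZONE, dst=DMZ_ZONE, dc_ip=DC_IP, fixed_rpc=FIXED_RPC_PORTS):
    """Shorewall /etc/shorewall/rules lines: one ACCEPT per protocol, ports comma-joined,
    destination narrowed to the DC host rather than the whole DMZ zone."""
    by_proto = defaultdict(set)
    for proto, port, _ in required_ports(fixed_rpc):
        by_proto[proto].add(port)
    lines = ["#ACTION\tSOURCE\tDEST\tPROTO\tDPORT"]
    for proto in sorted(by_proto):
        ports = ",".join(str(p) for p in sorted(by_proto[proto]))
        lines.append(f"ACCEPT\t{src}\t{dst}:{dc_ip}\t{proto}\t{ports}")
    return lines


def bind_delegation(domain=DOMAIN, dc_host=DC_HOST, dc_ip=DC_IP):
    """Records for the parent zone served by BIND: NS delegation of the four
    AD-specific subdomains to the DC's own DNS, plus the glue A record it needs."""
    ns = f"{dc_host}.{domain}."
    records = [f"{sub}\tIN\tNS\t{ns}" for sub in ("_msdcs", "_sites", "_tcp", "_udp")]
    records.append(f"{dc_host}\tIN\tA\t{dc_ip}")
    return records


def _expand(port_field):
    """Expand a Shorewall DPORT field ('53,88' or '1024:65535') into a set of ints."""
    ports = set()
    for item in port_field.split(","):
        if ":" in item:
            lo, hi = item.split(":", 1)
            ports.update(range(int(lo), int(hi) + 1))
        else:
            ports.add(int(item))
    return ports


def missing_ports(rules_text, dc_ip=DC_IP, fixed_rpc=FIXED_RPC_PORTS):
    """Return the (proto, port, purpose) entries that no ACCEPT line in rules_text
    opens towards dc_ip. A DEST of just a zone name counts as covering the DC;
    'zone:<other address>' does not (CIDR destinations are not expanded here)."""
    allowed = defaultdict(set)
    for raw in rules_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        cols = line.split()
        if len(cols) < 5 or cols[0].upper() != "ACCEPT":
            continue
        dest = cols[2]
        if ":" in dest and dest.split(":", 1)[1] != dc_ip:
            continue
        allowed[cols[3].lower()].update(_expand(cols[4]))
    return [(p, port, why) for p, port, why in required_ports(fixed_rpc) if port not in allowed[p]]


if __name__ == "__main__":
    print("\n".join(shorewall_rules()))
    print("\n".join(bind_delegation()))
    # Constructed rules fragment that pinned NTDS but forgot the Netlogon port.
    forgot = ("ACCEPT lan dmz:192.168.2.10 tcp 53,88,135,389,445,464,636,3268,3269,38901\n"
              "ACCEPT lan dmz:192.168.2.10 udp 53,88,123,389,464")
    print("still blocked:", missing_ports(forgot))
```

The check is deliberately narrow: it says which of the known ports are not reachable, not whether the rule set is too wide. The opposite failure, opening `1024:65535` to the whole `dmz` zone "to make AD work", passes the coverage check but gives up most of what the DMZ was for, which is why the generated rules target the DC address rather than the zone.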
