ISA perimeter and internal network Active Directory.

Discussion in 'Networks' started by coolc, Dec 23, 2010.

  1. coolc

    coolc Nibble Poster

    I have an ISA 2006 Server as the network firewall. I have an Active Directory domain controller in the internal network and there are a couple of web servers (IIS6) in the perimeter network, and I want the perimeter web servers to authenticate to the AD which is located in the internal network. Any advice/help? Both the internal network and the perimeter network are separated by ISA 2006. I have opened all of the ports etc. but no luck.

    Much appreciated if someone can help me.
     
  2. Sparky

    Sparky Zettabyte Poster Moderator

    Authenticate in what way? Log onto the domain or is it for a web app?
     
    Certifications: MSc MCSE MCSA:M MCSA:S MCITP:EA MCTS(x5) MS-900 AZ-900 Security+ Network+ A+
    WIP: Microsoft Certs
  3. coolc

    coolc Nibble Poster

    Domain.
     
  4. Theprof

    Theprof Petabyte Poster

    Can you ping the domain controllers from your DMZ using IP address?

    I usually setup my DMZ PC on a different subnet for security purposes... Also it's a bad idea giving your DMZ PC access to your AD...
     
    Last edited: Dec 24, 2010
    Certifications: A+ | CCA | CCAA | Network+ | MCDST | MCSA | MCP (270, 271, 272, 290, 291) | MCTS (70-662, 70-663) | MCITP:EMA | VCA-DCV/Cloud/WM | VTSP | VCP5-DT | VCP5-DCV
    WIP: VCAP5-DCA/DCD | EMCCA
  5. Sparky

    Sparky Zettabyte Poster Moderator

    Would have to agree.

    Is there a reason why the web servers need access to your internal domain?
     
    Certifications: MSc MCSE MCSA:M MCSA:S MCITP:EA MCTS(x5) MS-900 AZ-900 Security+ Network+ A+
    WIP: Microsoft Certs
  6. Fergal1982

    Fergal1982 Petabyte Poster

    Another agreement here. If there is a requirement for a website to interact with the domain (or any internal resource, really), it should also be internal. If someone wants access externally, then you should be providing a solution to give them secure internal access (VPN, Juniper, etc).
     
    Certifications: ITIL Foundation; MCTS: Visual Studio Team Foundation Server 2010, Administration
    WIP: None at present
  7. Phoenix
    Honorary Member

    Phoenix 53656e696f7220 4d6f64

    With ISA you could keep the whole web server internal, and use a web publishing rule to forward port 443 (I would avoid 80 in this config)

    If you really want to just play around with DMZ stuff, check that the RPC filter is not enabled and blocking RPC-type traffic; it uses a random port from roughly 1025 to 65000.

    Also, you could use an RODC in the DMZ, or AD LDS (Lightweight Directory Services), for the application to have access to the subset of info it needs for authentication.
    It could also just be an IIS misconfiguration, to be fair.
     
    Certifications: MCSE, MCITP, VCP
    WIP: > 0
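Following on from Theprof's "can you ping the DC from the DMZ" question and Phoenix's point about the RPC filter and the dynamic port range, here is an added diagnostic script, not something posted in the thread, to run on the DMZ web server against the DC's IP. It probes the TCP ports a Windows Server 2003-era member server needs for a domain join, and separately distinguishes "closed" (the DC answered with a reset, so the ISA rule passes the traffic) from "filtered" (no answer, so something in the path drops it) across a sample of the dynamic RPC range, which is the case that "I opened all the ports" usually misses. The port list and the 1025-5000 / 49152-65535 ranges are the Microsoft defaults as I know them; the host name, the IP 10.0.0.1 and the `simulated_probe` stand-in are constructed for an offline demo.

```python
import socket
import sys
from typing import Callable, Dict

Probe = Callable[[str, int], str]

# TCP ports a member server must reach on a Windows Server 2003-era DC to
# join and log on to the domain. UDP variants (DNS, Kerberos, LDAP ping) are
# left out because a UDP probe cannot tell "open" from "filtered".
REQUIRED_TCP_PORTS: Dict[int, str] = {
    53: "DNS (SRV lookup for _ldap._tcp.dc._msdcs)",
    88: "Kerberos",
    135: "RPC endpoint mapper",
    389: "LDAP",
    445: "SMB (SYSVOL, Netlogon secure channel)",
    464: "Kerberos password change",
    3268: "Global catalog LDAP",
}

# After the endpoint mapper answers on 135, the actual Netlogon/SAM RPC call
# goes to a port from the DC's dynamic range: 1025-5000 by default on Windows
# Server 2003, 49152-65535 on Server 2008 and later. A few ports are sampled.
DYNAMIC_RANGE = (1025, 5000)
DYNAMIC_SAMPLE = (1025, 1026, 1027, 1100, 2000, 4999)


def tcp_probe(host: str, port: int, timeout: float = 2.0) -> str:
    """Return 'open', 'closed' (RST came back: the path passes, nothing is
    listening) or 'filtered' (no answer: a firewall or filter dropped it)."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.settimeout(timeout)
    try:
        s.connect((host, port))
        return "open"
    except ConnectionRefusedError:
        return "closed"
    except OSError:          # timeout, no route, etc.
        return "filtered"
    finally:
        s.close()


def check_dc_reachability(host: str, probe: Probe = tcp_probe) -> Dict[str, list]:
    """Classify what blocks a domain join from this host. `probe` is injectable
    so the classification logic can be exercised offline."""
    state = {p: probe(host, p) for p in REQUIRED_TCP_PORTS}
    findings: Dict[str, list] = {"ok": [], "blocked": [], "rpc_dynamic_blocked": []}
    for port, what in sorted(REQUIRED_TCP_PORTS.items()):
        if state[port] == "open":
            findings["ok"].append(f"{port}/tcp {what}")
        else:
            findings["blocked"].append(f"{port}/tcp {what}: {state[port]}")
    # Reaching 135 is necessary but not sufficient. In the dynamic range,
    # 'closed' is fine (the DC is simply not listening on that port right now);
    # 'filtered' means the firewall rule or an RPC filter stops the real call.
    if state[135] == "open":
        for port in DYNAMIC_SAMPLE:
            if probe(host, port) == "filtered":
                findings["rpc_dynamic_blocked"].append(port)
    return findings


def domain_join_should_work(findings: Dict[str, list]) -> bool:
    return not findings["blocked"] and not findings["rpc_dynamic_blocked"]


def simulated_probe(open_ports, dynamic_state: str) -> Probe:
    """Constructed stand-in for tcp_probe: listed ports answer 'open', the rest
    of the dynamic range answers `dynamic_state`, everything else 'filtered'."""
    def probe(host: str, port: int) -> str:
        if port in open_ports:
            return "open"
        if DYNAMIC_RANGE[0] <= port <= DYNAMIC_RANGE[1]:
            return dynamic_state
        return "filtered"
    return probe


def report(findings: Dict[str, list]) -> str:
    lines = [f"OK       {x}" for x in findings["ok"]]
    lines += [f"BLOCKED  {x}" for x in findings["blocked"]]
    if findings["rpc_dynamic_blocked"]:
        lines.append("BLOCKED  RPC dynamic range (sampled): "
                     + ", ".join(str(p) for p in findings["rpc_dynamic_blocked"]))
    lines.append("verdict: " + ("domain join should work"
                                if domain_join_should_work(findings)
                                else "something in the path still blocks it"))
    return "\n".join(lines)


if __name__ == "__main__":
    if len(sys.argv) > 1:
        # Real run from the DMZ host: python dc_reach.py <dc-ip>
        print(report(check_dc_reachability(sys.argv[1])))
    else:
        # Offline demo: every listed port is open, but the ISA rule stops at
        # 135 and drops the dynamic range, so the join still fails.
        probe = simulated_probe(set(REQUIRED_TCP_PORTS), dynamic_state="filtered")
        print(report(check_dc_reachability("10.0.0.1", probe)))
```

Run it on the DMZ box with the DC's address as the argument; a verdict of "blocked" on the dynamic range with 135 open is the signature of the RPC filter or a rule that only covers the well-known ports. None of this changes the advice above that a domain-joined box in the DMZ is a poor design; it only tells you where the path is being cut.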
  8. Modey

    Modey Terabyte Poster

    Certifications: A+, N+, MCP, MCDST, MCSA 2K3, MCTS, MOS, MTA, MCT, MCITP:EDST7, MCSA W7, Citrix CCA, ITIL Foundation
    WIP: Nada
  9. Fergal1982

    Fergal1982 Petabyte Poster

    That article is talking about making your firewall part of the domain, not something sitting in your DMZ (such as a web server) being a member of the domain through the firewall.

    I don't know a whole hell of a lot about networking, but it makes sense to me for the FW to be part of the domain; it's like the doorkeeper, peeping through the shutters from the inside looking out to determine who can come in. It makes sense for him to be part of the "gang".

    Conversely, making the web server a part of the domain is like letting that weedy kid standing on the street have the keys so that he can just waltz in whenever he feels like it. He's not in a protected position, and so is open to getting pounded until he hands over the keys.

    Simple, but it's how I look at it.
     
    Certifications: ITIL Foundation; MCTS: Visual Studio Team Foundation Server 2010, Administration
    WIP: None at present
  10. Modey

    Modey Terabyte Poster

    In this case I was quoting "DMZ PC" and assuming he meant the ISA server. Bit of an ambiguous term really. But having a web server that is a domain member in a perimeter network is not automatically a bad idea; it just depends on the setup and the type of perimeter. DMZ is too broad a term really. We have a front-end Exchange server at work that is part of a secure external perimeter and it's also a domain member.

    If it's a straight web server then, depending on the DMZ and its structure, I wouldn't have it in there in the first place, like Phoenix suggested.

    There isn't a one-answer-fits-all answer though.
     
    Certifications: A+, N+, MCP, MCDST, MCSA 2K3, MCTS, MOS, MTA, MCT, MCITP:EDST7, MCSA W7, Citrix CCA, ITIL Foundation
    WIP: Nada
