
Thread: Active Directory Authentication and DMZ server

  1. #1
    Sukhwinder Singh Guest

    Active Directory Authentication and DMZ server

    Dear All,

    We have a requirement in our organisation that all the application and
    internet-facing servers in the organisation should be part of the Active
    Directory domain. We have many servers in DMZ zones and the domain
    controllers are in the LAN zone. We need all the DMZ servers to be
    authenticated to Active Directory but we cannot open any firewall port, so we
    cannot go for IPsec.

    I would request all to help me in this regard as to whether ADFS or ADAM can help
    me with the same. If any other solution is there, please let me know.

    Thanks and Regards

    Sukhwinder Singh


  2. #2
    James Yeomans BSc, MCSE Guest

    RE: Active Directory Authentication and DMZ server

    Hi there, if I understand correctly then you have servers in your DMZ that
    need to contact DCs in the LAN but you are not prepared to open up any ports
    between the DMZ and the LAN? Unfortunately, if you want them to communicate you
    have to open up ports and allow them to communicate. Otherwise you will have
    to set up a different Active Directory in your DMZ. You could also take
    advantage of Server 2008's new Lightweight Directory Services function (google
    it).
    James.
    --
    James Yeomans, BSc, MCSE
    Ask me directly at: http://www.justaskjames.co.uk




  3. #3
    Augusto Alvarez Guest

    Re: Active Directory Authentication and DMZ server

    Your problem doesn't seem to be related to ADAM (or LDS) nor ADFS. I think
    it's more a DMZ and firewall configuration.

    Check these posts about configuring domain members in a DMZ network with
    a back-to-back FW configuration using ISA Server; there you should find a
    similar scenario:

    http://www.isaserver.org/tutorials/C...DMZ-Part1.html
    http://www.isaserver.org/tutorials/C...DMZ-Part2.html
    http://www.isaserver.org/tutorials/C...DMZ-Part3.html

    On Part 3 you will find that the key aspect of making the servers
    capable of joining a domain is adding a static route on the DMZ so it can
    communicate with internal hosts using the back-end FW:

    "route add -p 10.0.0.0 MASK 255.255.255.0 10.0.1.2"

    Where 10.0.0.0 is the network ID for the corporate network behind the ISA
    firewall, 255.255.255.0 is the subnet mask for that network ID, and 10.0.1.2
    is the IP address on the external interface of the back-end ISA firewall.

    Hope it helps

    Cheers

    --
    augusto alvarez | it pro | southworks
    MCP - MCTS - MCITP DBA
    http://blogs.southworks.net/aalvarez


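The route above only gets the DMZ host a path to the LAN; the other replies are right that the domain member still needs specific firewall ports open to a DC. The script below is an added example (not from the thread or the linked ISA tutorial) that adds the same persistent route and then checks, from the DMZ host, which DC ports actually answer, so the gaps can be mapped to firewall rules. It assumes the tutorial's addresses (10.0.0.0/24 corporate LAN, 10.0.1.2 back-end firewall) and a constructed DC address of 10.0.0.10.

```powershell
# Added example, not from the thread. Assumed values: 10.0.0.0/24 is the corporate
# LAN behind the back-end firewall, 10.0.1.2 is that firewall's DMZ-facing
# interface, and 10.0.0.10 is a domain controller (all placeholders).
$CorpNet   = '10.0.0.0'
$CorpMask  = '255.255.255.0'
$BackEndFw = '10.0.1.2'
$Dc        = '10.0.0.10'

# Same persistent static route the ISA tutorial uses (-p survives reboots).
# Requires an elevated prompt.
route -p add $CorpNet MASK $CorpMask $BackEndFw | Out-Null

# TCP ports a domain member uses against a DC. Each one that is closed is a
# firewall rule that has to be requested; RPC also needs the dynamic range
# (49152-65535 on Server 2008+), which this check does not cover.
$AdPorts = @(
    @{ Port = 53;   Name = 'DNS' },
    @{ Port = 88;   Name = 'Kerberos' },
    @{ Port = 135;  Name = 'RPC endpoint mapper' },
    @{ Port = 389;  Name = 'LDAP' },
    @{ Port = 445;  Name = 'SMB (SYSVOL/Netlogon)' },
    @{ Port = 464;  Name = 'Kerberos password change' },
    @{ Port = 636;  Name = 'LDAPS' },
    @{ Port = 3268; Name = 'Global Catalog' }
)

# Test-NetConnection ships with Windows 8.1 / Server 2012 R2 and later.
$results = foreach ($p in $AdPorts) {
    $ok = (Test-NetConnection -ComputerName $Dc -Port $p.Port `
              -WarningAction SilentlyContinue).TcpTestSucceeded
    [pscustomobject]@{ Port = $p.Port; Service = $p.Name; Reachable = $ok }
}
$results | Format-Table -AutoSize

# A domain join will not succeed until every row is True. The False rows are
# the rules still to open, or the reason to choose a separate DMZ forest or an
# RODC instead, as the later replies suggest.
if ($results.Reachable -contains $false) {
    Write-Warning "DC $Dc is not fully reachable from this DMZ host."
}
```

Run it on the DMZ host itself so the route and the port tests reflect the path through the back-end firewall rather than a LAN workstation's view.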


  4. #4
    Paul Bergson [MVP-DS] Guest

    Re: Active Directory Authentication and DMZ server

    Hello Sukhwinder,
    If you can't open up any ports, how can you expect to communicate? This
    isn't a reasonable approach, if you need access to internal info then there
    are ports that will have to be opened.


    --
    Paul Bergson
    MVP - Directory Services
    MCTS, MCT, MCSE, MCSA, Security+, BS CSci
    2008, 2003, 2000 (Early Achiever), NT4


    http://www.pbbergs.com

    Please no e-mails, any questions should be posted in the NewsGroup. This posting
    is provided "AS IS" with no warranties, and confers no rights.







  5. #5
    Merddyin Guest

    Re: Active Directory Authentication and DMZ server

    As Augusto points out, ISA can be a very helpful way of helping you
    allow secure access for your DMZ systems. That being said, however,
    ISA can help in other ways even better such as potentially eliminating
    the need to have servers in your DMZ at all (depending on the services
    rendered). At a prior company I worked at, we had a lot of web servers
    in our DMZ. These sites used a bunch of back end SQL databases as well
    as some integrating with AD for authentication. The organization was a
    health care company and was working to become HIPAA compliant which
    meant the holes in the firewall to allow this had to go. The solution
    for us was moving these servers into the clean internal network and
    publishing the sites forward with ISA Server 2004. The reason this
    passed all the audits is that there were now NO holes in the firewall
    at all. ISA, which is an edge class firewall product, never allows
    direct access to the web servers. Instead, when a request is made and
    after all the firewall checks are passed, ISA performs the request on
    behalf of the user and caches the response before displaying the
    resulting page to the original requestor. The user is never on the
    internal network, yet the web server is and is unfettered when
    accessing domain based resources since it is inside the firewall. Best
    of both worlds.

    When I mentioned the 'depending on the services rendered', I was
    referring to the fact that this doesn't work for all services since a
    goodly number of protocols do not tolerate proxying well. For example
    SSH and RSH do not proxy and, therefore, when using ISA to publish
    these services the traffic is actually passed to the server. This is
    not to say the connection is not secured, merely that it is not
    proxied. ISA still performs a full application aware stateful packet
    inspection of the traffic in addition to a plethora of firewall logic
    (is the traffic using the right host name/ip/protocol/etc) before
    being passed in. You can even pre-authenticate most traffic. ISA also
    speaks the language of the applications better than a lot of more
    traditional firewalls (even those that do perform application aware
    stateful packet inspection) allowing ISA to provide even better
    security. ISA knows, for example, not just that the packet is a
    properly formed HTTP packet coming in on the right port, it knows if
    that HTTP packet is trying to do something it's not supposed to, like
    attack an IIS server using an HTTP based exploit. Since the packet is,
    in point of fact, a valid HTTP packet performing valid HTTP functions,
    most application aware stateful packet inspection firewalls will allow
    it to pass, but ISA can be configured to look for this signature and
    block it whenever it is detected...something the majority of hardware
    firewalls can only do in limited capacity. And since it's a software
    firewall, it can be adapted on the fly for new threats rather than
    having to wait for the vendor to provide updated code. Can't beat
    that!

    Anyway, I hope this information helps.

    Chris

  6. #6
    Jorge de Almeida Pinto [MVP - DS] Guest

    Re: Active Directory Authentication and DMZ server

    why not create a separate forest for the DMZ servers?

    or if you are using w2k8, introducing read-only DCs might be an option for
    you to extend the internet forest/domain into the DMZ

    --

    Cheers,
    (HOPEFULLY THIS INFORMATION HELPS YOU!)

    # Jorge de Almeida Pinto # MVP Identity & Access - Directory Services #

    BLOG (WEB-BASED)--> http://blogs.dirteam.com/blogs/jorge/default.aspx
    BLOG (RSS-FEEDS)--> http://blogs.dirteam.com/blogs/jorge/rss.aspx
    * How to ask a question --> http://support.microsoft.com/?id=555375
    * This posting is provided "AS IS" with no warranties and confers no rights!
    * Always test ANY suggestion in a test environment before implementing!


