 
 From:  "Jared Patterson \(DSL AK\)" <JaredP at datacom dot co dot nz>
 To:  "Jonathan De Graeve" <jonathan dot de dot graeve at imelda dot be>
 Cc:  <m0n0wall at lists dot m0n0 dot ch>
 Subject:  RE: [m0n0wall] Having a domain member running in a DMZ
 Date:  Mon, 27 Jun 2005 11:11:48 +1200
So then what do you offer when running ASP.NET websites and company
portals based on Active Directory authentication???

-----Original Message-----
From: Jonathan De Graeve [mailto:jonathan dot de dot graeve at imelda dot be] 
Sent: Monday, 27 June 2005 10:21
To: Jared Patterson (DSL AK)
Cc: m0n0wall at lists dot m0n0 dot ch
Subject: Re: [m0n0wall] Having a domain member running in a DMZ

Recommendation:

Never put servers that need Active Directory access in a DMZ.

Use different methods to access and protect that server.

Kind Regards


--
Jonathan De Graeve
System/Network Administrator
Imelda vzw
Informatica Dienst
015/50.52.98
jonathan dot de dot graeve at imelda dot be
----- Original Message ----- 
From: "Jared Patterson (DSL AK)" <JaredP at datacom dot co dot nz>
To: <m0n0wall at lists dot m0n0 dot ch>
Sent: Sunday, June 26, 2005 11:18 PM
Subject: [m0n0wall] Having a domain member running in a DMZ


Hi All,

I'm running a web server in a DMZ zone which is a domain member server.
What I'm trying to find out is exactly what ports to NAT through to the
LAN subnet so that it can log in and use Active Directory etc. properly.
These are the ports I have NATed through:

Service                                            Port/protocol
RPC endpoint mapper                                135/tcp, 135/udp
RPC static port for Active Directory replication   See Appendix D
Kerberos                                           88/tcp, 88/udp
LDAP                                               389/tcp
LDAP over SSL                                      636/tcp
Global Catalog LDAP                                3268/tcp
Global Catalog LDAP over SSL                       3269/tcp
SMB over IP (Microsoft-DS)                         445/tcp, 445/udp
DNS                                                53/tcp, 53/udp
Network Time Protocol (NTP)                        123/udp

Other non-AD network ports used:

Service                        Port/protocol
NetBIOS name service           137/tcp, 137/udp
NetBIOS datagram service       138/udp
NetBIOS session service        139/tcp

Plus on the Web server in the DMZ, I have locked the dynamic RPC ports to
100 designated ports between 5020-5120. I have also enabled RDP on 3500 and
allowed this through.

I know that when I try to log in through Terminal Services, it reports
the error "The specified domain does not exist" after I put in my login
details.

Does anyone know the correct configuration for this setup??

Cheers

Jared
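A reachability check for the port list quoted in this thread, added here as an example (not code from the original posts or from m0n0wall): it probes each TCP port from the table against a domain controller address supplied by the caller and lists the services that do not answer, which is where a NAT or firewall rule is still missing. The DC address 192.0.2.10 is a placeholder, UDP services are listed but not probed, and the dynamic RPC range 5020-5120 is the one Jared configured on the web server.

```python
import socket
import sys

# (service, port, protocols) as quoted in the thread. UDP entries are kept for
# the rule review but not probed: a UDP connect() cannot tell open from filtered.
AD_PORTS = [
    ("RPC endpoint mapper", 135, ("tcp", "udp")),
    ("Kerberos", 88, ("tcp", "udp")),
    ("LDAP", 389, ("tcp",)),
    ("LDAP over SSL", 636, ("tcp",)),
    ("Global Catalog LDAP", 3268, ("tcp",)),
    ("Global Catalog LDAP over SSL", 3269, ("tcp",)),
    ("SMB over IP (Microsoft-DS)", 445, ("tcp", "udp")),
    ("DNS", 53, ("tcp", "udp")),
    ("Network Time Protocol (NTP)", 123, ("udp",)),
    ("NetBIOS name service", 137, ("tcp", "udp")),
    ("NetBIOS datagram service", 138, ("udp",)),
    ("NetBIOS session service", 139, ("tcp",)),
]
RPC_DYNAMIC_RANGE = (5020, 5120)  # static range set on the web server in the thread


def check_tcp(host, port, timeout=2.0):
    """True if a TCP connection to host:port completes within timeout."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:  # refused, timed out (filtered), unreachable, unresolvable
        return False


def probe_dc(host, ports=AD_PORTS, timeout=2.0):
    """Probe each TCP-capable service on the DC; return {service: reachable}.

    DNS is probed first: a member locates its domain controllers through DNS
    SRV lookups, so blocked DNS is the first thing to rule out for the
    "The specified domain does not exist" error.
    """
    ordered = sorted(ports, key=lambda p: p[0] != "DNS")  # stable: DNS to front
    return {svc: check_tcp(host, port, timeout)
            for svc, port, protos in ordered if "tcp" in protos}


def blocked_services(results):
    """Services that did not answer, i.e. candidate firewall/NAT gaps."""
    return [svc for svc, ok in results.items() if not ok]


if __name__ == "__main__":
    dc = sys.argv[1] if len(sys.argv) > 1 else "192.0.2.10"  # placeholder DC address
    for svc, ok in probe_dc(dc).items():
        print(f"{'open   ' if ok else 'BLOCKED'}  {svc}")
    print("also allow dynamic RPC %d-%d (not probed: only listens when allocated)" % RPC_DYNAMIC_RANGE)
```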