List Archives

Subject: [ActiveDir] Which ports to open in the DMZ to communicate with AD & SQL...
boulware_jason
09/07/2005 3:28 AM
We are putting a MS sharepoint server in the DMZ and need to have it on the
domain and communicating with a SQL server on the domain. Because of these
needs, we only want to open the minimum number of ports to get
functionality. We have LDAP (389) opened and SQL (1433) opened. What other
ports will we need to open to be able to log in on the sharepoint server
with a domain account? Currently, with only these two ports opened, a
domain account can't log on to the sharepoint server in the DMZ.
Any help is MUCH appreciated.
List info : http://www.activedir.org/List.aspx

List FAQ : http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
AD00000928
09/07/2005 3:55 AM
Why did you decide to put it in the DMZ?

-ASB

On 9/7/05, Jason B wrote:
> We are putting a MS sharepoint server in the DMZ and need to have it on the
> domain and communicating with a SQL server on the domain. Because of these
> needs, we only want to open the minimum number of ports to get
> functionality. We have LDAP (389) opened and SQL (1433) opened. What other
> ports will we need to open to be able to log in on the sharepoint server
> with a domain account? Currently, with only these two ports opened, a
> domain account can't log on to the sharepoint server in the DMZ.
boulware_jason
09/07/2005 4:06 AM
Because this will be a sharepoint server for clients. Regardless, that
decision has already been made and I don't have any input into it.

Any info on the ports I'd need open?

----- Original Message -----
From: "ASB"

To:
Sent: Wednesday, September 07, 2005 8:45 AM
Subject: Re: [ActiveDir] Which ports to open in the DMZ to communicate with
AD & SQL...

Why did you decide to put it in the DMZ?

-ASB

On 9/7/05, Jason B wrote:
> We are putting a MS sharepoint server in the DMZ and need to have it on the
> domain and communicating with a SQL server on the domain. Because of these
> needs, we only want to open the minimum number of ports to get
> functionality. We have LDAP (389) opened and SQL (1433) opened. What other
> ports will we need to open to be able to log in on the sharepoint server
> with a domain account? Currently, with only these two ports opened, a
> domain account can't log on to the sharepoint server in the DMZ.

prenouf
09/07/2005 4:22 AM
If you absolutely HAVE to then I would prefer to look at using IPSec for communication between the Sharepoint box and your DC's. That leaves you only needing the IPSec port open and not the very large number of ports to support AD communication.


http://support.microsoft.com/kb/q179442/ 
Phil 
On 9/7/05, Jason B wrote:
> Because this will be a sharepoint server for clients. Regardless, that
> decision has already been made and I don't have any input into it.
>
> Any info on the ports I'd need open?
>
> ----- Original Message -----
> From: "ASB"
> To:
> Sent: Wednesday, September 07, 2005 8:45 AM
> Subject: Re: [ActiveDir] Which ports to open in the DMZ to communicate with AD & SQL...
>
> Why did you decide to put it in the DMZ?
>
> -ASB
>
> On 9/7/05, Jason B wrote:
> > We are putting a MS sharepoint server in the DMZ and need to have it on the
> > domain and communicating with a SQL server on the domain. Because of these
> > needs, we only want to open the minimum number of ports to get
> > functionality. We have LDAP (389) opened and SQL (1433) opened. What other
> > ports will we need to open to be able to log in on the sharepoint server
> > with a domain account? Currently, with only these two ports opened, a
> > domain account can't log on to the sharepoint server in the DMZ.
Alm@xxxx.yyy

09/07/2005 4:34 AM  
________________________________

From: ActiveDir-owner@xxxxxxxxxxxxxxxxxx on behalf of Jason B
Sent: Wed 9/7/2005 12:05 PM
To: ActiveDir@xxxxxxxxxxxxxxxxxx
Subject: Re: [ActiveDir] Which ports to open in the DMZ to communicate with AD & SQL...

Because this will be a sharepoint server for clients. Regardless, that
decision has already been made and I don't have any input into it.
Any info on the ports I'd need open?

----- Original Message -----
From: "ASB"
To:
Sent: Wednesday, September 07, 2005 8:45 AM
Subject: Re: [ActiveDir] Which ports to open in the DMZ to communicate with
AD & SQL...
Why did you decide to put it in the DMZ?

-ASB

On 9/7/05, Jason B wrote:
> We are putting a MS sharepoint server in the DMZ and need to have it on the
> domain and communicating with a SQL server on the domain. Because of these
> needs, we only want to open the minimum number of ports to get
> functionality. We have LDAP (389) opened and SQL (1433) opened. What other
> ports will we need to open to be able to log in on the sharepoint server
> with a domain account? Currently, with only these two ports opened, a
> domain account can't log on to the sharepoint server in the DMZ.
boulware_jason
09/07/2005 4:59 AM
I appreciate the replies... IPSec might be the way to go.
The problem with self-containing all the services is that the SQL server
that sharepoint needs to use is a DB that is also used internally - we need
to share this DB and some of the files with clients. I think a better
approach might be to use a combination of the two... putting the sharepoint
server in a new AD forest and just opening one port - 1433 - from the
sharepoint server in the DMZ to the SQL server in the LAN...
----- Original Message -----
From: "Al Mulnick"

To:
Sent: Wednesday, September 07, 2005 9:28 AM
Subject: RE: [ActiveDir] Which ports to open in the DMZ to communicate with
AD & SQL...

What you're doing is a horribly bad idea from a security perspective.
You might have better luck setting up an IPSec tunnel from the DMZ host to
the internal domain controllers, DNS servers (if different) and the SQL
machine. You'd be even better off if you made it self-contained. That is,
installed sharepoint, sql, AD on the same machine as a separate forest.
This came from a MOM agent in a DMZ scenario kb article and is essentially
the same for most of it.
http://support.microsoft.com/default.aspx?scid=kb;en-us;904866
Basically, you'll need the same ports because you want this to be a member
of the domain. From there, you'll have to trace the calls from startup to
completion to ensure you have all of the allow rules you need for your
specific implementation.
UDP port 53 to support Domain Name System (DNS) queries and dynamic
registrations

UDP port 88 to support Kerberos
UDP port 123 to support Network Time Protocol (NTP)
TCP port 135 to support remote procedure calls (RPC)
UDP port 389 and TCP port 389 to support Lightweight Directory Access
Protocol (LDAP)

TCP port 445 to support server message block (SMB)
________________________________

From: ActiveDir-owner@xxxxxxxxxxxxxxxxxx on behalf of Jason B
Sent: Wed 9/7/2005 12:05 PM
To: ActiveDir@xxxxxxxxxxxxxxxxxx
Subject: Re: [ActiveDir] Which ports to open in the DMZ to communicate with
AD & SQL...


Because this will be a sharepoint server for clients. Regardless, that
decision has already been made and I don't have any input into it.
Any info on the ports I'd need open?

----- Original Message -----
From: "ASB"
To:
Sent: Wednesday, September 07, 2005 8:45 AM
Subject: Re: [ActiveDir] Which ports to open in the DMZ to communicate with
AD & SQL...
Why did you decide to put it in the DMZ?

-ASB

On 9/7/05, Jason B wrote:

> We are putting a MS sharepoint server in the DMZ and need to have it on the
> domain and communicating with a SQL server on the domain. Because of these
> needs, we only want to open the minimum number of ports to get
> functionality. We have LDAP (389) opened and SQL (1433) opened. What other
> ports will we need to open to be able to log in on the sharepoint server
> with a domain account? Currently, with only these two ports opened, a
> domain account can't log on to the sharepoint server in the DMZ.

bdesmond
09/07/2005 5:24 AM
Agreed.

In any case, you'll want to add to that list of ports 3268 for Global
Catalog, your DCOM range, and if you have a CA deployed, 636 and 3269 for
SSL LDAP and GC.

Thanks,
Brian Desmond
brian@xxxxxxxxxxxxxxxx

c - 312.731.3132



-----Original Message-----
From: ActiveDir-owner@xxxxxxxxxxxxxxxxxx
[mailto:ActiveDir-owner@xxxxxxxxxxxxxxxxxx] On Behalf Of Jason B
Sent: Wednesday, September 07, 2005 12:58 PM
To: ActiveDir@xxxxxxxxxxxxxxxxxx
Subject: Re: [ActiveDir] Which ports to open in the DMZ to communicate with
AD & SQL...

I appreciate the replies... IPSec might be the way to go.
The problem with self-containing all the services is that the SQL server
that sharepoint needs to use is a DB that is also used internally - we need
to share this DB and some of the files with clients. I think a better
approach might be to use a combination of the two... putting the sharepoint

server in a new AD forest and just opening one port - 1433 - from the
sharepoint server in the DMZ to the SQL server in the LAN...

----- Original Message -----
From: "Al Mulnick"
To:
Sent: Wednesday, September 07, 2005 9:28 AM
Subject: RE: [ActiveDir] Which ports to open in the DMZ to communicate with
AD & SQL...
What you're doing is a horribly bad idea from a security perspective.

You might have better luck setting up an IPSec tunnel from the DMZ host to
the internal domain controllers, DNS servers (if different) and the SQL
machine. You'd be even better off if you made it self-contained. That is,
installed sharepoint, sql, AD on the same machine as a separate forest.

This came from a MOM agent in a DMZ scenario kb article and is essentially
the same for most of it.
http://support.microsoft.com/default.aspx?scid=kb;en-us;904866

Basically, you'll need the same ports because you want this to be a member
of the domain. From there, you'll have to trace the calls from startup to
completion to ensure you have all of the allow rules you need for your
specific implementation.

UDP port 53 to support Domain Name System (DNS) queries and dynamic
registrations
UDP port 88 to support Kerberos
UDP port 123 to support Network Time Protocol (NTP)
TCP port 135 to support remote procedure calls (RPC)
UDP port 389 and TCP port 389 to support Lightweight Directory Access
Protocol (LDAP)
TCP port 445 to support server message block (SMB)
________________________________

From: ActiveDir-owner@xxxxxxxxxxxxxxxxxx on behalf of Jason B
Sent: Wed 9/7/2005 12:05 PM
To: ActiveDir@xxxxxxxxxxxxxxxxxx
Subject: Re: [ActiveDir] Which ports to open in the DMZ to communicate with
AD & SQL...

Because this will be a sharepoint server for clients. Regardless, that
decision has already been made and I don't have any input into it.
Any info on the ports I'd need open?

----- Original Message -----
From: "ASB"
To:
Sent: Wednesday, September 07, 2005 8:45 AM
Subject: Re: [ActiveDir] Which ports to open in the DMZ to communicate with
AD & SQL...
Why did you decide to put it in the DMZ?

-ASB

On 9/7/05, Jason B wrote:
> We are putting a MS sharepoint server in the DMZ and need to have it on the
> domain and communicating with a SQL server on the domain. Because of these
> needs, we only want to open the minimum number of ports to get
> functionality. We have LDAP (389) opened and SQL (1433) opened. What other
> ports will we need to open to be able to log in on the sharepoint server
> with a domain account? Currently, with only these two ports opened, a
> domain account can't log on to the sharepoint server in the DMZ.
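The port list quoted above (Al Mulnick's KB-derived list plus Brian's 3268/636/3269 additions) is easy to get wrong by hand, so here is an added example, not code from anyone on the list, that turns it into two checks a defender can run before and after a firewall change: which required ports a given allow-list still lacks, and which TCP ports on a DC are actually reachable from the DMZ host. The DOMAIN_MEMBER_PORTS table, the host names and the throwaway local listener are assumptions for the demo; UDP entries are reported as "not checked" because a plain connect cannot prove a UDP path, and the site-specific DCOM range Brian mentions is left out.

```python
import socket
import threading
from typing import Dict, Iterable, List, Tuple

PortSpec = Tuple[str, int, str]  # (protocol, port, what it carries)

# Ports named in the thread for a domain member talking to its DCs
# (Al Mulnick's list from the MOM/DMZ KB article, plus Brian Desmond's
# additions). This table is an assumption for the demo; the DCOM range
# is site-specific and deliberately omitted.
DOMAIN_MEMBER_PORTS: List[PortSpec] = [
    ("udp", 53, "DNS queries and dynamic registration"),
    ("udp", 88, "Kerberos"),
    ("udp", 123, "NTP"),
    ("tcp", 135, "RPC endpoint mapper"),
    ("udp", 389, "LDAP"),
    ("tcp", 389, "LDAP"),
    ("tcp", 445, "SMB"),
    ("tcp", 3268, "Global Catalog"),
    ("tcp", 636, "LDAP over SSL (if a CA is deployed)"),
    ("tcp", 3269, "Global Catalog over SSL (if a CA is deployed)"),
]


def missing_from_allow_list(allowed: Iterable[Tuple[str, int]],
                            required: List[PortSpec] = DOMAIN_MEMBER_PORTS) -> List[PortSpec]:
    """Return the required (proto, port) entries that the firewall allow-list lacks."""
    allowed_set = {(proto.lower(), port) for proto, port in allowed}
    return [spec for spec in required if (spec[0], spec[1]) not in allowed_set]


def tcp_reachable(host: str, port: int, timeout: float = 2.0) -> bool:
    """True if a TCP handshake to host:port completes within the timeout."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:  # refused, filtered (timeout), unreachable, etc.
        return False


def check_ports(host: str, required: List[PortSpec] = DOMAIN_MEMBER_PORTS,
                timeout: float = 2.0) -> Dict[Tuple[str, int], str]:
    """Probe each TCP entry; UDP entries are reported as 'not checked'."""
    results: Dict[Tuple[str, int], str] = {}
    for proto, port, _purpose in required:
        if proto == "tcp":
            results[(proto, port)] = "open" if tcp_reachable(host, port, timeout) else "blocked"
        else:
            results[(proto, port)] = "not checked"
    return results


def start_local_listener() -> Tuple[socket.socket, int]:
    """Bind a throwaway TCP listener on 127.0.0.1 so the checker runs offline (demo only)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)
    port = srv.getsockname()[1]

    def accept_loop() -> None:
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:  # listener closed
                return
            conn.close()

    threading.Thread(target=accept_loop, daemon=True).start()
    return srv, port


def unused_local_port() -> int:
    """Pick a port nothing is listening on, to demonstrate a 'blocked' result."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]


if __name__ == "__main__":
    # Jason's starting point: only LDAP 389 and SQL 1433 are allowed through.
    for proto, port, purpose in missing_from_allow_list([("tcp", 389), ("tcp", 1433)]):
        print(f"missing: {proto}/{port} ({purpose})")
    # Offline reachability demo against a throwaway local listener.
    srv, open_port = start_local_listener()
    demo = [("tcp", open_port, "demo listener"),
            ("tcp", unused_local_port(), "nothing listening"),
            ("udp", 53, "DNS")]
    for (proto, port), state in check_ports("127.0.0.1", demo, timeout=1.0).items():
        print(f"{proto}/{port}: {state}")
    srv.close()
```

Run `check_ports("dc01.example.internal")` from the DMZ host with the real table to see what the firewall actually passes; a "blocked" TCP 445 or 135 explains the logon failure described in the first post, and the missing-from-allow-list report is what to hand to whoever owns the firewall rules.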
Alm@xxxx.yyy

09/07/2005 6:27 AM  
________________________________

From: ActiveDir-owner@xxxxxxxxxxxxxxxxxx on behalf of Brian Desmond
Sent: Wed 9/7/2005 1:22 PM
To: ActiveDir@xxxxxxxxxxxxxxxxxx
Subject: RE: [ActiveDir] Which ports to open in the DMZ to communicate with AD & SQL...

Agreed.

In any case, you'll want to add to that list of ports 3268 for Global
Catalog, your DCOM range, and if you have a CA deployed, 636 and 3269 for
SSL LDAP and GC.

Thanks,
Brian Desmond
brian@xxxxxxxxxxxxxxxx

c - 312.731.3132

-----Original Message-----
From: ActiveDir-owner@xxxxxxxxxxxxxxxxxx
[mailto:ActiveDir-owner@xxxxxxxxxxxxxxxxxx] On Behalf Of Jason B
Sent: Wednesday, September 07, 2005 12:58 PM
To: ActiveDir@xxxxxxxxxxxxxxxxxx
Subject: Re: [ActiveDir] Which ports to open in the DMZ to communicate with
AD & SQL...

I appreciate the replies... IPSec might be the way to go.
The problem with self-containing all the services is that the SQL server
that sharepoint needs to use is a DB that is also used internally - we need
to share this DB and some of the files with clients. I think a better
approach might be to use a combination of the two... putting the sharepoint

server in a new AD forest and just opening one port - 1433 - from the
sharepoint server in the DMZ to the SQL server in the LAN...

----- Original Message -----
From: "Al Mulnick"
To:
Sent: Wednesday, September 07, 2005 9:28 AM
Subject: RE: [ActiveDir] Which ports to open in the DMZ to communicate with
AD & SQL...
What you're doing is a horribly bad idea from a security perspective.

You might have better luck setting up an IPSec tunnel from the DMZ host to
the internal domain controllers, DNS servers (if different) and the SQL
machine. You'd be even better off if you made it self-contained. That is,
installed sharepoint, sql, AD on the same machine as a separate forest.

This came from a MOM agent in a DMZ scenario kb article and is essentially
the same for most of it.
http://support.microsoft.com/default.aspx?scid=kb;en-us;904866

Basically, you'll need the same ports because you want this to be a member
of the domain. From there, you'll have to trace the calls from startup to
completion to ensure you have all of the allow rules you need for your
specific implementation.

UDP port 53 to support Domain Name System (DNS) queries and dynamic
registrations
UDP port 88 to support Kerberos
UDP port 123 to support Network Time Protocol (NTP)
TCP port 135 to support remote procedure calls (RPC)
UDP port 389 and TCP port 389 to support Lightweight Directory Access
Protocol (LDAP)
TCP port 445 to support server message block (SMB)
________________________________

From: ActiveDir-owner@xxxxxxxxxxxxxxxxxx on behalf of Jason B
Sent: Wed 9/7/2005 12:05 PM
To: ActiveDir@xxxxxxxxxxxxxxxxxx
Subject: Re: [ActiveDir] Which ports to open in the DMZ to communicate with
AD & SQL...

Because this will be a sharepoint server for clients. Regardless, that
decision has already been made and I don't have any input into it.
Any info on the ports I'd need open?

----- Original Message -----
From: "ASB"
To:
Sent: Wednesday, September 07, 2005 8:45 AM
Subject: Re: [ActiveDir] Which ports to open in the DMZ to communicate with
AD & SQL...
Why did you decide to put it in the DMZ?

-ASB

On 9/7/05, Jason B wrote:
> We are putting a MS sharepoint server in the DMZ and need to have it on the
> domain and communicating with a SQL server on the domain. Because of these
> needs, we only want to open the minimum number of ports to get
> functionality. We have LDAP (389) opened and SQL (1433) opened. What other
> ports will we need to open to be able to log in on the sharepoint server
> with a domain account? Currently, with only these two ports opened, a
> domain account can't log on to the sharepoint server in the DMZ.
AD00000928
09/07/2005 8:24 AM
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Regardless, that decision has already been made and I don't have any
input into it.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

I think you should make an attempt to point out the precarious
location of this server, since security appears to be a concern.

You'll have more holes open in the firewall to address this box where
it is, than you'd have to have if the box were inside.

If you want domain logon capabilities, then you need to allow SMB
traffic (TCP 445), DNS and Kerberos, among others -- and I would deem
that highly inadvisable.
-ASB
FAST, CHEAP, SECURE: Pick Any TWO
http://www.ultratech-llc.com/KB/

On 9/7/05, Jason B wrote:
> Because this will be a sharepoint server for clients. Regardless, that
> decision has already been made and I don't have any input into it.
> Any info on the ports I'd need open?
>
> ----- Original Message -----
> From: "ASB"
> To:
> Sent: Wednesday, September 07, 2005 8:45 AM
> Subject: Re: [ActiveDir] Which ports to open in the DMZ to communicate with
> AD & SQL...
>
>
> Why did you decide to put it in the DMZ?
>
> -ASB
>
> On 9/7/05, Jason B wrote:
> > We are putting a MS sharepoint server in the DMZ and need to have it on the
> > domain and communicating with a SQL server on the domain. Because of these
> > needs, we only want to open the minimum number of ports to get
> > functionality. We have LDAP (389) opened and SQL (1433) opened. What other
> > ports will we need to open to be able to log in on the sharepoint server
> > with a domain account? Currently, with only these two ports opened, a
> > domain account can't log on to the sharepoint server in the DMZ.
TonyTest
09/07/2005 9:26 AM
> If you absolutely HAVE to then I would prefer to look at using IPSec for
> communication between the Sharepoint box and your DC's

IPSec would be good, but it isn't supported between member
servers and DCs.

http://support.microsoft.com/default.aspx?scid=kb;en-us;Q254949

Tony
From: ActiveDir-owner@xxxxxxxxxxxxxxxxxx [mailto:ActiveDir-owner@xxxxxxxxxxxxxxxxxx] On Behalf Of Phil Renouf
Sent: Thursday, 8 September 2005 4:20 a.m.
To: ActiveDir@xxxxxxxxxxxxxxxxxx
Subject: Re: [ActiveDir] Which ports to open in the DMZ to communicate with AD & SQL...

I would look at putting the Sharepoint server on the internal network and
deploy an ISA server in the DMZ and use Web Publishing or Server Publishing to
get your external clients access to the site. If you want to open access from
the DMZ to your AD Forest your firewall will be swiss cheese from all the ports
that need to be open.

If you absolutely HAVE to then I would prefer to look at using IPSec for
communication between the Sharepoint box and your DC's. That leaves you only
needing the IPSec port open and not the very large number of ports to support AD
communication.

http://support.microsoft.com/kb/q179442/ 
Phil 
On 9/7/05, Jason B <boulware_jason@xxxxxxxxxxx> wrote:
> Because this will be a sharepoint server for clients. Regardless, that
> decision has already been made and I don't have any input into it.
>
> Any info on the ports I'd need open?
>
> ----- Original Message -----
> From: "ASB" <abaker@xxxxxxxxx>
> To: <ActiveDir@xxxxxxxxxxxxxxxxxx>
> Sent: Wednesday, September 07, 2005 8:45 AM
> Subject: Re: [ActiveDir] Which ports to open in the DMZ to communicate with AD & SQL...
>
> Why did you decide to put it in the DMZ?
>
> -ASB
>
> On 9/7/05, Jason B <boulware_jason@xxxxxxxxxxx> wrote:
> > We are putting a MS sharepoint server in the DMZ and need to have it on the
> > domain and communicating with a SQL server on the domain. Because of these
> > needs, we only want to open the minimum number of ports to get
> > functionality. We have LDAP (389) opened and SQL (1433) opened. What other
> > ports will we need to open to be able to log in on the sharepoint server
> > with a domain account? Currently, with only these two ports opened, a
> > domain account can't log on to the sharepoint server in the DMZ.
prenouf
09/07/2005 11:03 AM
> If you absolutely HAVE to then I would prefer to look at using IPSec for communication between the Sharepoint box and your DC's


IPSec would be good, but it isn't supported between member servers and DCs.


http://support.microsoft.com/default.aspx?scid=kb;en-us;Q254949

Tony
From: ActiveDir-owner@xxxxxxxxxxxxxxxxxx [mailto:ActiveDir-owner@xxxxxxxxxxxxxxxxxx] On Behalf Of Phil Renouf
Sent: Thursday, 8 September 2005 4:20 a.m.
To: ActiveDir@xxxxxxxxxxxxxxxxxx
Subject: Re: [ActiveDir] Which ports to open in the DMZ to communicate with AD & SQL...

I would look at putting the Sharepoint server on the internal network and deploy an ISA server in the DMZ and use Web Publishing or Server Publishing to get your external clients access to the site. If you want to open access from the DMZ to your AD Forest your firewall will be swiss cheese from all the ports that need to be open.


If you absolutely HAVE to then I would prefer to look at using IPSec for communication between the Sharepoint box and your DC's. That leaves you only needing the IPSec port open and not the very large number of ports to support AD communication.


http://support.microsoft.com/kb/q179442/ 
Phil 

On 9/7/05, Jason B wrote:
> Because this will be a sharepoint server for clients. Regardless, that
> decision has already been made and I don't have any input into it.
>
> Any info on the ports I'd need open?
>
> ----- Original Message -----
> From: "ASB"
> To:
> Sent: Wednesday, September 07, 2005 8:45 AM
> Subject: Re: [ActiveDir] Which ports to open in the DMZ to communicate with AD & SQL...
>
> Why did you decide to put it in the DMZ?
>
> -ASB
>
> On 9/7/05, Jason B wrote:
> > We are putting a MS sharepoint server in the DMZ and need to have it on the
> > domain and communicating with a SQL server on the domain. Because of these
> > needs, we only want to open the minimum number of ports to get
> > functionality. We have LDAP (389) opened and SQL (1433) opened. What other
> > ports will we need to open to be able to log in on the sharepoint server
> > with a domain account? Currently, with only these two ports opened, a
> > domain account can't log on to the sharepoint server in the DMZ.
aricbernard
09/07/2005 11:42 AM
I agree with Phil - I think using an ISA (or other reverse proxy solution) is the best way to go given your constraints.

Using a reverse proxy solution allows you the following:
- Keep your Sharepoint server behind the firewall, yet make it accessible to external clients as if it was in the DMZ.
- Restrict your [additional] holes through the firewall to only that needed by the reverse proxy solution to interact with the Sharepoint server (port 80).


BTW - this scenario is becoming extremely
common.  The next common addition you will see to this will likely be the use
of ADFS to provide an identity trust bridge between the internal forest and a
partner forest (or other identity system).



Regards,



Aric Bernard



From: ActiveDir-owner@xxxxxxxxxxxxxxxxxx [mailto:ActiveDir-owner@xxxxxxxxxxxxxxxxxx] On Behalf Of Phil Renouf
Sent: Wednesday, September 07, 2005 9:20 AM
To: ActiveDir@xxxxxxxxxxxxxxxxxx
Subject: Re: [ActiveDir] Which ports to open in the DMZ to communicate with AD & SQL...



I would look at putting the Sharepoint server on the internal network
and deploy an ISA server in the DMZ and use Web Publishing or Server Publishing
to get your external clients access to the site. If you want to open access from
the DMZ to your AD Forest your firewall will
be swiss cheese from all the ports that need to be open.



If you absolutely HAVE to then I would prefer to look at using IPSec
for communication between the Sharepoint box and your DC's. That leaves you only
needing the IPSec port open and not the very large number of ports to support
AD communication.



http://support.microsoft.com/kb/q179442/


Phil


On 9/7/05, Jason B wrote:

Because this will be a sharepoint server for
clients.  Regardless, that
decision has already been made and I don't have any input into it.
Any info on the ports I'd need open?

----- Original Message -----
From: "ASB"
To:
Sent: Wednesday, September 07, 2005 8:45 AM
Subject: Re: [ActiveDir] Which ports to open in the DMZ to communicate with
AD & SQL...
Why did you decide to put it in the DMZ?

-ASB

On 9/7/05, Jason B wrote:
> We are putting a MS sharepoint server in the DMZ and need to have it on the
> domain and communicating with a SQL server on the domain. Because of these
> needs, we only want to open the minimum number of ports to get
> functionality. We have LDAP (389) opened and SQL (1433) opened. What other
> ports will we need to open to be able to log in on the sharepoint server
> with a domain account? Currently, with only these two ports opened, a
> domain account can't log on to the sharepoint server in the DMZ.
Alm@xxxx.yyy

09/08/2005 2:25 AM  
________________________________

From: ActiveDir-owner@xxxxxxxxxxxxxxxxxx on behalf of Bernard, Aric
Sent: Thu 9/8/2005 1:26 AM
To: ActiveDir@xxxxxxxxxxxxxxxxxx
Subject: RE: [ActiveDir] Which ports to open in the DMZ to communicate with AD & SQL...

Yes, in fact I have implemented this (under Windows 2000).



________________________________

From: ActiveDir-owner@xxxxxxxxxxxxxxxxxx [mailto:ActiveDir-owner@xxxxxxxxxxxxxxxxxx] On Behalf Of Tony Murray
Sent: Wednesday, September 07, 2005 7:44 PM
To: ActiveDir@xxxxxxxxxxxxxxxxxx
Subject: RE: [ActiveDir] Which ports to open in the DMZ to communicate with AD & SQL...



Using certificates to allow IPSec between clients/member servers and DCs sounds good. Has anyone actually done this? I'd be interested, as I'm surprised the KB article didn't mention this as an alternative. I've also heard (more than once) some statements from MS people to the effect that "IPSec between member servers and DCs is not supported".



Tony



________________________________

From: ActiveDir-owner@xxxxxxxxxxxxxxxxxx [mailto:ActiveDir-owner@xxxxxxxxxxxxxxxxxx] On Behalf Of Phil Renouf
Sent: Thursday, 8 September 2005 2:30 p.m.
To: ActiveDir@xxxxxxxxxxxxxxxxxx
Subject: Re: [ActiveDir] Which ports to open in the DMZ to communicate with AD & SQL...

That was the way that I understood that paragraph as well.



And to give a little more information about Aric's point on not being able to monitor the traffic between the DMZ host and the DC's; that is why it is important to have an Intrusion Detection/Intrusion Prevention system in place. Even in a small shop this can save you a lot of headaches if properly maintained and will let you monitor for malicious traffic on the DMZ host and the DC's. It is a good way to mitigate many security admins concerns about opening encrypted tunnels through the firewalls.



Phil



On 9/7/05, Bernard, Aric wrote:

The quote relates to when you are using Kerberos as the method to setup the secure connection (ISAKMP). If you use certificates then IPSec can be used end-to-end between clients/member servers and DCs.



Aric



________________________________

From: ActiveDir-owner@xxxxxxxxxxxxxxxxxx [mailto:ActiveDir-owner@xxxxxxxxxxxxxxxxxx] On Behalf Of Tony Murray
Sent: Wednesday, September 07, 2005 5:24 PM
To: ActiveDir@xxxxxxxxxxxxxxxxxx
Subject: RE: [ActiveDir] Which ports to open in the DMZ to communicate with AD & SQL...



Hi Phil



Here's the text I was referring to:



Currently, we do not support using IPSec to encrypt network traffic from a domain member server to a domain controller when you apply the IPSec policies by using Group Policy or when you use the Kerberos authentication method.

The goal with IPSec is to encrypt the traffic between the two sides and with the scenario described below you would need Kerberos authentication. Or have I missed something?



Tony



________________________________

From: ActiveDir-owner@xxxxxxxxxxxxxxxxxx [mailto: ActiveDir-owner@xxxxxxxxxxxxxxxxxx ] On Behalf Of Phil Renouf
Sent: Thursday, 8 September 2005 11:02 a.m.
To: ActiveDir@xxxxxxxxxxxxxxxxxx
Subject: Re: [ActiveDir] Which ports to open in the DMZ to communicate with AD & SQL...

Did I miss something in that article? I don't see where it says client > DC via IPSec is not supported; just that you can't encrypt Kerberos traffic.



Phil



On 9/7/05, Tony Murray wrote:

> If you absolutely HAVE to then I would prefer to look at using IPSec for communication between the Sharepoint box and your DC's



IPSec would be good, but it isn't supported between member servers and DCs.



http://support.microsoft.com/default.aspx?scid=kb;en-us;Q254949



Tony



________________________________

From: ActiveDir-owner@xxxxxxxxxxxxxxxxxx [mailto: ActiveDir-owner@xxxxxxxxxxxxxxxxxx ] On Behalf Of Phil Renouf
Sent: Thursday, 8 September 2005 4:20 a.m.

To: ActiveDir@xxxxxxxxxxxxxxxxxx
Subject: Re: [ActiveDir] Which ports to open in the DMZ to communicate with AD & SQL...




I would look at putting the Sharepoint server on the internal network and deploy an ISA server in the DMZ and use Web Publishing or Server Publishing to get your external clients access to the site. If you want to open access from the DMZ to your AD Forest your firewall will be swiss cheese from all the ports that need to be open.



If you absolutely HAVE to then I would prefer to look at using IPSec for communication between the Sharepoint box and your DC's. That leaves you only needing the IPSec port open and not the very large number of ports to support AD communication.



http://support.microsoft.com/kb/q179442/


Phil


On 9/7/05, Jason B > wrote:

Because this will be a sharepoint server for clients. Regardless, that
decision has already been made and I don't have any input into it.
Any info on the ports I'd need open?

----- Original Message -----
From: "ASB"
To:
Sent: Wednesday, September 07, 2005 8:45 AM
Subject: Re: [ActiveDir] Which ports to open in the DMZ to communicate with
AD & SQL...
Why did you decide to put it in the DMZ?

-ASB

On 9/7/05, Jason B wrote:
> We are putting a MS sharepoint server in the DMZ and need to have it on
> the
> domain and communicating with a SQL server on the domain. Because of
> these
> needs, we only want to open the minimum number of ports to get
> functionality. We have LDAP (389) opened and SQL (1433) opened. What
> other
> ports will we need to open to be able to log in on the sharepoint server
> with a domain account? Currently, with only these two ports opened, a
> domain account can't log on to the sharepoint server in the DMZ.
List info : http://www.activedir.org/List.aspx
List FAQ : http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/



________________________________

This e-mail message has been scanned for Viruses and Content and cleared by NetIQ MailMarshal at Gen-i Limited

prenouf

09/08/2005 2:30 AM
Phil 
On 9/7/05, Bernard, Aric wrote:
The quote relates to when you are using Kerberos as the method to set up the secure connection (ISAKMP). If you use certificates then IPSec can be used end-to-end between clients/member servers and DCs.


Aric



TonyTest

09/08/2005 2:46 AM
Using certificates to allow IPSec between clients/member servers and DCs sounds good. Has anyone actually done this? I'd be interested, as I'm surprised the KB article didn't mention this as an alternative. I've also heard (more than once) some statements from MS people to the effect that "IPSec between member servers and DCs is not supported".

Tony

From: ActiveDir-owner@xxxxxxxxxxxxxxxxxx [mailto:ActiveDir-owner@xxxxxxxxxxxxxxxxxx] On Behalf Of Phil Renouf
Sent: Thursday, 8 September 2005 2:30 p.m.
To: ActiveDir@xxxxxxxxxxxxxxxxxx
Subject: Re: [ActiveDir] Which ports to open in the DMZ to communicate with AD & SQL...

That was the way that I understood that paragraph as well.

And to give a little more information about Aric's point on not being able to monitor the traffic between the DMZ host and the DC's; that is why it is important to have an Intrusion Detection/Intrusion Prevention system in place. Even in a small shop this can save you a lot of headaches if properly maintained and will let you monitor for malicious traffic on the DMZ host and the DC's. It is a good way to mitigate many security admins' concerns about opening encrypted tunnels through the firewalls.

Phil 
aricbernard

09/08/2005 5:29 AM
Yes, in fact I have implemented this (under Windows 2000).



From: ActiveDir-owner@xxxxxxxxxxxxxxxxxx [mailto:ActiveDir-owner@xxxxxxxxxxxxxxxxxx] On Behalf Of Tony Murray
Sent: Wednesday, September 07, 2005 7:44 PM
To: ActiveDir@xxxxxxxxxxxxxxxxxx
Subject: RE: [ActiveDir] Which ports to open in the DMZ to communicate with AD & SQL...

Using certificates to allow IPSec between clients/member servers and DCs sounds good. Has anyone actually done this? I'd be interested, as I'm surprised the KB article didn't mention this as an alternative. I've also heard (more than once) some statements from MS people to the effect that "IPSec between member servers and DCs is not supported".

Tony





boulware_jason

09/08/2005 8:38 AM
This has been a GREAT discussion and I have received a lot of useful info.
I really appreciate the replies, suggestions, slams and help. I think I am
going to revisit trying to have the sharepoint server moved to the LAN and
see if I can't convince the powers that be to apportion an ISA license and
hardware appropriate for running ISA to put on the DMZ. We already have a
sharepoint server on the LAN... I am not too familiar with sharepoint, but
I wonder if the existing sharepoint server can handle both the internal and
external users... That's a question for another group, I guess.
Anyway, I gathered quite a bit from the posts and discussion, but what are
the main specific and concrete points that I am going to want to bring up to
dissuade them from having the sharepoint server on the DMZ? My expertise
isn't in the hardware/networking aspect of configuration, but I know enough
that I am not comfortable opening all the ports for AD auth from the DMZ to
the LAN. Our network admin didn't think that it was a big deal to open the
ports since it was "only on the DMZ" and he could control the traffic that
was allowed to the DMZ.

----- Original Message -----
From: "Al Mulnick"

To:
Sent: Wednesday, September 07, 2005 5:04 PM
Subject: RE: [ActiveDir] Which ports to open in the DMZ to communicate with
AD & SQL...

Looks like we have plenty of ideas and opinions ;)

ISA is a great way to deal with this, but I believe the decision was made to
put the SP machine in the DMZ regardless of the technical merit or
viability. And whether or not it is a good idea. That said, ISA doesn't
offer much if you put it AND this machine in a semi-trusted network (for
whatever that means these days.)
Shame there's no leeway though. The downside to using IPSec is that as
others have pointed out, it won't work on member server DC for W2K
servers (limitation of the OS) but will for 2K3 member servers but that
still leaves you with a secure channel from the DMZ host to your internal
network. That means you can't monitor the traffic from the DMZ to your
internal network because it's encrypted (sounds like a broken record, I
know.)
Too bad you can't sway the decision makers to do this differently. But
hopefully you've received a lot of ideas to pick from.
Best of luck,
Al

________________________________

From: ActiveDir-owner@xxxxxxxxxxxxxxxxxx on behalf of Bernard, Aric
Sent: Wed 9/7/2005 7:40 PM
To: ActiveDir@xxxxxxxxxxxxxxxxxx
Subject: RE: [ActiveDir] Which ports to open in the DMZ to communicate with
AD & SQL...


I agree with Phil - I think using an ISA (or other reverse proxy solution)
is the best way to go given your constraints.


Using a reverse proxy solution allows you the following:

1. Keep your Sharepoint server behind the firewall, yet make it accessible to
external clients as if it was in the DMZ.
2. Restrict your [additional] holes through the firewall to only that needed
by the reverse proxy solution to interact with the Sharepoint server (port
80).


BTW - this scenario is becoming extremely common. The next common addition
you will see to this will likely be the use of ADFS to provide an identity
trust bridge between the internal forest and a partner forest (or other
identity system).


Regards,

Aric Bernard

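Jason's question in the post above (which concrete points show the cost of a domain-joined host in the DMZ against the reverse-proxy design Phil and Aric describe) can be put in numbers. The following Python script is an added example, not code from the thread or from any of its participants: it takes a constructed set of "permit DMZ host to internal network" firewall rules, checks it against the ports a domain-joined member server must reach on its DCs for a domain account to log on (the usual "firewall for domains and trusts" set; as assumptions, the RPC dynamic range is the Windows 2000/2003 default and the Global Catalog entry only matters in a multi-domain forest), reports which services are still blocked, and counts how many distinct ports each design leaves open. The rule sets, service labels and helper functions are illustrative assumptions.

```python
"""Exposure check for a DMZ host that must talk to internal domain controllers.

Added example (not from the ActiveDir thread). Given the firewall rules that
permit traffic from the DMZ host into the internal network, report which of
the services a domain-joined member server needs for logon are reachable,
and how many distinct ports each design leaves open.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Rule:
    """One 'permit DMZ host -> internal' rule: protocol and inclusive port range."""
    proto: str
    lo: int
    hi: int


def allow(proto: str, lo: int, hi: Optional[int] = None) -> Rule:
    """Build a Rule; a single port is a range of length one."""
    return Rule(proto.lower(), lo, lo if hi is None else hi)


# Ports a domain-joined member server must reach on its DCs for a domain
# account to log on. Assumptions: the RPC dynamic range is the Windows
# 2000/2003 default, and the Global Catalog entry matters only in a
# multi-domain forest.
AD_LOGON_SERVICES: Dict[str, List[Tuple[str, int, int]]] = {
    "DNS (DC locator)": [("udp", 53, 53), ("tcp", 53, 53)],
    "Kerberos": [("tcp", 88, 88), ("udp", 88, 88)],
    "RPC endpoint mapper": [("tcp", 135, 135)],
    "LDAP (389/udp is the LDAP ping)": [("tcp", 389, 389), ("udp", 389, 389)],
    "SMB / Netlogon secure channel": [("tcp", 445, 445)],
    "RPC dynamic range (Netlogon, SAMR, DRS)": [("tcp", 1024, 65535)],
    "Global Catalog (multi-domain forest)": [("tcp", 3268, 3268)],
}


def _merged(rules: List[Rule], proto: str) -> List[Tuple[int, int]]:
    """Merge the permitted ranges for one protocol into sorted, disjoint intervals."""
    merged: List[Tuple[int, int]] = []
    for lo, hi in sorted((r.lo, r.hi) for r in rules if r.proto == proto):
        if merged and lo <= merged[-1][1] + 1:  # overlapping or adjacent
            merged[-1] = (merged[-1][0], max(merged[-1][1], hi))
        else:
            merged.append((lo, hi))
    return merged


def range_open(rules: List[Rule], proto: str, lo: int, hi: int) -> bool:
    """True only if every port in lo..hi is permitted for proto."""
    return any(a <= lo and hi <= b for a, b in _merged(rules, proto))


def assess(rules: List[Rule]) -> Dict[str, bool]:
    """For each AD logon service, whether all of its ports/protocols are reachable."""
    return {
        name: all(range_open(rules, proto, lo, hi) for proto, lo, hi in needs)
        for name, needs in AD_LOGON_SERVICES.items()
    }


def missing_for_logon(rules: List[Rule]) -> List[str]:
    """Services still blocked; a non-empty list means domain logon will fail."""
    return [name for name, ok in assess(rules).items() if not ok]


def exposed_ports(rules: List[Rule]) -> int:
    """Distinct (proto, port) pairs the rules permit: the 'swiss cheese' count."""
    return sum(hi - lo + 1 for proto in ("tcp", "udp") for lo, hi in _merged(rules, proto))


# Constructed rule sets for the three designs discussed in the thread.
CURRENT_DMZ = [allow("tcp", 389), allow("tcp", 1433)]  # LDAP + SQL only
DOMAIN_JOINED_DMZ = CURRENT_DMZ + [
    allow(proto, lo, hi) for needs in AD_LOGON_SERVICES.values() for proto, lo, hi in needs
]
REVERSE_PROXY = [allow("tcp", 80)]  # ISA in the DMZ publishing an internal SharePoint


def report(label: str, rules: List[Rule]) -> None:
    print(f"{label}: {exposed_ports(rules)} port(s) open; "
          f"blocked for logon: {missing_for_logon(rules) or 'none'}")


if __name__ == "__main__":
    for label, rules in (("current DMZ rules", CURRENT_DMZ),
                         ("domain-joined DMZ host", DOMAIN_JOINED_DMZ),
                         ("reverse proxy only", REVERSE_PROXY)):
        report(label, rules)
```

With only 389/tcp and 1433/tcp permitted, the report shows why a domain account cannot log on: DNS, Kerberos, the RPC endpoint mapper, SMB and the RPC dynamic range are all blocked, and even LDAP is incomplete because the DC locator's LDAP ping uses 389/udp. Making the host fully domain-joined opens more than 64,000 tcp ports once the dynamic RPC range is counted, against a single port for the reverse-proxy design, where the DMZ host does not need to reach the DCs at all.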
Alm@xxxx.yyy

09/08/2005 10:11 AM  
________________________________

From: ActiveDir-owner@xxxxxxxxxxxxxxxxxx on behalf of Jason B
Sent: Thu 9/8/2005 4:37 PM
To: ActiveDir@xxxxxxxxxxxxxxxxxx
Subject: Re: [ActiveDir] Which ports to open in the DMZ to communicate with AD & SQL...

bdesmond

09/08/2005 10:17 AM
I am, perhaps unfortunately, quite familiar with Sharepoint.

Your sharepoint server like any other member server can be a member of one
domain. If your extranet users are in a domain trusted by the server's
domain or another domain in the forest, you can just service them with
multiple portals. You can have up to, I think it's, 50 portals per frontend. Of
course, I don't really recommend having your extranet accounts in your corp
forest...

I used to have my sharepoint environment sitting in a "DMZ" subnet. It was
hell dealing with the spaghetti mess of ports on the checkpoints. Now we
have this special subnet that the WAN people call the AD Load Balanced
subnet. It's a class C that sits on the Cisco CSM and SSM modules in a
couple of 6509s. The subnet hangs off a PIX FWSM vlan interface, and they
have all the ports for domain joined machines open from that subnet to the
DCs. It's actually pretty easy. The Windows folks gave the WAN folks a
comprehensive list of ports that need to be open for AD, a/v, mgmt, etc, and
they made PIX and Checkpoint rules for that subnet. Now when we need to load
balance anything domain joined, the servers just go in this subnet, they
setup the CSMs, and then the firewall people just have to add additional
special rules (like connecting to SQL, for example).
Thanks,
Brian Desmond
brian@xxxxxxxxxxxxxxxx

c - 312.731.3132



-----Original Message-----
From: ActiveDir-owner@xxxxxxxxxxxxxxxxxx
[mailto:ActiveDir-owner@xxxxxxxxxxxxxxxxxx] On Behalf Of Jason B
Sent: Thursday, September 08, 2005 4:37 PM
To: ActiveDir@xxxxxxxxxxxxxxxxxx
Subject: Re: [ActiveDir] Which ports to open in the DMZ to communicate with
AD & SQL...

This has been a GREAT discussion and I have received a lot of useful info.
I really appreciate the replies, suggestions, slams and help. I think I am
going to revisit trying to have the sharepoint server moved to the LAN and
see if I can't convince the powers that be to apportion an ISA license and
hardware appropriate for running ISA to put on the DMZ. We already have a
sharepoint server on the LAN... I am not too familiar with sharepoint, but
I wonder if the existing sharepoint server can handle both the internal and
external users... That's a question for another group, I guess.

Anyway, I gathered quite a bit from the posts and discussion, but what are
the main specific and concrete points that I am going to want to bring up to
dissuade them from having the sharepoint server on the DMZ? My expertise
isn't in the hardware/networking aspect of configuration, but I know enough
that I am not comfortable opening all the ports for AD auth from the DMZ to
the LAN. Our network admin didn't think that it was a big deal to open the
ports since it was "only on the DMZ" and he could control the traffic that
was allowed to the DMZ.
----- Original Message -----
From: "Al Mulnick"
To:
Sent: Wednesday, September 07, 2005 5:04 PM
Subject: RE: [ActiveDir] Which ports to open in the DMZ to communicate with
AD & SQL...
Looks like we have plenty of ideas and opinions ;)

ISA is a great way to deal with this, but I believe the decision was made to
put the SP machine in the DMZ regardless of the technical merit or
viability. And whether or not it is a good idea. That said, ISA doesn't
offer much if you put it AND this machine in a semi-trusted network (for
whatever that means these days.)

Shame there's no leeway though. The downside to using IPSec is that as
others have pointed out, it won't work on member server DC for W2K
servers (limitation of the OS) but will for 2K3 member servers but that
still leaves you with a secure channel from the DMZ host to your internal
network. That means you can't monitor the traffic from the DMZ to your
internal network because it's encrypted (sounds like a broken record, I
know.)

Too bad you can't sway the decision makers to do this differently. But
hopefully you've received a lot of ideas to pick from.

Best of luck,
Al

________________________________

From: ActiveDir-owner@xxxxxxxxxxxxxxxxxx on behalf of Bernard, Aric
Sent: Wed 9/7/2005 7:40 PM
To: ActiveDir@xxxxxxxxxxxxxxxxxx
Subject: RE: [ActiveDir] Which ports to open in the DMZ to communicate with
AD & SQL...

I agree with Phil - I think using an ISA (or other reverse proxy solution)
is the best way to go given your constraints.

Using a reverse proxy solution allows you the following:

1. Keep your Sharepoint server behind the firewall, yet make it accessible to
external clients as if it was in the DMZ.
2. Restrict your [additional] holes through the firewall to only that needed
by the reverse proxy solution to interact with the Sharepoint server (port
80).

BTW - this scenario is becoming extremely common. The next common addition
you will see to this will likely be the use of ADFS to provide an identity
trust bridge between the internal forest and a partner forest (or other
identity system).

Regards,

Aric Bernard

________________________________

From: ActiveDir-owner@xxxxxxxxxxxxxxxxxx
[mailto:ActiveDir-owner@xxxxxxxxxxxxxxxxxx] On Behalf Of Phil Renouf
Sent: Wednesday, September 07, 2005 9:20 AM
To: ActiveDir@xxxxxxxxxxxxxxxxxx
Subject: Re: [ActiveDir] Which ports to open in the DMZ to communicate with
AD & SQL...

I would look at putting the Sharepoint server on the internal network and
deploy an ISA server in the DMZ and use Web Publishing or Server Publishing
to get your external clients access to the site. If you want to open access
from the DMZ to your AD Forest your firewall will be swiss cheese from all
the ports that need to be open.

If you absolutely HAVE to then I would prefer to look at using IPSec for
communication between the Sharepoint box and your DC's. That leaves you only
needing the IPSec port open and not the very large number of ports to
support AD communication.

http://support.microsoft.com/kb/q179442/
Phil
On 9/7/05, Jason B wrote:

Because this will be a sharepoint server for clients. Regardless, that
decision has already been made and I don't have any input into it.
Any info on the ports I'd need open?

----- Original Message -----
From: "ASB"
To:
Sent: Wednesday, September 07, 2005 8:45 AM
Subject: Re: [ActiveDir] Which ports to open in the DMZ to communicate with
AD & SQL...
Why did you decide to put it in the DMZ?

-ASB

On 9/7/05, Jason B wrote:
> We are putting a MS sharepoint server in the DMZ and need to have it on
> the
> domain and communicating with a SQL server on the domain. Because of
> these
> needs, we only want to open the minimum number of ports to get
> functionality. We have LDAP (389) opened and SQL (1433) opened. What
> other
> ports will we need to open to be able to log in on the sharepoint server
> with a domain account? Currently, with only these two ports opened, a
> domain account can't log on to the sharepoint server in the DMZ.
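The three designs argued over in this thread (every AD port open from the DMZ, IPsec between the DMZ host and the DCs, or a reverse proxy with only port 80 through to the LAN) as an added audit script; this is not code from the list or from any poster. The rule syntax, the three rule sets and the IPsec rule pair (IKE on UDP 500 plus ESP) are constructed assumptions, and the AD port table goes beyond the thread, which never lists the ports, by using the well-known Windows 2000/2003 member-server set.

```python
from collections import namedtuple

# Well-known ports a Windows 2000/2003 member server needs to reach its DCs
# (constructed table, not from the thread). Every entry of a service must be
# open for it to work; covering part of the RPC range is not enough.
AD_PORTS = {
    "dns": [("udp", 53, 53), ("tcp", 53, 53)],
    "kerberos": [("udp", 88, 88), ("tcp", 88, 88)],
    "kpasswd": [("udp", 464, 464), ("tcp", 464, 464)],
    "ntp": [("udp", 123, 123)],
    "rpc-endpoint-mapper": [("tcp", 135, 135)],
    "ldap": [("udp", 389, 389), ("tcp", 389, 389)],
    "global-catalog": [("tcp", 3268, 3268)],
    "smb": [("tcp", 445, 445)],
    "rpc-dynamic": [("tcp", 1025, 5000)],  # W2K/2K3-era dynamic RPC range
}

Rule = namedtuple("Rule", "src dst proto lo hi")

def parse_rules(lines):
    """Parse constructed lines like 'DMZ -> LAN tcp 1025-5000' ('*' = no port)."""
    rules = []
    for line in lines:
        src, _, dst, proto, ports = line.split()
        if ports == "*":
            lo = hi = 0
        elif "-" in ports:
            lo, hi = (int(p) for p in ports.split("-"))
        else:
            lo = hi = int(ports)
        rules.append(Rule(src, dst, proto.lower(), lo, hi))
    return rules

def exposed_ports(rules, src="DMZ", dst="LAN"):
    """Distinct (proto, port) pairs the rule set opens from src to dst."""
    return {(r.proto, p) for r in rules if (r.src, r.dst) == (src, dst)
            for p in range(r.lo, r.hi + 1)}

def reachable_ad_services(rules):
    """AD services whose every port is open DMZ -> LAN (the 'swiss cheese')."""
    opened = exposed_ports(rules)
    return sorted(svc for svc, needs in AD_PORTS.items()
                  if all((proto, p) in opened
                         for proto, lo, hi in needs for p in range(lo, hi + 1)))

# The three designs from the thread, as constructed DMZ -> LAN rule sets.
CONSTRUCTED_RULESETS = {
    "member-in-dmz": ["DMZ -> LAN udp 53", "DMZ -> LAN tcp 53", "DMZ -> LAN udp 88",
        "DMZ -> LAN tcp 88", "DMZ -> LAN udp 464", "DMZ -> LAN tcp 464",
        "DMZ -> LAN udp 123", "DMZ -> LAN tcp 135", "DMZ -> LAN udp 389",
        "DMZ -> LAN tcp 389", "DMZ -> LAN tcp 3268", "DMZ -> LAN tcp 445",
        "DMZ -> LAN tcp 1025-5000", "DMZ -> LAN tcp 1433"],
    # IPsec (assumed IKE on UDP 500 plus ESP) carries all AD traffic; only SQL is left
    "member-in-dmz-ipsec": ["DMZ -> LAN udp 500", "DMZ -> LAN esp *", "DMZ -> LAN tcp 1433"],
    "reverse-proxy": ["INTERNET -> DMZ tcp 443", "DMZ -> LAN tcp 80"],
}
```

Running `reachable_ad_services(parse_rules(CONSTRUCTED_RULESETS[name]))` for each design shows the first one exposes every AD service and thousands of ports, while the IPsec and reverse-proxy designs expose none of them.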
boulware_jasonUser is Offline

Posts:2

09/08/2005 10:57 AM  
Al, Brian and others - thanks!

I wasn't involved in the original plan for setting this extranet up, but
overheard talk about it and didn't like the plans everyone else was making
for my AD infrastructure. So I jumped into the fray after all the decisions
had been made and hardware/software purchased, but better late than never.
Originally, they wanted it set up with the SP server in the DMZ and ports
opened to the LAN to "make it work" talking to SQL and AD. The plan had
them putting extranet users and clients in our internal AD domain and giving
non-technical employees the ability to add/remove clients from an OU. Bad
mojo.
I was able to convince them to allow me to set up the SP server as a DC in a
new forest so as to avoid putting the extranet users in our AD domain. That
was the "easy" part. Another SQL license is definitely not in the budget,
so that was an easy decision. Now, I am going to try to convince them to
move the SP server into the LAN side, close the ports from the DMZ to LAN
and throw ISA server in the DMZ to serve up the extranet clients. I think I
can get them to go for it with some doom and gloom scenarios.
Again, thanks for the suggestions and advice.

--Jason

----- Original Message -----
From: "Brian Desmond"

To:
Sent: Thursday, September 08, 2005 3:14 PM
Subject: RE: [ActiveDir] Which ports to open in the DMZ to communicate with
AD & SQL...

