| Author | Messages | |
bdesmond
Posts:346
 | | 09/08/2005 11:05 AM |
| What kind of load are you looking at putting on this sharepoint server? A
Single server setup as you mentioned is not a very high powered setup...
What are you doing about the SQL? Sharepoint uses integrated auth for
connecting between servers.
Thanks,
Brian Desmond
brian@xxxxxxxxxxxxxxxx
c - 312.731.3132
-----Original Message-----
From: ActiveDir-owner@xxxxxxxxxxxxxxxxxx
[mailto:ActiveDir-owner@xxxxxxxxxxxxxxxxxx] On Behalf Of Jason B
Sent: Thursday, September 08, 2005 6:56 PM
To: ActiveDir@xxxxxxxxxxxxxxxxxx
Subject: Re: [ActiveDir] Which ports to open in the DMZ to communicate with
AD & SQL...
Al, Brian and others - thanks!
I wasn't involved in the original plan for setting this extranet up, but
overheard talk about it and didn't like the plans everyone else was making
for my AD infrastructure. So I jumped into the fray after all the decisions
had been made and hardware/software purchased, but better late than never.
Originally, they wanted it set up with the SP server in the DMZ and ports
opened to the LAN to "make it work" talking to SQL and AD. The plan had
them putting extranet users and clients in our internal AD domain and giving
non-technical employees the ability to add/remove clients from an OU. Bad
mojo.
I was able to convince them to allow me to set up the SP server as a DC in a
new forest so as to avoid putting the extranet users in our AD domain. That
was the "easy" part. Another SQL license is definitely not in the budget,
so that was an easy decision. Now, I am going to try to convince them to
move the SP server into the LAN side, close the ports from the DMZ to LAN
and throw ISA server in the DMZ to serve up the extranet clients. I think I
can get them to go for it with some doom and gloom scenarios.
Again, thanks for the suggestions and advice.
--Jason
----- Original Message -----
From: "Brian Desmond"
To:
Sent: Thursday, September 08, 2005 3:14 PM
Subject: RE: [ActiveDir] Which ports to open in the DMZ to communicate with
AD & SQL...
>I am, perhaps unfortunately, quite familiar with Sharepoint.
>
> Your sharepoint server like any other member server can be a member of one
> domain. If your extranet users are in a domain trusted by the server's
> domain or another domain in the forest, you can just service them with
> multiple portals. You can have up to I think its 50 portals per frontend.
> Of
> course, I don't really recommend having your extranet accounts in your
> corp
> forest...
>
> I used to have my sharepoint environment sitting in a "DMZ" subnet. It was
> hell dealing with the spaghetti mess of ports on the checkpoints. Now we
> have this special subnet that the WAN people call the AD Load Balanced
> subnet. It's a class C that sits on the Cisco CSM and SSM modules in a
> couple of 6509s. The subnet hangs off a PIX FWSM vlan interface, and they
> have all the ports for domain joined machines open from that subnet to the
> DCs. It's actually pretty easy. The Windows folks gave the WAN folks a
> comprehensive list of ports that need to be open for AD, a/v, mgmt, etc,
> and
> they made PIX and Checkpoint rules for that subnet. Now when we need to
> load
> balance anything domain joined, the servers just go in this subnet, they
> setup the CSMs, and then the firewall people just have to add additional
> special rules (like connecting to SQL, for example).
>
>
> Thanks,
> Brian Desmond
> brian@xxxxxxxxxxxxxxxx
>
> c - 312.731.3132
>
>
>
> -----Original Message-----
> From: ActiveDir-owner@xxxxxxxxxxxxxxxxxx
> [mailto:ActiveDir-owner@xxxxxxxxxxxxxxxxxx] On Behalf Of Jason B
> Sent: Thursday, September 08, 2005 4:37 PM
> To: ActiveDir@xxxxxxxxxxxxxxxxxx
> Subject: Re: [ActiveDir] Which ports to open in the DMZ to communicate
> with
> AD & SQL...
>
> This has been a GREAT discussion and I have received a lot of useful info.
> I really appreciate the replies, suggestions, slams and help. I think I
> am
> going to revisit trying to have the sharepoint server moved to the LAN and
> see if I can't convince the powers that be to apportion an ISA license and
> hardware appropriate for running ISA to put on the DMZ. We already have a
> sharepoint server on the LAN... I am not too familiar with sharepoint,
> but
> I wonder if the existing sharepoint server can handle both the internal
> and
> external users... That's a question for another group, I guess.
>
> Anyway, I gathered quite a bit from the posts and discussion, but what are
> the main specific and concrete points that I am going to want to bring up
> to
>
> dissuade them from having the sharepoint server on the DMZ? My expertiese
> isn't in the hardware/networking aspect of configuration, but I know
> enough
> that I am not comfortable opening all the ports for AD auth from the DMZ
> to
> the LAN. Our network admin didn't think that it was a big deal to open
> the
> ports since it was "only on the DMZ" and he could control the traffic that
> was allowed to the DMZ.
>
>
> ----- Original Message -----
> From: "Al Mulnick"
> To:
> Sent: Wednesday, September 07, 2005 5:04 PM
> Subject: RE: [ActiveDir] Which ports to open in the DMZ to communicate
> with
> AD & SQL...
>
>
> Looks like we have plenty of ideas and opinions ;)
>
> ISA is a great way to deal with this, but I believe the decision was made
> to
>
> put the SP machine in the DMZ regardless of the technical merit or
> viability. And whether or not it is a good idea. That said, ISA doesn't
> offer much if you put it AND this machine in a semi-trusted network (for
> whatever that means these days.)
>
> Shame there's no leeway though. The downside to using IPSec is that as
> others have pointed out, it won't work on member server DC for W2K
> servers (limitation of the OS) but will for 2K3 member servers but that
> still leaves you with a secure channel from the DMZ host to your internal
> network. That means you can't monitor the traffic from the DMZ to your
> internal network because it's encrypted (sounds like a broken record, I
> know.)
>
> Too bad you can't sway the decision makers to do this differently. But
> hopefully you've received a lot of ideas to pick from.
>
> Best of luck,
> Al
>
>
>
> ________________________________
>
> From: ActiveDir-owner@xxxxxxxxxxxxxxxxxx on behalf of Bernard, Aric
> Sent: Wed 9/7/2005 7:40 PM
> To: ActiveDir@xxxxxxxxxxxxxxxxxx
> Subject: RE: [ActiveDir] Which ports to open in the DMZ to communicate
> with
> AD & SQL...
>
>
>
> I agree with Phil - I think using an ISA (or other reverse proxy solution)
> is the best way to go given your constraints.
>
>
>
> Using a reverse proxy solution allows you the following:
>
> 1. Keep you Sharepoint server behind the firewall, yet make it accessible
> to
>
> external clients as if it was in the DMZ.
> 2. Restrict your [additional] holes through the firewall to only that
> needed
>
> by the reverse proxy solution to interact with the Sharepoint server (port
> 80).
>
>
>
> BTW - this scenario is becoming extremely common. The next common
> addition
> you will see to this will likely be the use of ADFS to provide an identity
> trust bridge between the internal forest and a partner forest (or other
> identity system).
>
>
>
> Regards,
>
>
>
> Aric Bernard
>
>
>
> ________________________________
>
> From: ActiveDir-owner@xxxxxxxxxxxxxxxxxx
> [mailto:ActiveDir-owner@xxxxxxxxxxxxxxxxxx] On Behalf Of Phil Renouf
> Sent: Wednesday, September 07, 2005 9:20 AM
> To: ActiveDir@xxxxxxxxxxxxxxxxxx
> Subject: Re: [ActiveDir] Which ports to open in the DMZ to communicate
> with
> AD & SQL...
>
>
>
> I would look at putting the Sharepoint server on the internal network and
> deploy an ISA server in the DMZ and use Web Publishing or Server
> Publishing
> to get your external clients access to the site. If you want to open
> access
> from the DMZ to your AD Forest your firewall will be swiss cheese from all
> the ports than need to be open.
>
>
>
> If you absolutely HAVE to then I would prefer to look at using IPSec for
> communication between the Sharepoint box and your DC's. That leaves you
> only
>
> needing the IPSec port open and not the very large number of ports to
> support AD communication.
>
>
>
> http://support.microsoft.com/kb/q179442/
>
>
> Phil
>
>
> On 9/7/05, Jason B wrote:
>
> Because this will be a sharepoint server for clients. Regardless, that
> decision has already been made and I don't have any input into it.
> Any info on the ports I'd need open?
>
> ----- Original Message -----
> From: "ASB"
> To: >
> Sent: Wednesday, September 07, 2005 8:45 AM
> Subject: Re: [ActiveDir] Which ports to open in the DMZ to communicate
> with
> AD & SQL...
>
>
> Why did you decide to put it in the DMZ?
>
> -ASB
>
> On 9/7/05, Jason B wrote:
>> We are putting a MS sharepoint server in the DMZ and need to have it on
>> the
>> domain and communicating with a SQL server on the domain. Because of
>> these
>> needs, we only want to open the minimum number of ports to get
>> functionality. We have LDAP (389) opened and SQL (1433) opened. What
>> other
>> ports will we need to open to be able to log in on the sharepoint server
>> with a domain account? Currently, with only these two ports opened, a
>> domain account can't log on to the sharepoint server in the DMZ.
> List info : http://www.activedir.org/List.aspx
> List FAQ : http://www.activedir.org/ListFAQ.aspx
> List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
> List info : http://www.activedir.org/List.aspx
> List FAQ : http://www.activedir.org/ListFAQ.aspx
> List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
>
>
>
> List info : http://www.activedir.org/List.aspx
> List FAQ : http://www.activedir.org/ListFAQ.aspx
> List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
>
> List info : http://www.activedir.org/List.aspx
> List FAQ : http://www.activedir.org/ListFAQ.aspx
> List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
>
List info : http://www.activedir.org/List.aspx
List FAQ : http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
List info : http://www.activedir.org/List.aspx
List FAQ : http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ | | | |
| boulware_jason
Posts:2
| | 09/08/2005 11:41 AM |
| The SP server is a dual proc Xeon 3GHz w/4GB
RAM. That should be able to handle FAR more load than we - er, they
- plan to have on it.
For SQL, we'll have to create a trust for
now. While it would be better to have another SQL server in the new domain
and just replicate/silo the DB's between the SQL servers, the cost for another
SQL license will be too much to bear at this point. I fear that I am going
to have to make do with what we have in regards to hardware and software for
now, but I am hoping to be able to squeak out that ISA server.
----- Original Message -----
From: "Brian Desmond" brian@xxxxxxxxxxxxxxxx>
To: ActiveDir@xxxxxxxxxxxxxxxxxx>
Sent: Thursday, September 08, 2005 4:04
PM
Subject: RE: [ActiveDir] Which ports to open in the
DMZ to communicate with AD & SQL...
> What kind of load are you looking at putting on this sharepoint
server? A> Single server setup as you mentioned is not a very high
powered setup...> > What are you doing about the SQL? Sharepoint
uses integrated auth for> connecting between servers. > >
Thanks,> Brian Desmond> brian@xxxxxxxxxxxxxxxx> > c - 312.731.3132> > >
> -----Original Message-----> From: ActiveDir-owner@xxxxxxxxxxxxxxxxxx> [mailto:ActiveDir-owner@xxxxxxxxxxxxxxxxxx] On Behalf Of Jason
B> Sent: Thursday, September 08, 2005 6:56 PM> To: ActiveDir@xxxxxxxxxxxxxxxxxx>
Subject: Re: [ActiveDir] Which ports to open in the DMZ to communicate
with> AD & SQL...> > Al, Brian and others -
thanks!> > I wasn't involved in the original plan for setting this
extranet up, but > overheard talk about it and didn't like the plans
everyone else was making > for my AD infrastructure. So I jumped
into the fray after all the decisions> > had been made and
hardware/software purchased, but better late than never. > Originally,
they wanted it set up with the SP server in the DMZ and ports > opened to
the LAN to "make it work" talking to SQL and AD. The plan had >
them putting extranet users and clients in our internal AD domain and
giving> > non-technical employees the ability to add/remove
clients from an OU. Bad > mojo.> > I was able to
convince them to allow me to set up the SP server as a DC in a> >
new forest so as to avoid putting the extranet users in our AD domain.
That> > was the "easy" part. Another SQL license is
definitely not in the budget, > so that was an easy decision. Now,
I am going to try to convince them to > move the SP server into the LAN
side, close the ports from the DMZ to LAN > and throw ISA server in the
DMZ to serve up the extranet clients. I think I> > can get
them to go for it with some doom and gloom scenarios.> > Again,
thanks for the suggestions and advice.> > --Jason> >
----- Original Message ----- > From: "Brian Desmond" brian@xxxxxxxxxxxxxxxx>> To:
ActiveDir@xxxxxxxxxxxxxxxxxx>> Sent: Thursday, September 08, 2005 3:14 PM> Subject:
RE: [ActiveDir] Which ports to open in the DMZ to communicate with > AD
& SQL...> > >>I am, perhaps unfortunately, quite
familiar with Sharepoint.>>>> Your sharepoint server like
any other member server can be a member of one>> domain. If your
extranet users are in a domain trusted by the server's>> domain or
another domain in the forest, you can just service them with>>
multiple portals. You can have up to I think its 50 portals per frontend.
>> Of>> course, I don't really recommend having your
extranet accounts in your >> corp>>
forest...>>>> I used to have my sharepoint environment
sitting in a "DMZ" subnet. It was>> hell dealing with the spaghetti
mess of ports on the checkpoints. Now we>> have this special subnet
that the WAN people call the AD Load Balanced>> subnet. It's a class C
that sits on the Cisco CSM and SSM modules in a>> couple of 6509s. The
subnet hangs off a PIX FWSM vlan interface, and they>> have all the
ports for domain joined machines open from that subnet to the>> DCs.
It's actually pretty easy. The Windows folks gave the WAN folks a>>
comprehensive list of ports that need to be open for AD, a/v, mgmt, etc,
>> and>> they made PIX and Checkpoint rules for that subnet.
Now when we need to >> load>> balance anything domain
joined, the servers just go in this subnet, they>> setup the CSMs, and
then the firewall people just have to add additional>> special rules
(like connecting to SQL, for example).>>>>>>
Thanks,>> Brian Desmond>> brian@xxxxxxxxxxxxxxxx>>>> c -
312.731.3132>>>>>>>> -----Original
Message----->> From: ActiveDir-owner@xxxxxxxxxxxxxxxxxx>> [mailto:ActiveDir-owner@xxxxxxxxxxxxxxxxxx] On Behalf Of Jason
B>> Sent: Thursday, September 08, 2005 4:37 PM>> To:
ActiveDir@xxxxxxxxxxxxxxxxxx>> Subject: Re: [ActiveDir] Which ports to open in the DMZ to
communicate >> with>> AD &
SQL...>>>> This has been a GREAT discussion and I have
received a lot of useful info.>> I really appreciate the replies,
suggestions, slams and help. I think I >> am>> going
to revisit trying to have the sharepoint server moved to the LAN and>>
see if I can't convince the powers that be to apportion an ISA license
and>> hardware appropriate for running ISA to put on the DMZ. We
already have a>> sharepoint server on the LAN... I am not too
familiar with sharepoint, >> but>> I wonder if the existing
sharepoint server can handle both the internal >> and>>
external users... That's a question for another group, I
guess.>>>> Anyway, I gathered quite a bit from the posts and
discussion, but what are>> the main specific and concrete points that
I am going to want to bring up >> to>>>> dissuade
them from having the sharepoint server on the DMZ? My
expertiese>> isn't in the hardware/networking aspect of configuration,
but I know >> enough>> that I am not comfortable opening all
the ports for AD auth from the DMZ >> to>> the LAN.
Our network admin didn't think that it was a big deal to open >>
the>> ports since it was "only on the DMZ" and he could control the
traffic that>> was allowed to the
DMZ.>>>>>> ----- Original Message -----
>> From: "Al Mulnick" Alm@xxxxxxxxxxxxxxx>>>
To: ActiveDir@xxxxxxxxxxxxxxxxxx>>> Sent: Wednesday, September 07, 2005 5:04 PM>>
Subject: RE: [ActiveDir] Which ports to open in the DMZ to communicate
>> with>> AD &
SQL...>>>>>> Looks like we have plenty of ideas
and opinions ;)>>>> ISA is a great way to deal with this,
but I believe the decision was made >> to>>>> put
the SP machine in the DMZ regardless of the technical merit or>>
viability. And whether or not it is a good idea. That said, ISA
doesn't>> offer much if you put it AND this machine in a semi-trusted
network (for>> whatever that means these
days.)>>>> Shame there's no leeway though. The
downside to using IPSec is that as>> others have pointed out, it won't
work on member server DC for W2K>> servers (limitation of the
OS) but will for 2K3 member servers but that>> still leaves you with a
secure channel from the DMZ host to your internal>> network.
That means you can't monitor the traffic from the DMZ to your>>
internal network because it's encrypted (sounds like a broken record,
I>> know.)>>>> Too bad you can't sway the decision
makers to do this differently. But>> hopefully you've received a lot
of ideas to pick from.>>>> Best of luck,>>
Al>>>>>>>>
________________________________>>>> From: ActiveDir-owner@xxxxxxxxxxxxxxxxxx on
behalf of Bernard, Aric>> Sent: Wed 9/7/2005 7:40 PM>> To:
ActiveDir@xxxxxxxxxxxxxxxxxx>> Subject: RE: [ActiveDir] Which ports to open in the DMZ to
communicate >> with>> AD &
SQL...>>>>>>>> I agree with Phil - I
think using an ISA (or other reverse proxy solution)>> is the best way
to go given your constraints.>>>>>>>>
Using a reverse proxy solution allows you the following:>>>>
1. Keep you Sharepoint server behind the firewall, yet make it accessible
>> to>>>> external clients as if it was in the
DMZ.>> 2. Restrict your [additional] holes through the firewall to
only that >> needed>>>> by the reverse proxy
solution to interact with the Sharepoint server (port>>
80).>>>>>>>> BTW - this scenario is
becoming extremely common. The next common >>
addition>> you will see to this will likely be the use of ADFS to
provide an identity>> trust bridge between the internal forest and a
partner forest (or other>> identity
system).>>>>>>>>
Regards,>>>>>>>> Aric
Bernard>>>>>>>>
________________________________>>>> From: ActiveDir-owner@xxxxxxxxxxxxxxxxxx>> [mailto:ActiveDir-owner@xxxxxxxxxxxxxxxxxx] On Behalf Of Phil
Renouf>> Sent: Wednesday, September 07, 2005 9:20 AM>> To:
ActiveDir@xxxxxxxxxxxxxxxxxx>> Subject: Re: [ActiveDir] Which ports to open in the DMZ to
communicate >> with>> AD &
SQL...>>>>>>>> I would look at putting
the Sharepoint server on the internal network and>> deploy an ISA
server in the DMZ and use Web Publishing or Server >>
Publishing>> to get your external clients access to the site. If you
want to open >> access>> from the DMZ to your AD Forest your
firewall will be swiss cheese from all>> the ports than need to be
open.>>>>>>>> If you absolutely HAVE to
then I would prefer to look at using IPSec for>> communication between
the Sharepoint box and your DC's. That leaves you >>
only>>>> needing the IPSec port open and not the very large
number of ports to>> support AD
communication.>>>>>>>> http://support.microsoft.com/kb/q179442/>>>>>> Phil>>>>>>
On 9/7/05, Jason B boulware_jason@xxxxxxxxxxx> wrote:>>>> Because this will be a sharepoint
server for clients. Regardless, that>> decision has already been
made and I don't have any input into it.>> Any info on the ports I'd
need open?>>>> ----- Original Message ----->>
From: "ASB" abaker@xxxxxxxxx>>> To:
ActiveDir@xxxxxxxxxxxxxxxxxx
mailto:ActiveDir@xxxxxxxxxxxxxxxxxx> >>> Sent: Wednesday, September 07, 2005 8:45
AM>> Subject: Re: [ActiveDir] Which ports to open in the DMZ to
communicate >> with>> AD &
SQL...>>>>>> Why did you decide to put it in the
DMZ?>>>> -ASB>>>> On 9/7/05, Jason B
boulware_jason@xxxxxxxxxxx>
wrote:>>> We are putting a MS sharepoint server in the DMZ and need
to have it on>>> the>>> domain and communicating with
a SQL server on the domain. Because of>>>
these>>> needs, we only want to open the minimum number of ports to
get>>> functionality. We have LDAP (389) opened and SQL
(1433) opened. What>>> other>>> ports will we
need to open to be able to log in on the sharepoint server>>> with
a domain account? Currently, with only these two ports opened,
a>>> domain account can't log on to the sharepoint server in the
DMZ.>> List info : http://www.activedir.org/List.aspx>> List FAQ : http://www.activedir.org/ListFAQ.aspx>> List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/>> List info : http://www.activedir.org/List.aspx>> List FAQ : http://www.activedir.org/ListFAQ.aspx>> List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/>>>>>>>> List
info : http://www.activedir.org/List.aspx>> List FAQ : http://www.activedir.org/ListFAQ.aspx>> List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/>>>> List info : http://www.activedir.org/List.aspx>> List FAQ : http://www.activedir.org/ListFAQ.aspx>> List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/>> > List info : http://www.activedir.org/List.aspx> List FAQ : http://www.activedir.org/ListFAQ.aspx> List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/> > List info : http://www.activedir.org/List.aspx> List FAQ : http://www.activedir.org/ListFAQ.aspx> List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/> | | | |
| bdesmond
Posts:346
| | 09/08/2005 11:52 AM |
| That should suffice for a good while for hardware.
Thanks,
Brian
Desmond
brian@xxxxxxxxxxxxxxxx
c -
312.731.3132
From:
ActiveDir-owner@xxxxxxxxxxxxxxxxxx [mailto:ActiveDir-owner@xxxxxxxxxxxxxxxxxx] On Behalf Of Jason B
Sent: Thursday, September 08, 2005
7:35 PM
To: ActiveDir@xxxxxxxxxxxxxxxxxx
Subject: Re: [ActiveDir] Which
ports to open in the DMZ to communicate with AD & SQL...
The SP server is a dual proc Xeon 3GHz w/4GB RAM. That
should be able to handle FAR more load than we - er, they - plan to
have on it.
For SQL, we'll have to create a trust for now. While
it would be better to have another SQL server in the new domain and just
replicate/silo the DB's between the SQL servers, the cost for another SQL
license will be too much to bear at this point. I fear that I am going to
have to make do with what we have in regards to hardware and software for now,
but I am hoping to be able to squeak out that ISA server.
----- Original Message -----
From: "Brian Desmond" brian@xxxxxxxxxxxxxxxx>
To: ActiveDir@xxxxxxxxxxxxxxxxxx>
Sent: Thursday, September 08, 2005 4:04 PM
Subject: RE: [ActiveDir] Which ports to open in the DMZ to
communicate with AD & SQL...
> What kind of load are you looking at putting on this
sharepoint server? A
> Single server setup as you mentioned is not a very high powered setup...
>
> What are you doing about the SQL? Sharepoint uses integrated auth for
> connecting between servers.
>
> Thanks,
> Brian Desmond
> brian@xxxxxxxxxxxxxxxx
>
> c - 312.731.3132
>
>
>
> -----Original Message-----
> From: ActiveDir-owner@xxxxxxxxxxxxxxxxxx
>
[mailto:ActiveDir-owner@xxxxxxxxxxxxxxxxxx] On Behalf Of Jason B
> Sent: Thursday, September 08, 2005 6:56 PM
> To: ActiveDir@xxxxxxxxxxxxxxxxxx
>
Subject: Re: [ActiveDir] Which ports to open in the DMZ to communicate with
> AD & SQL...
>
> Al, Brian and others - thanks!
>
> I wasn't involved in the original plan for setting this extranet up, but
> overheard talk about it and didn't like the plans everyone else was making
> for my AD infrastructure. So I jumped into the fray after all the
decisions
>
> had been made and hardware/software purchased, but better late than never.
> Originally, they wanted it set up with the SP server in the DMZ and ports
> opened to the LAN to "make it work" talking to SQL and AD.
The plan had
> them putting extranet users and clients in our internal AD domain and
giving
>
> non-technical employees the ability to add/remove clients from an
OU. Bad
> mojo.
>
> I was able to convince them to allow me to set up the SP server as a DC in
a
>
> new forest so as to avoid putting the extranet users in our AD
domain. That
>
> was the "easy" part. Another SQL license is definitely not
in the budget,
> so that was an easy decision. Now, I am going to try to convince
them to
> move the SP server into the LAN side, close the ports from the DMZ to LAN
> and throw ISA server in the DMZ to serve up the extranet clients. I
think I
>
> can get them to go for it with some doom and gloom scenarios.
>
> Again, thanks for the suggestions and advice.
>
> --Jason
>
> ----- Original Message -----
> From: "Brian Desmond" brian@xxxxxxxxxxxxxxxx>
> To: ActiveDir@xxxxxxxxxxxxxxxxxx>
> Sent: Thursday, September 08, 2005 3:14 PM
> Subject: RE: [ActiveDir] Which ports to open in the DMZ to communicate
with
> AD & SQL...
>
>
>>I am, perhaps unfortunately, quite familiar with Sharepoint.
>>
>> Your sharepoint server like any other member server can be a member of
one
>> domain. If your extranet users are in a domain trusted by the server's
>> domain or another domain in the forest, you can just service them with
>> multiple portals. You can have up to I think its 50 portals per
frontend.
>> Of
>> course, I don't really recommend having your extranet accounts in your
>> corp
>> forest...
>>
>> I used to have my sharepoint environment sitting in a "DMZ"
subnet. It was
>> hell dealing with the spaghetti mess of ports on the checkpoints. Now
we
>> have this special subnet that the WAN people call the AD Load Balanced
>> subnet. It's a class C that sits on the Cisco CSM and SSM modules in a
>> couple of 6509s. The subnet hangs off a PIX FWSM vlan interface, and
they
>> have all the ports for domain joined machines open from that subnet to
the
>> DCs. It's actually pretty easy. The Windows folks gave the WAN folks a
>> comprehensive list of ports that need to be open for AD, a/v, mgmt,
etc,
>> and
>> they made PIX and Checkpoint rules for that subnet. Now when we need
to
>> load
>> balance anything domain joined, the servers just go in this subnet,
they
>> setup the CSMs, and then the firewall people just have to add
additional
>> special rules (like connecting to SQL, for example).
>>
>>
>> Thanks,
>> Brian Desmond
>> brian@xxxxxxxxxxxxxxxx
>>
>> c - 312.731.3132
>>
>>
>>
>> -----Original Message-----
>> From: ActiveDir-owner@xxxxxxxxxxxxxxxxxx
>>
[mailto:ActiveDir-owner@xxxxxxxxxxxxxxxxxx] On Behalf Of Jason B
>> Sent: Thursday, September 08, 2005 4:37 PM
>> To: ActiveDir@xxxxxxxxxxxxxxxxxx
>>
Subject: Re: [ActiveDir] Which ports to open in the DMZ to communicate
>> with
>> AD & SQL...
>>
>> This has been a GREAT discussion and I have received a lot of useful
info.
>> I really appreciate the replies, suggestions, slams and help. I
think I
>> am
>> going to revisit trying to have the sharepoint server moved to the LAN
and
>> see if I can't convince the powers that be to apportion an ISA license
and
>> hardware appropriate for running ISA to put on the DMZ. We
already have a
>> sharepoint server on the LAN... I am not too familiar with
sharepoint,
>> but
>> I wonder if the existing sharepoint server can handle both the
internal
>> and
>> external users... That's a question for another group, I guess.
>>
>> Anyway, I gathered quite a bit from the posts and discussion, but what
are
>> the main specific and concrete points that I am going to want to bring
up
>> to
>>
>> dissuade them from having the sharepoint server on the DMZ? My
expertiese
>> isn't in the hardware/networking aspect of configuration, but I know
>> enough
>> that I am not comfortable opening all the ports for AD auth from the
DMZ
>> to
>> the LAN. Our network admin didn't think that it was a big deal
to open
>> the
>> ports since it was "only on the DMZ" and he could control
the traffic that
>> was allowed to the DMZ.
>>
>>
>> ----- Original Message -----
>> From: "Al Mulnick" Alm@xxxxxxxxxxxxxxx>
>> To: ActiveDir@xxxxxxxxxxxxxxxxxx>
>> Sent: Wednesday, September 07, 2005 5:04 PM
>> Subject: RE: [ActiveDir] Which ports to open in the DMZ to communicate
>> with
>> AD & SQL...
>>
>>
>> Looks like we have plenty of ideas and opinions ;)
>>
>> ISA is a great way to deal with this, but I believe the decision was
made
>> to
>>
>> put the SP machine in the DMZ regardless of the technical merit or
>> viability. And whether or not it is a good idea. That said, ISA
doesn't
>> offer much if you put it AND this machine in a semi-trusted network
(for
>> whatever that means these days.)
>>
>> Shame there's no leeway though. The downside to using IPSec is
that as
>> others have pointed out, it won't work on member server DC
for W2K
>> servers (limitation of the OS) but will for 2K3 member servers but
that
>> still leaves you with a secure channel from the DMZ host to your
internal
>> network. That means you can't monitor the traffic from the DMZ to
your
>> internal network because it's encrypted (sounds like a broken record,
I
>> know.)
>>
>> Too bad you can't sway the decision makers to do this differently. But
>> hopefully you've received a lot of ideas to pick from.
>>
>> Best of luck,
>> Al
>>
>>
>>
>> ________________________________
>>
>> From: ActiveDir-owner@xxxxxxxxxxxxxxxxxx on behalf
of Bernard, Aric
>> Sent: Wed 9/7/2005 7:40 PM
>> To: ActiveDir@xxxxxxxxxxxxxxxxxx
>>
Subject: RE: [ActiveDir] Which ports to open in the DMZ to communicate
>> with
>> AD & SQL...
>>
>>
>>
>> I agree with Phil - I think using an ISA (or other reverse proxy solution)
>> is the best way to go given your constraints.
>>
>>
>>
>> Using a reverse proxy solution allows you the following:
>>
>> 1. Keep you Sharepoint server behind the firewall, yet make it
accessible
>> to
>>
>> external clients as if it was in the DMZ.
>> 2. Restrict your [additional] holes through the firewall to only that
>> needed
>>
>> by the reverse proxy solution to interact with the Sharepoint server
(port
>> 80).
>>
>>
>>
>> BTW - this scenario is becoming extremely common. The next common
>> addition
>> you will see to this will likely be the use of ADFS to provide an
identity
>> trust bridge between the internal forest and a partner forest (or
other
>> identity system).
>>
>>
>>
>> Regards,
>>
>>
>>
>> Aric Bernard
>>
>>
>>
>> ________________________________
>>
>> From: ActiveDir-owner@xxxxxxxxxxxxxxxxxx
>>
[mailto:ActiveDir-owner@xxxxxxxxxxxxxxxxxx] On Behalf Of Phil Renouf
>> Sent: Wednesday, September 07, 2005 9:20 AM
>> To: ActiveDir@xxxxxxxxxxxxxxxxxx
>>
Subject: Re: [ActiveDir] Which ports to open in the DMZ to communicate
>> with
>> AD & SQL...
>>
>>
>>
>> I would look at putting the Sharepoint server on the internal network
and
>> deploy an ISA server in the DMZ and use Web Publishing or Server
>> Publishing
>> to get your external clients access to the site. If you want to open
>> access
>> from the DMZ to your AD Forest your
firewall will be swiss cheese from all
>> the ports than need to be open.
>>
>>
>>
>> If you absolutely HAVE to then I would prefer to look at using IPSec
for
>> communication between the Sharepoint box and your DC's. That leaves
you
>> only
>>
>> needing the IPSec port open and not the very large number of ports to
>> support AD communication.
>>
>>
>>
>> http://support.microsoft.com/kb/q179442/
>>
>>
>> Phil
>>
>>
>> On 9/7/05, Jason B boulware_jason@xxxxxxxxxxx> wrote:
>>
>> Because this will be a sharepoint server for clients.
Regardless, that
>> decision has already been made and I don't have any input into it.
>> Any info on the ports I'd need open?
>>
>> ----- Original Message -----
>> From: "ASB" abaker@xxxxxxxxx>
>> To: ActiveDir@xxxxxxxxxxxxxxxxxx mailto:ActiveDir@xxxxxxxxxxxxxxxxxx> >
>> Sent: Wednesday, September 07, 2005 8:45 AM
>> Subject: Re: [ActiveDir] Which ports to open in the DMZ to communicate
>> with
>> AD & SQL...
>>
>>
>> Why did you decide to put it in the DMZ?
>>
>> -ASB
>>
>> On 9/7/05, Jason B boulware_jason@xxxxxxxxxxx> wrote:
>>> We are putting a MS sharepoint server in the DMZ and need to have
it on
>>> the
>>> domain and communicating with a SQL server on the domain.
Because of
>>> these
>>> needs, we only want to open the minimum number of ports to get
>>> functionality. We have LDAP (389) opened and SQL (1433)
opened. What
>>> other
>>> ports will we need to open to be able to log in on the sharepoint
server
>>> with a domain account? Currently, with only these two ports
opened, a
>>> domain account can't log on to the sharepoint server in the DMZ.
>> List info : http://www.activedir.org/List.aspx
>>
List FAQ : http://www.activedir.org/ListFAQ.aspx
>>
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
>>
List info : http://www.activedir.org/List.aspx
>>
List FAQ : http://www.activedir.org/ListFAQ.aspx
>>
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
>>
>>
>>
>> List info : http://www.activedir.org/List.aspx
>>
List FAQ : http://www.activedir.org/ListFAQ.aspx
>>
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
>>
>> List info : http://www.activedir.org/List.aspx
>>
List FAQ : http://www.activedir.org/ListFAQ.aspx
>>
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
>>
> List info : http://www.activedir.org/List.aspx
>
List FAQ : http://www.activedir.org/ListFAQ.aspx
>
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
>
> List info : http://www.activedir.org/List.aspx
>
List FAQ : http://www.activedir.org/ListFAQ.aspx
>
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
> | | | |
| Alm@xxxx.yyy
| | 09/08/2005 12:07 PM |
| ________________________________
From: ActiveDir-owner@xxxxxxxxxxxxxxxxxx on behalf of Bernard, Aric
Sent: Wed 9/7/2005 7:40 PM
To: ActiveDir@xxxxxxxxxxxxxxxxxx
Subject: RE: [ActiveDir] Which ports to open in the DMZ to communicate with AD & SQL...
I agree with Phil - I think using an ISA (or other reverse proxy solution) is the best way to go given your constraints.
Using a reverse proxy solution allows you the following:
1. Keep you Sharepoint server behind the firewall, yet make it accessible to external clients as if it was in the DMZ.
2. Restrict your [additional] holes through the firewall to only that needed by the reverse proxy solution to interact with the Sharepoint server (port 80).
BTW - this scenario is becoming extremely common. The next common addition you will see to this will likely be the use of ADFS to provide an identity trust bridge between the internal forest and a partner forest (or other identity system).
Regards,
Aric Bernard
________________________________
From: ActiveDir-owner@xxxxxxxxxxxxxxxxxx [mailto:ActiveDir-owner@xxxxxxxxxxxxxxxxxx] On Behalf Of Phil Renouf
Sent: Wednesday, September 07, 2005 9:20 AM
To: ActiveDir@xxxxxxxxxxxxxxxxxx
Subject: Re: [ActiveDir] Which ports to open in the DMZ to communicate with AD & SQL...
I would look at putting the Sharepoint server on the internal network and deploy an ISA server in the DMZ and use Web Publishing or Server Publishing to get your external clients access to the site. If you want to open access from the DMZ to your AD Forest your firewall will be swiss cheese from all the ports than need to be open.
If you absolutely HAVE to then I would prefer to look at using IPSec for communication between the Sharepoint box and your DC's. That leaves you only needing the IPSec port open and not the very large number of ports to support AD communication.
http://support.microsoft.com/kb/q179442/
Phil
On 9/7/05, Jason B wrote:
Because this will be a sharepoint server for clients. Regardless, that
decision has already been made and I don't have any input into it.
Any info on the ports I'd need open?
----- Original Message -----
From: "ASB"
To: >
Sent: Wednesday, September 07, 2005 8:45 AM
Subject: Re: [ActiveDir] Which ports to open in the DMZ to communicate with
AD & SQL...
Why did you decide to put it in the DMZ?
-ASB
On 9/7/05, Jason B wrote:
> We are putting a MS sharepoint server in the DMZ and need to have it on
> the
> domain and communicating with a SQL server on the domain. Because of
> these
> needs, we only want to open the minimum number of ports to get
> functionality. We have LDAP (389) opened and SQL (1433) opened. What
> other
> ports will we need to open to be able to log in on the sharepoint server
> with a domain account? Currently, with only these two ports opened, a
> domain account can't log on to the sharepoint server in the DMZ.
List info : http://www.activedir.org/List.aspx
List FAQ : http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
List info : http://www.activedir.org/List.aspx
List FAQ : http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
> | | | |
| TonyTest
Posts:0
| | 09/08/2005 12:25 PM |
| Hi Phil
Here's the text I was referring to:
Currently, we do not support using IPSec to encrypt network traffic from
a domain member server to a domain controller when you apply the IPSec policies
by using Group Policy or when you use the Kerberos authentication method.
The goal with IPSec is to encrypt the traffic between the
two sides and with the scenario described below you would need Kerberos
authentication. Or have I missed something?
Tony
From: ActiveDir-owner@xxxxxxxxxxxxxxxxxx
[mailto:ActiveDir-owner@xxxxxxxxxxxxxxxxxx] On Behalf Of Phil
RenoufSent: Thursday, 8 September 2005 11:02 a.m.To:
ActiveDir@xxxxxxxxxxxxxxxxxxSubject: Re: [ActiveDir] Which ports to
open in the DMZ to communicate with AD & SQL...
Did I miss something in that article? I don't see where it says client >
DC via IPSec is not supported; just that you can't encrypt Kerberos
traffic.
Phil
On 9/7/05, Tony
Murray Tony.Murray@xxxxxxxxxxx>
wrote:
> If you absolutely HAVE to then I
would prefer to look at using IPSec for communication between the Sharepoint
box and your DC's
IPSec
would be good, but it isn't supported between member servers and
DCs.
http://support.microsoft.com/default.aspx?scid=kb;en-us;Q254949
Tony
From: ActiveDir-owner@xxxxxxxxxxxxxxxxxx [mailto:
ActiveDir-owner@xxxxxxxxxxxxxxxxxx] On Behalf Of Phil
RenoufSent: Thursday, 8 September 2005 4:20 a.m.To: ActiveDir@xxxxxxxxxxxxxxxxxxSubject: Re: [ActiveDir] Which ports to open in the DMZ to
communicate with AD & SQL...
I would look at putting the Sharepoint server on the internal network and
deploy an ISA server in the DMZ and use Web Publishing or Server Publishing to
get your external clients access to the site. If you want to open access from
the DMZ to your AD Forest your firewall will be swiss cheese from all the
ports than need to be open.
If you absolutely HAVE to then I would prefer to look at using IPSec for
communication between the Sharepoint box and your DC's. That leaves you only
needing the IPSec port open and not the very large number of ports to support
AD communication.
http://support.microsoft.com/kb/q179442/
Phil
On 9/7/05, Jason B
boulware_jason@xxxxxxxxxxx > wrote:
Because
this will be a sharepoint server for clients. Regardless,
thatdecision has already been made and I don't have any input into it.
Any info on the ports I'd need open?----- Original Message
-----From: "ASB" abaker@xxxxxxxxx
>To:
ActiveDir@xxxxxxxxxxxxxxxxxx>Sent: Wednesday, September 07, 2005
8:45 AM Subject: Re: [ActiveDir] Which ports to open in the DMZ to
communicate withAD & SQL...Why did you decide to put it
in the DMZ? -ASBOn 9/7/05, Jason B
boulware_jason@xxxxxxxxxxx> wrote:> We are putting a MS
sharepoint server in the DMZ and need to have it on> the>
domain and communicating with a SQL server on the domain. Because
of> these > needs, we only want to open the minimum number of
ports to get> functionality. We have LDAP (389) opened and
SQL (1433) opened. What > other> ports will we need
to open to be able to log in on the sharepoint server > with a domain
account? Currently, with only these two ports opened, a>
domain account can't log on to the sharepoint server in the DMZ. List
info : http://www.activedir.org/List.aspxList
FAQ : http://www.activedir.org/ListFAQ.aspxList archive: http://www.mail-archive.com/activedir%40mail.activedir.org/List
info : http://www.activedir.org/List.aspx List
FAQ : http://www.activedir.org/ListFAQ.aspxList archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
This e-mail message has been scanned for Viruses and Content and cleared by
NetIQ MailMarshal at Gen-i Limited
This e-mail message has been scanned for Viruses and Content and cleared by
NetIQ MailMarshal at Gen-i Limited | | | |
| aricbernard
Posts:2
| | 09/08/2005 12:29 PM |
| I should make sure I was clear “ in no
way did I encourage the placement of ISA AND the SharePoint server onto the
semi-trusted (DMZ) network. Again to clarify, the ISA server often (but not
always) resides in the semi-trusted network while the SharePoint server should
always reside on a fully-trusted network. The key benefit here is that
the only required configuration through the firewall to the internal network is
the web ports (i.e. 80, 443) necessary to allow proper communication between
the ISA server and the SharePoint server. If the ISA server were
compromised, however unlikely, the only path through the firewall to the
internal network would be via the web ports to the SharePoint server.
Another problem with the IPSec solution is
that if your SharePoint server in the DMZ is compromised (it is running IIS ;-)
the IPSec path it has through to the internal network will be compromised as
well. Of course this will then allow a potential hacker to ride the IPSec
tunnel straight to all of the systems/ports (i.e. 88, 123, 389, 3268, 3269, and
[god forbid] 135 and 445) you have configured the SharePoint server to
communicate with on the internal LAN. BTW I think you can configure IPSec
to work between clients/member servers and DCs so long as the correct
exceptions are in place or as long as you use certificates (which would be the best
approach if using it in the DMZ).
BTW, Jason, never say never. With
enough good arguments and still meeting the stated requirements you can
certainly change people™s opinions¦
Aric
From:
ActiveDir-owner@xxxxxxxxxxxxxxxxxx [mailto:ActiveDir-owner@xxxxxxxxxxxxxxxxxx] On Behalf Of Al Mulnick
Sent: Wednesday, September 07,
2005 5:05 PM
To: ActiveDir@xxxxxxxxxxxxxxxxxx
Subject: RE: [ActiveDir] Which
ports to open in the DMZ to communicate with AD & SQL...
Looks like we have plenty of ideas and
opinions ;)
ISA is a great way to deal with this, but I believe the
decision was made to put the SP machine in the DMZ regardless of the technical
merit or viability. And whether or not it is a good idea. That said, ISA
doesn't offer much if you put it AND this machine in a semi-trusted network
(for whatever that means these days.)
Shame there's no leeway though. The downside to using
IPSec is that as others have pointed out, it won't work on member server
DC for W2K servers (limitation of the OS) but will for 2K3 member
servers but that still leaves you with a secure channel from the DMZ host to
your internal network. That means you can't monitor the traffic from the
DMZ to your internal network because it's encrypted (sounds like a broken
record, I know.)
Too bad you can't sway the decision makers to do this
differently. But hopefully you've received a lot of ideas to pick from.
Best of luck,
Al
From:
ActiveDir-owner@xxxxxxxxxxxxxxxxxx on behalf of Bernard, Aric
Sent: Wed 9/7/2005 7:40 PM
To: ActiveDir@xxxxxxxxxxxxxxxxxx
Subject: RE: [ActiveDir] Which
ports to open in the DMZ to communicate with AD & SQL...
I agree with Phil “ I think using an
ISA (or other reverse proxy solution) is the best way to go given your
constraints.
Using a reverse proxy solution allows you
the following:
Keep
you Sharepoint server behind the firewall, yet make it accessible to
external clients as if it was in the DMZ.
Restrict
your [additional] holes through the firewall to only that needed by the
reverse proxy solution to interact with the Sharepoint server (port 80).
BTW - this scenario is becoming extremely
common. The next common addition you will see to this will likely be the
use of ADFS to provide an identity trust bridge between the internal forest and
a partner forest (or other identity system).
Regards,
Aric Bernard
From:
ActiveDir-owner@xxxxxxxxxxxxxxxxxx [mailto:ActiveDir-owner@xxxxxxxxxxxxxxxxxx] On Behalf Of Phil Renouf
Sent: Wednesday, September 07,
2005 9:20 AM
To: ActiveDir@xxxxxxxxxxxxxxxxxx
Subject: Re: [ActiveDir] Which
ports to open in the DMZ to communicate with AD & SQL...
I would look at putting the Sharepoint server on the internal network
and deploy an ISA server in the DMZ and use Web Publishing or Server Publishing
to get your external clients access to the site. If you want to open access
from the DMZ to your AD Forest your firewall
will be swiss cheese from all the ports than need to be open.
If you absolutely HAVE to then I would prefer to look at using IPSec
for communication between the Sharepoint box and your DC's. That leaves you
only needing the IPSec port open and not the very large number of ports to
support AD communication.
http://support.microsoft.com/kb/q179442/
Phil
On 9/7/05, Jason B
wrote:
Because this will be a sharepoint server for
clients. Regardless, that
decision has already been made and I don't have any input into it.
Any info on the ports I'd need open?
----- Original Message -----
From: "ASB"
To:
Sent: Wednesday, September 07, 2005 8:45 AM
Subject: Re: [ActiveDir] Which ports to open in the DMZ to communicate with
AD & SQL...
Why did you decide to put it in the DMZ?
-ASB
On 9/7/05, Jason B
wrote:
> We are putting a MS sharepoint server in the DMZ and need to have it on
> the
> domain and communicating with a SQL server on the
domain. Because of
> these
> needs, we only want to open the minimum number of ports to get
> functionality. We have LDAP (389) opened and SQL (1433)
opened. What
> other
> ports will we need to open to be able to log in on the sharepoint server
> with a domain account? Currently, with only these two ports
opened, a
> domain account can't log on to the sharepoint server in the DMZ.
List info : http://www.activedir.org/List.aspx
List FAQ : http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
List info : http://www.activedir.org/List.aspx
List FAQ : http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ | | | |
| aricbernard
Posts:2
| | 09/08/2005 12:36 PM |
| The quote relates to when you are using Kerberos
as the method to setup the secure connection (ISAKMP). If you use certificated
then IPSec can be used end-to-end between clients/member servers and DCs.
Aric
From: ActiveDir-owner@xxxxxxxxxxxxxxxxxx
[mailto:ActiveDir-owner@xxxxxxxxxxxxxxxxxx] On
Behalf Of Tony Murray
Sent: Wednesday, September 07,
2005 5:24 PM
To: ActiveDir@xxxxxxxxxxxxxxxxxx
Subject: RE: [ActiveDir] Which
ports to open in the DMZ to communicate with AD & SQL...
Hi Phil
Here's the text I was referring to:
Currently, we do not support using IPSec
to encrypt network traffic from a domain member server to a domain controller
when you apply the IPSec policies by using Group Policy or when you use the
Kerberos authentication method.
The goal with IPSec is to encrypt the
traffic between the two sides and with the scenario described below you would
need Kerberos authentication. Or have I missed something?
Tony
From:
ActiveDir-owner@xxxxxxxxxxxxxxxxxx [mailto:ActiveDir-owner@xxxxxxxxxxxxxxxxxx] On Behalf Of Phil Renouf
Sent: Thursday, 8 September 2005
11:02 a.m.
To: ActiveDir@xxxxxxxxxxxxxxxxxx
Subject: Re: [ActiveDir] Which ports
to open in the DMZ to communicate with AD & SQL...
Did I miss something in that article? I don't see where it says client
> DC via IPSec is not supported; just that you can't encrypt Kerberos
traffic.
Phil
On 9/7/05, Tony
Murray
wrote:
> If you absolutely HAVE to then I would prefer to look at
using IPSec for communication between the Sharepoint box and your DC's
IPSec would be good, but it isn't
supported between member servers and DCs.
http://support.microsoft.com/default.aspx?scid=kb;en-us;Q254949
Tony
From: ActiveDir-owner@xxxxxxxxxxxxxxxxxx
[mailto:
ActiveDir-owner@xxxxxxxxxxxxxxxxxx] On
Behalf Of Phil Renouf
Sent: Thursday, 8 September 2005
4:20 a.m.
To: ActiveDir@xxxxxxxxxxxxxxxxxx
Subject: Re:
[ActiveDir] Which ports to open in the DMZ to communicate with AD & SQL...
I would look at putting the Sharepoint server on the internal network
and deploy an ISA server in the DMZ and use Web Publishing or Server Publishing
to get your external clients access to the site. If you want to open access
from the DMZ to your AD Forest your firewall
will be swiss cheese from all the ports than need to be open.
If you absolutely HAVE to then I would prefer to look at using IPSec
for communication between the Sharepoint box and your DC's. That leaves you
only needing the IPSec port open and not the very large number of ports to
support AD communication.
http://support.microsoft.com/kb/q179442/
Phil
On 9/7/05, Jason B
wrote:
Because this will be a sharepoint server for
clients. Regardless, that
decision has already been made and I don't have any input into it.
Any info on the ports I'd need open?
----- Original Message -----
From: "ASB"
To:
Sent: Wednesday, September 07, 2005 8:45 AM
Subject: Re: [ActiveDir] Which ports to open in the DMZ to communicate with
AD & SQL...
Why did you decide to put it in the DMZ?
-ASB
On 9/7/05, Jason B boulware_jason@xxxxxxxxxxx> wrote:
> We are putting a MS sharepoint server in the DMZ and need to have it on
> the
> domain and communicating with a SQL server on the
domain. Because of
> these
> needs, we only want to open the minimum number of ports to get
> functionality. We have LDAP (389) opened and SQL (1433)
opened. What
> other
> ports will we need to open to be able to log in on the sharepoint server
> with a domain account? Currently, with only these two ports
opened, a
> domain account can't log on to the sharepoint server in the DMZ.
List info : http://www.activedir.org/List.aspx
List FAQ : http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
List info : http://www.activedir.org/List.aspx
List FAQ : http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
This e-mail message has been scanned for Viruses and Content and
cleared by NetIQ MailMarshal at Gen-i Limited
This e-mail message has been scanned for Viruses and Content and
cleared by NetIQ MailMarshal at Gen-i Limited | | | |
| Alm@xxxx.yyy
| | 09/09/2005 1:06 AM |
| ________________________________
From: ActiveDir-owner@xxxxxxxxxxxxxxxxxx on behalf of Phil Renouf
Sent: Fri 9/9/2005 1:44 AM
To: ActiveDir@xxxxxxxxxxxxxxxxxx
Subject: Re: [ActiveDir] Which ports to open in the DMZ to communicate with AD & SQL...
Al really gave you a good post about the pros and cons of each option, but I just wanted to emphasize something to be sure it comes across: It is not "just" a DMZ. A DMZ is a semi-trusted network and to me that means it is only slightly better than the internet itself. I do everything I can to mitigate any intrusions to DMZ boxes since they are internet facing and I can't trust the internet. Yes there is another firewall in front of the DMZ, but a good security admin knows that a firewall only protects you to a point.
Also, the last option of having the server on the internal network and just providing access through the firewalls direct to it is a non-starter in my view. You have moved the perimeter of your network from the edge/DMZ into your internal network and that is not a risk I am willing to take. Much like joe's advice in another thread, I would explain the risks until I am blue in the face, then ask for a get out of jail free card for the inevitable intrusion.
On another note; you mention loading the SP box as a DC in another forest. I would prefer to look at loading an ADAM instance to handle the external users instead of having a whole other AD infrastructure. ADAM is a lot easier to manage and is intended for situations exactly like what you're looking at.
Phil
On 9/8/05, Jason B wrote:
Al, Brian and others - thanks!
I wasn't involved in the original plan for setting this extranet up, but
overheard talk about it and didn't like the plans everyone else was making
for my AD infrastructure. So I jumped into the fray after all the decisions
had been made and hardware/software purchased, but better late than never.
Originally, they wanted it set up with the SP server in the DMZ and ports
opened to the LAN to "make it work" talking to SQL and AD. The plan had
them putting extranet users and clients in our internal AD domain and giving
non-technical employees the ability to add/remove clients from an OU. Bad
mojo.
I was able to convince them to allow me to set up the SP server as a DC in a
new forest so as to avoid putting the extranet users in our AD domain. That
was the "easy" part. Another SQL license is definitely not in the budget,
so that was an easy decision. Now, I am going to try to convince them to
move the SP server into the LAN side, close the ports from the DMZ to LAN
and throw ISA server in the DMZ to serve up the extranet clients. I think I
can get them to go for it with some doom and gloom scenarios.
Again, thanks for the suggestions and advice.
--Jason
----- Original Message -----
From: "Brian Desmond"
To:
Sent: Thursday, September 08, 2005 3:14 PM
Subject: RE: [ActiveDir] Which ports to open in the DMZ to communicate with
AD & SQL...
>I am, perhaps unfortunately, quite familiar with Sharepoint.
>
> Your sharepoint server like any other member server can be a member of one
> domain. If your extranet users are in a domain trusted by the server's
> domain or another domain in the forest, you can just service them with
> multiple portals. You can have up to I think its 50 portals per frontend.
> Of
> course, I don't really recommend having your extranet accounts in your
> corp
> forest...
>
> I used to have my sharepoint environment sitting in a "DMZ" subnet. It was
> hell dealing with the spaghetti mess of ports on the checkpoints. Now we
> have this special subnet that the WAN people call the AD Load Balanced
> subnet. It's a class C that sits on the Cisco CSM and SSM modules in a
> couple of 6509s. The subnet hangs off a PIX FWSM vlan interface, and they
> have all the ports for domain joined machines open from that subnet to the
> DCs. It's actually pretty easy. The Windows folks gave the WAN folks a
> comprehensive list of ports that need to be open for AD, a/v, mgmt, etc,
> and
> they made PIX and Checkpoint rules for that subnet. Now when we need to
> load
> balance anything domain joined, the servers just go in this subnet, they
> setup the CSMs, and then the firewall people just have to add additional
> special rules (like connecting to SQL, for example).
>
>
> Thanks,
> Brian Desmond
> brian@xxxxxxxxxxxxxxxx
>
> c - 312.731.3132
>
>
>
> -----Original Message-----
> From: ActiveDir-owner@xxxxxxxxxxxxxxxxxx
> [mailto:ActiveDir-owner@xxxxxxxxxxxxxxxxxx] On Behalf Of Jason B
> Sent: Thursday, September 08, 2005 4:37 PM
> To: ActiveDir@xxxxxxxxxxxxxxxxxx
> Subject: Re: [ActiveDir] Which ports to open in the DMZ to communicate
> with
> AD & SQL...
>
> This has been a GREAT discussion and I have received a lot of useful info.
> I really appreciate the replies, suggestions, slams and help. I think I
> am
> going to revisit trying to have the sharepoint server moved to the LAN and
> see if I can't convince the powers that be to apportion an ISA license and
> hardware appropriate for running ISA to put on the DMZ. We already have a
> sharepoint server on the LAN... I am not too familiar with sharepoint,
> but
> I wonder if the existing sharepoint server can handle both the internal
> and
> external users... That's a question for another group, I guess.
>
> Anyway, I gathered quite a bit from the posts and discussion, but what are
> the main specific and concrete points that I am going to want to bring up
> to
>
> dissuade them from having the sharepoint server on the DMZ? My expertiese
> isn't in the hardware/networking aspect of configuration, but I know
> enough
> that I am not comfortable opening all the ports for AD auth from the DMZ
> to
> the LAN. Our network admin didn't think that it was a big deal to open
> the
> ports since it was "only on the DMZ" and he could control the traffic that
> was allowed to the DMZ.
>
>
> ----- Original Message -----
> From: "Al Mulnick"
> To: >
> Sent: Wednesday, September 07, 2005 5:04 PM
> Subject: RE: [ActiveDir] Which ports to open in the DMZ to communicate
> with
> AD & SQL...
>
>
> Looks like we have plenty of ideas and opinions ;)
>
> ISA is a great way to deal with this, but I believe the decision was made
> to
>
> put the SP machine in the DMZ regardless of the technical merit or
> viability. And whether or not it is a good idea. That said, ISA doesn't
> offer much if you put it AND this machine in a semi-trusted network (for
> whatever that means these days.)
>
> Shame there's no leeway though. The downside to using IPSec is that as
> others have pointed out, it won't work on member server DC for W2K
> servers (limitation of the OS) but will for 2K3 member servers but that
> still leaves you with a secure channel from the DMZ host to your internal
> network. That means you can't monitor the traffic from the DMZ to your
> internal network because it's encrypted (sounds like a broken record, I
> know.)
>
> Too bad you can't sway the decision makers to do this differently. But
> hopefully you've received a lot of ideas to pick from.
>
> Best of luck,
> Al
>
>
>
> ________________________________
>
> From: ActiveDir-owner@xxxxxxxxxxxxxxxxxx on behalf of Bernard, Aric
> Sent: Wed 9/7/2005 7:40 PM
> To: ActiveDir@xxxxxxxxxxxxxxxxxx
> Subject: RE: [ActiveDir] Which ports to open in the DMZ to communicate
> with
> AD & SQL...
>
>
>
> I agree with Phil - I think using an ISA (or other reverse proxy solution)
> is the best way to go given your constraints.
>
>
>
> Using a reverse proxy solution allows you the following:
>
> 1. Keep you Sharepoint server behind the firewall, yet make it accessible
> to
>
> external clients as if it was in the DMZ.
> 2. Restrict your [additional] holes through the firewall to only that
> needed
>
> by the reverse proxy solution to interact with the Sharepoint server (port
> 80).
>
>
>
> BTW - this scenario is becoming extremely common. The next common
> addition
> you will see to this will likely be the use of ADFS to provide an identity
> trust bridge between the internal forest and a partner forest (or other
> identity system).
>
>
>
> Regards,
>
>
>
> Aric Bernard
>
>
>
> ________________________________
>
> From: ActiveDir-owner@xxxxxxxxxxxxxxxxxx
> [mailto:ActiveDir-owner@xxxxxxxxxxxxxxxxxx] On Behalf Of Phil Renouf
> Sent: Wednesday, September 07, 2005 9:20 AM
> To: ActiveDir@xxxxxxxxxxxxxxxxxx
> Subject: Re: [ActiveDir] Which ports to open in the DMZ to communicate
> with
> AD & SQL...
>
>
>
> I would look at putting the Sharepoint server on the internal network and
> deploy an ISA server in the DMZ and use Web Publishing or Server
> Publishing
> to get your external clients access to the site. If you want to open
> access
> from the DMZ to your AD Forest your firewall will be swiss cheese from all
> the ports than need to be open.
>
>
>
> If you absolutely HAVE to then I would prefer to look at using IPSec for
> communication between the Sharepoint box and your DC's. That leaves you
> only
>
> needing the IPSec port open and not the very large number of ports to
> support AD communication.
>
>
>
> http://support.microsoft.com/kb/q179442/
>
>
> Phil
>
>
> On 9/7/05, Jason B > wrote:
>
> Because this will be a sharepoint server for clients. Regardless, that
> decision has already been made and I don't have any input into it.
> Any info on the ports I'd need open?
>
> ----- Original Message -----
> From: "ASB"
> To: >
> Sent: Wednesday, September 07, 2005 8:45 AM
> Subject: Re: [ActiveDir] Which ports to open in the DMZ to communicate
> with
> AD & SQL...
>
>
> Why did you decide to put it in the DMZ?
>
> -ASB
>
> On 9/7/05, Jason B wrote:
>> We are putting a MS sharepoint server in the DMZ and need to have it on
>> the
>> domain and communicating with a SQL server on the domain. Because of
>> these
>> needs, we only want to open the minimum number of ports to get
>> functionality. We have LDAP (389) opened and SQL (1433) opened. What
>> other
>> ports will we need to open to be able to log in on the sharepoint server
>> with a domain account? Currently, with only these two ports opened, a
>> domain account can't log on to the sharepoint server in the DMZ.
> List info : http://www.activedir.org/List.aspx
> List FAQ : http://www.activedir.org/ListFAQ.aspx
> List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
> List info : http://www.activedir.org/List.aspx
> List FAQ : http://www.activedir.org/ListFAQ.aspx
> List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
>
>
>
> List info : http://www.activedir.org/List.aspx
> List FAQ : http://www.activedir.org/ListFAQ.aspx
> List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
>
> List info : http://www.activedir.org/List.aspx
> List FAQ : http://www.activedir.org/ListFAQ.aspx
> List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
>
List info : http://www.activedir.org/List.aspx
List FAQ : http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
> | | | |
| prenouf
Posts:1
| | 09/09/2005 5:46 AM |
| Also, the last option of having the server on the internal network and just providing access through the firewalls direct to it is a non-starter in my view. You have moved the perimeter of your network from the edge/DMZ into your internal network and that is not a risk I am willing to take. Much like joe's advice in another thread, I would explain the risks until I am blue in the face, then ask for a get out of jail free card for the inevitable intrusion.
On another note; you mention loading the SP box as a DC in another forest. I would prefer to look at loading an ADAM instance to handle the external users instead of having a whole other AD infrastructure. ADAM is a lot easier to manage and is intended for situations exactly like what you're looking at.
Phil
On 9/8/05, Jason B wrote:
Al, Brian and others - thanks!I wasn't involved in the original plan for setting this extranet up, but
overheard talk about it and didn't like the plans everyone else was makingfor my AD infrastructure. So I jumped into the fray after all the decisionshad been made and hardware/software purchased, but better late than never.
Originally, they wanted it set up with the SP server in the DMZ and portsopened to the LAN to "make it work" talking to SQL and AD. The plan hadthem putting extranet users and clients in our internal AD domain and giving
non-technical employees the ability to add/remove clients from an OU. Badmojo.I was able to convince them to allow me to set up the SP server as a DC in anew forest so as to avoid putting the extranet users in our AD domain. That
was the "easy" part. Another SQL license is definitely not in the budget,so that was an easy decision. Now, I am going to try to convince them tomove the SP server into the LAN side, close the ports from the DMZ to LAN
and throw ISA server in the DMZ to serve up the extranet clients. I think Ican get them to go for it with some doom and gloom scenarios.Again, thanks for the suggestions and advice.--Jason
----- Original Message -----From: "Brian Desmond" To: Sent: Thursday, September 08, 2005 3:14 PMSubject: RE: [ActiveDir] Which ports to open in the DMZ to communicate withAD & SQL...>I am, perhaps unfortunately, quite familiar with Sharepoint.
>> Your sharepoint server like any other member server can be a member of one> domain. If your extranet users are in a domain trusted by the server's> domain or another domain in the forest, you can just service them with
> multiple portals. You can have up to I think its 50 portals per frontend.> Of> course, I don't really recommend having your extranet accounts in your> corp> forest...>> I used to have my sharepoint environment sitting in a "DMZ" subnet. It was
> hell dealing with the spaghetti mess of ports on the checkpoints. Now we> have this special subnet that the WAN people call the AD Load Balanced> subnet. It's a class C that sits on the Cisco CSM and SSM modules in a
> couple of 6509s. The subnet hangs off a PIX FWSM vlan interface, and they> have all the ports for domain joined machines open from that subnet to the> DCs. It's actually pretty easy. The Windows folks gave the WAN folks a
> comprehensive list of ports that need to be open for AD, a/v, mgmt, etc,> and> they made PIX and Checkpoint rules for that subnet. Now when we need to> load> balance anything domain joined, the servers just go in this subnet, they
> setup the CSMs, and then the firewall people just have to add additional> special rules (like connecting to SQL, for example).>>> Thanks,> Brian Desmond>
brian@xxxxxxxxxxxxxxxx>> c - 312.731.3132>>>> -----Original Message-----> From: ActiveDir-owner@xxxxxxxxxxxxxxxxxx
> [mailto:ActiveDir-owner@xxxxxxxxxxxxxxxxxx] On Behalf Of Jason B> Sent: Thursday, September 08, 2005 4:37 PM> To:
ActiveDir@xxxxxxxxxxxxxxxxxx> Subject: Re: [ActiveDir] Which ports to open in the DMZ to communicate> with> AD & SQL...>> This has been a GREAT discussion and I have received a lot of useful info.
> I really appreciate the replies, suggestions, slams and help. I think I> am> going to revisit trying to have the sharepoint server moved to the LAN and> see if I can't convince the powers that be to apportion an ISA license and
> hardware appropriate for running ISA to put on the DMZ. We already have a> sharepoint server on the LAN... I am not too familiar with sharepoint,> but> I wonder if the existing sharepoint server can handle both the internal
> and> external users... That's a question for another group, I guess.>> Anyway, I gathered quite a bit from the posts and discussion, but what are> the main specific and concrete points that I am going to want to bring up
> to>> dissuade them from having the sharepoint server on the DMZ? My expertiese> isn't in the hardware/networking aspect of configuration, but I know> enough> that I am not comfortable opening all the ports for AD auth from the DMZ
> to> the LAN. Our network admin didn't think that it was a big deal to open> the> ports since it was "only on the DMZ" and he could control the traffic that> was allowed to the DMZ.
>>> ----- Original Message -----> From: "Al Mulnick" > To: > Sent: Wednesday, September 07, 2005 5:04 PM> Subject: RE: [ActiveDir] Which ports to open in the DMZ to communicate> with> AD & SQL...>>
> Looks like we have plenty of ideas and opinions ;)>> ISA is a great way to deal with this, but I believe the decision was made> to>> put the SP machine in the DMZ regardless of the technical merit or
> viability. And whether or not it is a good idea. That said, ISA doesn't> offer much if you put it AND this machine in a semi-trusted network (for> whatever that means these days.)>> Shame there's no leeway though. The downside to using IPSec is that as
> others have pointed out, it won't work on member server DC for W2K> servers (limitation of the OS) but will for 2K3 member servers but that> still leaves you with a secure channel from the DMZ host to your internal
> network. That means you can't monitor the traffic from the DMZ to your> internal network because it's encrypted (sounds like a broken record, I> know.)>> Too bad you can't sway the decision makers to do this differently. But
> hopefully you've received a lot of ideas to pick from.>> Best of luck,> Al>>>> ________________________________>> From:
ActiveDir-owner@xxxxxxxxxxxxxxxxxx on behalf of Bernard, Aric> Sent: Wed 9/7/2005 7:40 PM> To: ActiveDir@xxxxxxxxxxxxxxxxxx> Subject: RE: [ActiveDir] Which ports to open in the DMZ to communicate
> with> AD & SQL...>>>> I agree with Phil - I think using an ISA (or other reverse proxy solution)> is the best way to go given your constraints.>>>
> Using a reverse proxy solution allows you the following:>> 1. Keep you Sharepoint server behind the firewall, yet make it accessible> to>> external clients as if it was in the DMZ.
> 2. Restrict your [additional] holes through the firewall to only that> needed>> by the reverse proxy solution to interact with the Sharepoint server (port> 80).>>>
> BTW - this scenario is becoming extremely common. The next common> addition> you will see to this will likely be the use of ADFS to provide an identity> trust bridge between the internal forest and a partner forest (or other
> identity system).>>>> Regards,>>>> Aric Bernard>>>> ________________________________>> From:
ActiveDir-owner@xxxxxxxxxxxxxxxxxx> [mailto:ActiveDir-owner@xxxxxxxxxxxxxxxxxx] On Behalf Of Phil Renouf> Sent: Wednesday, September 07, 2005 9:20 AM
> To: ActiveDir@xxxxxxxxxxxxxxxxxx> Subject: Re: [ActiveDir] Which ports to open in the DMZ to communicate> with> AD & SQL...>>
>> I would look at putting the Sharepoint server on the internal network and> deploy an ISA server in the DMZ and use Web Publishing or Server> Publishing> to get your external clients access to the site. If you want to open
> access> from the DMZ to your AD Forest your firewall will be swiss cheese from all> the ports than need to be open.>>>> If you absolutely HAVE to then I would prefer to look at using IPSec for
> communication between the Sharepoint box and your DC's. That leaves you> only>> needing the IPSec port open and not the very large number of ports to> support AD communication.>
>>> http://support.microsoft.com/kb/q179442/>>> Phil>>> On 9/7/05, Jason B wrote:>> Because this will be a sharepoint server for clients. Regardless, that> decision has already been made and I don't have any input into it.> Any info on the ports I'd need open?
>> ----- Original Message -----> From: "ASB" > To: >> Sent: Wednesday, September 07, 2005 8:45 AM> Subject: Re: [ActiveDir] Which ports to open in the DMZ to communicate
> with> AD & SQL...>>> Why did you decide to put it in the DMZ?>> -ASB>> On 9/7/05, Jason B wrote:>> We are putting a MS sharepoint server in the DMZ and need to have it on>> the>> domain and communicating with a SQL server on the domain. Because of>> these>> needs, we only want to open the minimum number of ports to get
>> functionality. We have LDAP (389) opened and SQL (1433) opened. What>> other>> ports will we need to open to be able to log in on the sharepoint server>> with a domain account? Currently, with only these two ports opened, a
>> domain account can't log on to the sharepoint server in the DMZ.> List info : http://www.activedir.org/List.aspx> List FAQ :
http://www.activedir.org/ListFAQ.aspx> List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/> List info :
http://www.activedir.org/List.aspx> List FAQ : http://www.activedir.org/ListFAQ.aspx> List archive:
http://www.mail-archive.com/activedir%40mail.activedir.org/>>>> List info : http://www.activedir.org/List.aspx> List FAQ :
http://www.activedir.org/ListFAQ.aspx> List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/>> List info :
http://www.activedir.org/List.aspx> List FAQ : http://www.activedir.org/ListFAQ.aspx> List archive:
http://www.mail-archive.com/activedir%40mail.activedir.org/>List info : http://www.activedir.org/List.aspxList FAQ :
http://www.activedir.org/ListFAQ.aspxList archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ | | | |
| boulware_jason
Posts:2
| | 09/09/2005 6:16 AM |
| ADAM... I hadn't thought of that. I
remember reading a bit about it a while ago. I suppose I will have to take
a look at it. I wasn't jazzed about having to maintain an additional AD
infrastructure simply for extranet users.
For the ISA server, will it handle a lot of the
load for the extranet/sharepoint users, or will the bulk of the load remain on
the actual sharepoint server? I will need to know what kind of hardware
we're going to need to run ISA.
Thanks.
----- Original Message -----
From:
Phil Renouf
To: ActiveDir@xxxxxxxxxxxxxxxxxx
Sent: Thursday, September 08, 2005 10:44
PM
Subject: Re: [ActiveDir] Which ports to
open in the DMZ to communicate with AD & SQL...
Al really gave you a good post about the pros and cons of each option,
but I just wanted to emphasize something to be sure it comes across: It is not
"just" a DMZ. A DMZ is a semi-trusted network and to me that means it is only
slightly better than the internet itself. I do everything I can to mitigate
any intrusions to DMZ boxes since they are internet facing and I can't trust
the internet. Yes there is another firewall in front of the DMZ, but a good
security admin knows that a firewall only protects you to a point.
Also, the last option of having the server on the internal network and
just providing access through the firewalls direct to it is a non-starter in
my view. You have moved the perimeter of your network from the edge/DMZ into
your internal network and that is not a risk I am willing to take. Much like
joe's advice in another thread, I would explain the risks until I am blue in
the face, then ask for a get out of jail free card for the inevitable
intrusion.
On another note; you mention loading the SP box as a DC in another
forest. I would prefer to look at loading an ADAM instance to handle the
external users instead of having a whole other AD infrastructure. ADAM is a
lot easier to manage and is intended for situations exactly like what you're
looking at.
Phil
On 9/8/05, Jason B
boulware_jason@xxxxxxxxxxx>
wrote:
Al,
Brian and others - thanks!I wasn't involved in the original plan for
setting this extranet up, but overheard talk about it and didn't like
the plans everyone else was makingfor my AD
infrastructure. So I jumped into the fray after all the
decisionshad been made and hardware/software purchased, but better late
than never. Originally, they wanted it set up with the SP server in the
DMZ and portsopened to the LAN to "make it work" talking to SQL and
AD. The plan hadthem putting extranet users and clients in
our internal AD domain and giving non-technical employees the ability to
add/remove clients from an OU. Badmojo.I was able to
convince them to allow me to set up the SP server as a DC in anew forest
so as to avoid putting the extranet users in our AD domain. That
was the "easy" part. Another SQL license is definitely not in
the budget,so that was an easy decision. Now, I am going to
try to convince them tomove the SP server into the LAN side, close the
ports from the DMZ to LAN and throw ISA server in the DMZ to serve up
the extranet clients. I think Ican get them to go for it with
some doom and gloom scenarios.Again, thanks for the suggestions and
advice.--Jason----- Original Message -----From: "Brian
Desmond" brian@xxxxxxxxxxxxxxxx>To:
ActiveDir@xxxxxxxxxxxxxxxxxx
>Sent: Thursday, September 08, 2005 3:14 PMSubject: RE:
[ActiveDir] Which ports to open in the DMZ to communicate withAD &
SQL...>I am, perhaps unfortunately, quite familiar with
Sharepoint. >> Your sharepoint server like any other member
server can be a member of one> domain. If your extranet users are in
a domain trusted by the server's> domain or another domain in the
forest, you can just service them with > multiple portals. You can
have up to I think its 50 portals per frontend.> Of> course, I
don't really recommend having your extranet accounts in your>
corp> forest...>> I used to have my sharepoint
environment sitting in a "DMZ" subnet. It was > hell dealing with the
spaghetti mess of ports on the checkpoints. Now we> have this special
subnet that the WAN people call the AD Load Balanced> subnet. It's a
class C that sits on the Cisco CSM and SSM modules in a > couple of
6509s. The subnet hangs off a PIX FWSM vlan interface, and they> have
all the ports for domain joined machines open from that subnet to
the> DCs. It's actually pretty easy. The Windows folks gave the WAN
folks a > comprehensive list of ports that need to be open for AD,
a/v, mgmt, etc,> and> they made PIX and Checkpoint rules for
that subnet. Now when we need to> load> balance anything
domain joined, the servers just go in this subnet, they > setup the
CSMs, and then the firewall people just have to add additional>
special rules (like connecting to SQL, for example).>>>
Thanks,> Brian Desmond> brian@xxxxxxxxxxxxxxxx>>
c - 312.731.3132>>>> -----Original
Message-----> From: ActiveDir-owner@xxxxxxxxxxxxxxxxxx
> [mailto:ActiveDir-owner@xxxxxxxxxxxxxxxxxx]
On Behalf Of Jason B> Sent: Thursday, September 08, 2005 4:37
PM> To: ActiveDir@xxxxxxxxxxxxxxxxxx>
Subject: Re: [ActiveDir] Which ports to open in the DMZ to
communicate> with> AD & SQL...>> This has
been a GREAT discussion and I have received a lot of useful info. > I
really appreciate the replies, suggestions, slams and help. I
think I> am> going to revisit trying to have the sharepoint
server moved to the LAN and> see if I can't convince the powers that
be to apportion an ISA license and > hardware appropriate for running
ISA to put on the DMZ. We already have a> sharepoint
server on the LAN... I am not too familiar with
sharepoint,> but> I wonder if the existing sharepoint server
can handle both the internal > and> external
users... That's a question for another group, I
guess.>> Anyway, I gathered quite a bit from the posts and
discussion, but what are> the main specific and concrete points that
I am going to want to bring up > to>> dissuade them
from having the sharepoint server on the DMZ? My
expertiese> isn't in the hardware/networking aspect of configuration,
but I know> enough> that I am not comfortable opening all the
ports for AD auth from the DMZ > to> the LAN. Our
network admin didn't think that it was a big deal to open>
the> ports since it was "only on the DMZ" and he could control the
traffic that> was allowed to the DMZ. >>> -----
Original Message -----> From: "Al Mulnick" Alm@xxxxxxxxxxxxxxx>> To:
> Sent: Wednesday, September 07,
2005 5:04 PM> Subject: RE: [ActiveDir] Which ports to open in the DMZ
to communicate> with> AD & SQL...>>>
Looks like we have plenty of ideas and opinions ;)>> ISA is a
great way to deal with this, but I believe the decision was made>
to>> put the SP machine in the DMZ regardless of the technical
merit or > viability. And whether or not it is a good
idea. That said, ISA doesn't> offer much if you put it AND
this machine in a semi-trusted network (for> whatever that means
these days.)>> Shame there's no leeway though. The
downside to using IPSec is that as > others have pointed out, it
won't work on member server DC for W2K> servers (limitation
of the OS) but will for 2K3 member servers but that> still leaves you
with a secure channel from the DMZ host to your internal >
network. That means you can't monitor the traffic from the DMZ to
your> internal network because it's encrypted (sounds like a broken
record, I> know.)>> Too bad you can't sway the decision
makers to do this differently. But > hopefully you've received a lot
of ideas to pick from.>> Best of luck,>
Al>>>>
________________________________>> From: ActiveDir-owner@xxxxxxxxxxxxxxxxxx
on behalf of Bernard, Aric> Sent: Wed 9/7/2005 7:40 PM> To: ActiveDir@xxxxxxxxxxxxxxxxxx>
Subject: RE: [ActiveDir] Which ports to open in the DMZ to communicate
> with> AD & SQL...>>>> I
agree with Phil - I think using an ISA (or other reverse proxy
solution)> is the best way to go given your
constraints.>>> > Using a reverse proxy solution
allows you the following:>> 1. Keep you Sharepoint server
behind the firewall, yet make it accessible> to>>
external clients as if it was in the DMZ. > 2. Restrict your
[additional] holes through the firewall to only that>
needed>> by the reverse proxy solution to interact with the
Sharepoint server (port> 80).>>> > BTW -
this scenario is becoming extremely common. The next
common> addition> you will see to this will likely be the use
of ADFS to provide an identity> trust bridge between the internal
forest and a partner forest (or other > identity
system).>>>>
Regards,>>>> Aric
Bernard>>>>
________________________________>> From: ActiveDir-owner@xxxxxxxxxxxxxxxxxx>
[mailto:ActiveDir-owner@xxxxxxxxxxxxxxxxxx]
On Behalf Of Phil Renouf> Sent: Wednesday, September 07, 2005 9:20 AM
> To: ActiveDir@xxxxxxxxxxxxxxxxxx>
Subject: Re: [ActiveDir] Which ports to open in the DMZ to
communicate> with> AD & SQL...>>
>> I would look at putting the Sharepoint server on the
internal network and> deploy an ISA server in the DMZ and use Web
Publishing or Server> Publishing> to get your external clients
access to the site. If you want to open > access> from the DMZ
to your AD Forest your firewall will be swiss cheese from all> the
ports than need to be open.>>>> If you
absolutely HAVE to then I would prefer to look at using IPSec for >
communication between the Sharepoint box and your DC's. That leaves
you> only>> needing the IPSec port open and not the
very large number of ports to> support AD communication.>
>>> http://support.microsoft.com/kb/q179442/>>>
Phil>>> On 9/7/05, Jason B boulware_jason@xxxxxxxxxxx>
wrote:>> Because this will be a sharepoint server for
clients. Regardless, that> decision has already been made
and I don't have any input into it.> Any info on the ports I'd need
open? >> ----- Original Message -----> From: "ASB"
> To:
ActiveDir@xxxxxxxxxxxxxxxxxx
ActiveDir@xxxxxxxxxxxxxxxxxx>
>> Sent: Wednesday, September 07, 2005 8:45 AM> Subject:
Re: [ActiveDir] Which ports to open in the DMZ to communicate >
with> AD & SQL...>>> Why did you decide to
put it in the DMZ?>> -ASB>> On 9/7/05, Jason B
wrote:>> We are putting a MS sharepoint server in the DMZ
and need to have it on>> the>> domain and communicating
with a SQL server on the domain. Because of>>
these>> needs, we only want to open the minimum number of ports to
get >> functionality. We have LDAP (389) opened and SQL
(1433) opened. What>> other>> ports will we
need to open to be able to log in on the sharepoint server>> with
a domain account? Currently, with only these two ports opened, a
>> domain account can't log on to the sharepoint server in the
DMZ.> List info : http://www.activedir.org/Listaspx>
List FAQ : http://www.activedir.org/ListFAQ.aspx>
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/>
List info : http://www.activedir.org/Listaspx>
List FAQ : http://www.activedir.org/ListFAQ.aspx>
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/>>>>
List info : http://www.activedir.org/Listaspx>
List FAQ : http://www.activedir.org/ListFAQ.aspx>
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/>>
List info : http://www.activedir.org/Listaspx>
List FAQ : http://www.activedir.org/ListFAQ.aspx>
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/>List
info : http://www.activedir.org/ListaspxList
FAQ : http://www.activedir.org/ListFAQ.aspxList
archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ | | | |
| bdesmond
Posts:346
| | 09/09/2005 6:44 AM |
| I tend to doubt sharepoint will use that since it has to be a member server
of the forest the users are in. There™s no LDAP binding options¦
Thanks,
Brian
Desmond
brian@xxxxxxxxxxxxxxxx
c -
312.731.3132
From: ActiveDir-owner@xxxxxxxxxxxxxxxxxx
[mailto:ActiveDir-owner@xxxxxxxxxxxxxxxxxx] On
Behalf Of Jason B
Sent: Friday, September 09, 2005
2:14 PM
To: ActiveDir@xxxxxxxxxxxxxxxxxx
Subject: Re: [ActiveDir] Which
ports to open in the DMZ to communicate with AD & SQL...
ADAM... I hadn't thought of that. I remember
reading a bit about it a while ago. I suppose I will have to take a look
at it. I wasn't jazzed about having to maintain an additional AD
infrastructure simply for extranet users.
For the ISA server, will it handle a lot of the load for the
extranet/sharepoint users, or will the bulk of the load remain on the actual
sharepoint server? I will need to know what kind of hardware we're going
to need to run ISA.
Thanks.
----- Original Message -----
From: Phil Renouf
To: ActiveDir@xxxxxxxxxxxxxxxxxx
Sent: Thursday,
September 08, 2005 10:44 PM
Subject: Re: [ActiveDir]
Which ports to open in the DMZ to communicate with AD & SQL...
Al really gave you a good post about the pros and cons of each option,
but I just wanted to emphasize something to be sure it comes across: It is not
"just" a DMZ. A DMZ is a semi-trusted network and to me that means it
is only slightly better than the internet itself. I do everything I can to
mitigate any intrusions to DMZ boxes since they are internet facing and I can't
trust the internet. Yes there is another firewall in front of the DMZ, but a
good security admin knows that a firewall only protects you to a point.
Also, the last option of having the server on the internal network and
just providing access through the firewalls direct to it is a non-starter in my
view. You have moved the perimeter of your network from the edge/DMZ into your
internal network and that is not a risk I am willing to take. Much like joe's
advice in another thread, I would explain the risks until I am blue in the
face, then ask for a get out of jail free card for the inevitable intrusion.
On another note; you mention loading the SP box as a DC in another
forest. I would prefer to look at loading an ADAM instance to handle the
external users instead of having a whole other AD infrastructure. ADAM is a lot
easier to manage and is intended for situations exactly like what you're
looking at.
Phil
On 9/8/05, Jason B
wrote:
Al, Brian and others - thanks!
I wasn't involved in the original plan for setting this extranet up, but
overheard talk about it and didn't like the plans everyone else was making
for my AD infrastructure. So I jumped into the fray after all the
decisions
had been made and hardware/software purchased, but better late than never.
Originally, they wanted it set up with the SP server in the DMZ and ports
opened to the LAN to "make it work" talking to SQL and
AD. The plan had
them putting extranet users and clients in our internal AD domain and giving
non-technical employees the ability to add/remove clients from an
OU. Bad
mojo.
I was able to convince them to allow me to set up the SP server as a DC in a
new forest so as to avoid putting the extranet users in our AD
domain. That
was the "easy" part. Another SQL license is definitely not
in the budget,
so that was an easy decision. Now, I am going to try to convince
them to
move the SP server into the LAN side, close the ports from the DMZ to LAN
and throw ISA server in the DMZ to serve up the extranet clients. I
think I
can get them to go for it with some doom and gloom scenarios.
Again, thanks for the suggestions and advice.
--Jason
----- Original Message -----
From: "Brian Desmond"
To:
Sent: Thursday, September 08, 2005 3:14 PM
Subject: RE: [ActiveDir] Which ports to open in the DMZ to communicate with
AD & SQL...
>I am, perhaps unfortunately, quite familiar with Sharepoint.
>
> Your sharepoint server like any other member server can be a member of one
> domain. If your extranet users are in a domain trusted by the server's
> domain or another domain in the forest, you can just service them with
> multiple portals. You can have up to I think its 50 portals per frontend.
> Of
> course, I don't really recommend having your extranet accounts in your
> corp
> forest...
>
> I used to have my sharepoint environment sitting in a "DMZ"
subnet. It was
> hell dealing with the spaghetti mess of ports on the checkpoints. Now we
> have this special subnet that the WAN people call the AD Load Balanced
> subnet. It's a class C that sits on the Cisco CSM and SSM modules in a
> couple of 6509s. The subnet hangs off a PIX FWSM vlan interface, and they
> have all the ports for domain joined machines open from that subnet to the
> DCs. It's actually pretty easy. The Windows folks gave the WAN folks a
> comprehensive list of ports that need to be open for AD, a/v, mgmt, etc,
> and
> they made PIX and Checkpoint rules for that subnet. Now when we need to
> load
> balance anything domain joined, the servers just go in this subnet, they
> setup the CSMs, and then the firewall people just have to add additional
> special rules (like connecting to SQL, for example).
>
>
> Thanks,
> Brian Desmond
> brian@xxxxxxxxxxxxxxxx
>
> c - 312.731.3132
>
>
>
> -----Original Message-----
> From: ActiveDir-owner@xxxxxxxxxxxxxxxxxx
> [mailto:ActiveDir-owner@xxxxxxxxxxxxxxxxxx]
On Behalf Of Jason B
> Sent: Thursday, September 08, 2005 4:37 PM
> To: ActiveDir@xxxxxxxxxxxxxxxxxx
> Subject: Re: [ActiveDir] Which ports to open in the DMZ to communicate
> with
> AD & SQL...
>
> This has been a GREAT discussion and I have received a lot of useful info.
> I really appreciate the replies, suggestions, slams and help. I
think I
> am
> going to revisit trying to have the sharepoint server moved to the LAN and
> see if I can't convince the powers that be to apportion an ISA license and
> hardware appropriate for running ISA to put on the DMZ. We
already have a
> sharepoint server on the LAN... I am not too familiar with
sharepoint,
> but
> I wonder if the existing sharepoint server can handle both the internal
> and
> external users... That's a question for another group, I guess.
>
> Anyway, I gathered quite a bit from the posts and discussion, but what are
> the main specific and concrete points that I am going to want to bring up
> to
>
> dissuade them from having the sharepoint server on the DMZ? My
expertiese
> isn't in the hardware/networking aspect of configuration, but I know
> enough
> that I am not comfortable opening all the ports for AD auth from the DMZ
> to
> the LAN. Our network admin didn't think that it was a big deal
to open
> the
> ports since it was "only on the DMZ" and he could control the
traffic that
> was allowed to the DMZ.
>
>
> ----- Original Message -----
> From: "Al Mulnick"
> To:
> Sent: Wednesday, September 07, 2005 5:04 PM
> Subject: RE: [ActiveDir] Which ports to open in the DMZ to communicate
> with
> AD & SQL...
>
>
> Looks like we have plenty of ideas and opinions ;)
>
> ISA is a great way to deal with this, but I believe the decision was made
> to
>
> put the SP machine in the DMZ regardless of the technical merit or
> viability. And whether or not it is a good idea. That said, ISA
doesn't
> offer much if you put it AND this machine in a semi-trusted network (for
> whatever that means these days.)
>
> Shame there's no leeway though. The downside to using IPSec is
that as
> others have pointed out, it won't work on member server DC for
W2K
> servers (limitation of the OS) but will for 2K3 member servers but that
> still leaves you with a secure channel from the DMZ host to your internal
> network. That means you can't monitor the traffic from the DMZ
to your
> internal network because it's encrypted (sounds like a broken record, I
> know.)
>
> Too bad you can't sway the decision makers to do this differently. But
> hopefully you've received a lot of ideas to pick from.
>
> Best of luck,
> Al
>
>
>
> ________________________________
>
> From: ActiveDir-owner@xxxxxxxxxxxxxxxxxx
on behalf of Bernard, Aric
> Sent: Wed 9/7/2005 7:40 PM
> To: ActiveDir@xxxxxxxxxxxxxxxxxx
> Subject: RE: [ActiveDir] Which ports to open in the DMZ to communicate
> with
> AD & SQL...
>
>
>
> I agree with Phil - I think using an ISA (or other reverse proxy solution)
> is the best way to go given your constraints.
>
>
>
> Using a reverse proxy solution allows you the following:
>
> 1. Keep you Sharepoint server behind the firewall, yet make it accessible
> to
>
> external clients as if it was in the DMZ.
> 2. Restrict your [additional] holes through the firewall to only that
> needed
>
> by the reverse proxy solution to interact with the Sharepoint server (port
> 80).
>
>
>
> BTW - this scenario is becoming extremely common. The next
common
> addition
> you will see to this will likely be the use of ADFS to provide an identity
> trust bridge between the internal forest and a partner forest (or other
> identity system).
>
> |
|
|