List Archives

Subject: [ActiveDir] Which ports to open in the DMZ to communicate with AD & SQL...
Page 2 of 2
bdesmond

09/08/2005 11:05 AM  
What kind of load are you looking at putting on this sharepoint server? A
Single server setup as you mentioned is not a very high powered setup...

What are you doing about the SQL? Sharepoint uses integrated auth for
connecting between servers.

Thanks,
Brian Desmond
brian@xxxxxxxxxxxxxxxx

c - 312.731.3132



-----Original Message-----
From: ActiveDir-owner@xxxxxxxxxxxxxxxxxx
[mailto:ActiveDir-owner@xxxxxxxxxxxxxxxxxx] On Behalf Of Jason B
Sent: Thursday, September 08, 2005 6:56 PM
To: ActiveDir@xxxxxxxxxxxxxxxxxx
Subject: Re: [ActiveDir] Which ports to open in the DMZ to communicate with
AD & SQL...

Al, Brian and others - thanks!

I wasn't involved in the original plan for setting this extranet up, but
overheard talk about it and didn't like the plans everyone else was making
for my AD infrastructure. So I jumped into the fray after all the decisions
had been made and hardware/software purchased, but better late than never.
Originally, they wanted it set up with the SP server in the DMZ and ports
opened to the LAN to "make it work" talking to SQL and AD. The plan had
them putting extranet users and clients in our internal AD domain and giving
non-technical employees the ability to add/remove clients from an OU. Bad
mojo.

I was able to convince them to allow me to set up the SP server as a DC in a
new forest so as to avoid putting the extranet users in our AD domain. That
was the "easy" part. Another SQL license is definitely not in the budget,
so that was an easy decision. Now, I am going to try to convince them to
move the SP server into the LAN side, close the ports from the DMZ to LAN
and throw ISA server in the DMZ to serve up the extranet clients. I think I
can get them to go for it with some doom and gloom scenarios.

Again, thanks for the suggestions and advice.

--Jason

----- Original Message -----
From: "Brian Desmond"
To:
Sent: Thursday, September 08, 2005 3:14 PM
Subject: RE: [ActiveDir] Which ports to open in the DMZ to communicate with
AD & SQL...
> I am, perhaps unfortunately, quite familiar with Sharepoint.
>
> Your sharepoint server like any other member server can be a member of one
> domain. If your extranet users are in a domain trusted by the server's
> domain or another domain in the forest, you can just service them with
> multiple portals. You can have up to I think it's 50 portals per frontend.
> Of course, I don't really recommend having your extranet accounts in your
> corp forest...
>
> I used to have my sharepoint environment sitting in a "DMZ" subnet. It was
> hell dealing with the spaghetti mess of ports on the checkpoints. Now we
> have this special subnet that the WAN people call the AD Load Balanced
> subnet. It's a class C that sits on the Cisco CSM and SSM modules in a
> couple of 6509s. The subnet hangs off a PIX FWSM vlan interface, and they
> have all the ports for domain joined machines open from that subnet to the
> DCs. It's actually pretty easy. The Windows folks gave the WAN folks a
> comprehensive list of ports that need to be open for AD, a/v, mgmt, etc,
> and they made PIX and Checkpoint rules for that subnet. Now when we need to
> load balance anything domain joined, the servers just go in this subnet,
> they set up the CSMs, and then the firewall people just have to add
> additional special rules (like connecting to SQL, for example).
>
>
> Thanks,
> Brian Desmond
> brian@xxxxxxxxxxxxxxxx
>
> c - 312.731.3132
>
>
>
> -----Original Message-----
> From: ActiveDir-owner@xxxxxxxxxxxxxxxxxx
> [mailto:ActiveDir-owner@xxxxxxxxxxxxxxxxxx] On Behalf Of Jason B
> Sent: Thursday, September 08, 2005 4:37 PM
> To: ActiveDir@xxxxxxxxxxxxxxxxxx
> Subject: Re: [ActiveDir] Which ports to open in the DMZ to communicate
> with
> AD & SQL...
>
> This has been a GREAT discussion and I have received a lot of useful info.
> I really appreciate the replies, suggestions, slams and help. I think I am
> going to revisit trying to have the sharepoint server moved to the LAN and
> see if I can't convince the powers that be to apportion an ISA license and
> hardware appropriate for running ISA to put on the DMZ. We already have a
> sharepoint server on the LAN... I am not too familiar with sharepoint, but
> I wonder if the existing sharepoint server can handle both the internal and
> external users... That's a question for another group, I guess.
>
> Anyway, I gathered quite a bit from the posts and discussion, but what are
> the main specific and concrete points that I am going to want to bring up to
> dissuade them from having the sharepoint server on the DMZ? My expertise
> isn't in the hardware/networking aspect of configuration, but I know enough
> that I am not comfortable opening all the ports for AD auth from the DMZ to
> the LAN. Our network admin didn't think that it was a big deal to open the
> ports since it was "only on the DMZ" and he could control the traffic that
> was allowed to the DMZ.
>
>
> ----- Original Message -----
> From: "Al Mulnick"
> To:
> Sent: Wednesday, September 07, 2005 5:04 PM
> Subject: RE: [ActiveDir] Which ports to open in the DMZ to communicate
> with
> AD & SQL...
>
>
> Looks like we have plenty of ideas and opinions ;)
>
> ISA is a great way to deal with this, but I believe the decision was made to
> put the SP machine in the DMZ regardless of the technical merit or
> viability. And whether or not it is a good idea. That said, ISA doesn't
> offer much if you put it AND this machine in a semi-trusted network (for
> whatever that means these days.)
>
> Shame there's no leeway though. The downside to using IPSec is that as
> others have pointed out, it won't work on member server DC for W2K
> servers (limitation of the OS) but will for 2K3 member servers but that
> still leaves you with a secure channel from the DMZ host to your internal
> network. That means you can't monitor the traffic from the DMZ to your
> internal network because it's encrypted (sounds like a broken record, I
> know.)
>
> Too bad you can't sway the decision makers to do this differently. But
> hopefully you've received a lot of ideas to pick from.
>
> Best of luck,
> Al
>
>
>
> ________________________________
>
> From: ActiveDir-owner@xxxxxxxxxxxxxxxxxx on behalf of Bernard, Aric
> Sent: Wed 9/7/2005 7:40 PM
> To: ActiveDir@xxxxxxxxxxxxxxxxxx
> Subject: RE: [ActiveDir] Which ports to open in the DMZ to communicate
> with
> AD & SQL...
>
>
>
> I agree with Phil - I think using an ISA (or other reverse proxy solution)
> is the best way to go given your constraints.
>
>
>
> Using a reverse proxy solution allows you the following:
>
> 1. Keep your Sharepoint server behind the firewall, yet make it accessible
> to external clients as if it was in the DMZ.
> 2. Restrict your [additional] holes through the firewall to only that needed
> by the reverse proxy solution to interact with the Sharepoint server (port
> 80).
>
>
>
> BTW - this scenario is becoming extremely common. The next common addition
> you will see to this will likely be the use of ADFS to provide an identity
> trust bridge between the internal forest and a partner forest (or other
> identity system).
>
>
>
> Regards,
>
>
>
> Aric Bernard
>
>
>
> ________________________________
>
> From: ActiveDir-owner@xxxxxxxxxxxxxxxxxx
> [mailto:ActiveDir-owner@xxxxxxxxxxxxxxxxxx] On Behalf Of Phil Renouf
> Sent: Wednesday, September 07, 2005 9:20 AM
> To: ActiveDir@xxxxxxxxxxxxxxxxxx
> Subject: Re: [ActiveDir] Which ports to open in the DMZ to communicate
> with
> AD & SQL...
>
>
>
> I would look at putting the Sharepoint server on the internal network and
> deploy an ISA server in the DMZ and use Web Publishing or Server Publishing
> to get your external clients access to the site. If you want to open access
> from the DMZ to your AD Forest your firewall will be swiss cheese from all
> the ports that need to be open.
>
> If you absolutely HAVE to then I would prefer to look at using IPSec for
> communication between the Sharepoint box and your DC's. That leaves you only
> needing the IPSec port open and not the very large number of ports to
> support AD communication.
>
>
>
> http://support.microsoft.com/kb/q179442/
>
>
> Phil
>
>
> On 9/7/05, Jason B wrote:
>
> Because this will be a sharepoint server for clients. Regardless, that
> decision has already been made and I don't have any input into it.
> Any info on the ports I'd need open?
>
> ----- Original Message -----
> From: "ASB"
> To: >
> Sent: Wednesday, September 07, 2005 8:45 AM
> Subject: Re: [ActiveDir] Which ports to open in the DMZ to communicate
> with
> AD & SQL...
>
>
> Why did you decide to put it in the DMZ?
>
> -ASB
>
> On 9/7/05, Jason B wrote:
>> We are putting a MS sharepoint server in the DMZ and need to have it on the
>> domain and communicating with a SQL server on the domain. Because of these
>> needs, we only want to open the minimum number of ports to get
>> functionality. We have LDAP (389) opened and SQL (1433) opened. What other
>> ports will we need to open to be able to log in on the sharepoint server
>> with a domain account? Currently, with only these two ports opened, a
>> domain account can't log on to the sharepoint server in the DMZ.
> List info : http://www.activedir.org/List.aspx
> List FAQ : http://www.activedir.org/ListFAQ.aspx
> List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
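As an added example (not code from the thread, the list, or any product it names), the following Python models the three DMZ-to-LAN firewall policies argued about above and shows why the original two-port rule set (LDAP 389 and SQL 1433) cannot support a domain logon, then compares its exposure with the reverse-proxy design. The port numbers are the standard Windows Server 2003-era AD logon ports; the policy names and the reachability probe are this example's own assumptions, not anything the posters ran.

```python
"""
Added example, not code from the thread or from any product it mentions.
It models the DMZ->LAN firewall policies the thread argues about, answers
the original question (only LDAP 389 and SQL 1433 open, domain logon fails)
by listing the AD logon ports still closed, and compares the exposure of
"open everything a domain member needs" with the reverse-proxy design
(ISA in the DMZ, SharePoint on the LAN, port 80 only). Port numbers are the
standard Windows Server 2003-era AD ports; the policy names and the probe
helper are this example's own.
"""
import socket
from dataclasses import dataclass
from typing import Dict, List, Tuple

# TCP ports a domain member must reach on its DC for a domain logon to work.
AD_LOGON_PORTS: Dict[int, str] = {
    53:   "DNS: SRV lookups to locate a DC (also UDP)",
    88:   "Kerberos authentication (also UDP)",
    135:  "RPC endpoint mapper: Netlogon secure channel setup",
    389:  "LDAP (also UDP, for CLDAP DC pings)",
    445:  "SMB: secure channel, SYSVOL and Group Policy",
    464:  "Kerberos password change",
    3268: "Global Catalog LDAP: UPN logons and forest-wide lookups",
}
# After the endpoint mapper answers, RPC continues on a port from this range
# (Windows Server 2003 default; later versions use 49152-65535).
RPC_DYNAMIC: Tuple[int, int] = (1024, 65535)


@dataclass(frozen=True)
class Policy:
    """A DMZ->LAN firewall policy as inclusive TCP destination port ranges."""
    name: str
    ranges: Tuple[Tuple[int, int], ...]

    def allows(self, port: int) -> bool:
        return any(lo <= port <= hi for lo, hi in self.ranges)

    def allows_range(self, lo: int, hi: int) -> bool:
        """True if a single rule covers the whole lo..hi range."""
        return any(rlo <= lo and hi <= rhi for rlo, rhi in self.ranges)

    def open_port_count(self) -> int:
        """Number of distinct destination ports the policy lets through."""
        return len({p for lo, hi in self.ranges for p in range(lo, hi + 1)})


# The three designs from the thread (constructed policies).
ORIGINAL = Policy("LDAP 389 + SQL 1433 only (the original question)",
                  ((389, 389), (1433, 1433)))
DOMAIN_JOINED_DMZ = Policy(
    "SharePoint in the DMZ, joined to the LAN domain",
    ((53, 53), (88, 88), (135, 135), (389, 389), (445, 445), (464, 464),
     RPC_DYNAMIC))  # 1433 and 3268 fall inside the RPC dynamic range
REVERSE_PROXY = Policy("ISA in the DMZ publishing SharePoint on the LAN",
                       ((80, 80),))


def missing_for_domain_logon(policy: Policy) -> Dict[int, str]:
    """AD logon ports the policy still blocks, with why each one is needed."""
    return {p: why for p, why in AD_LOGON_PORTS.items() if not policy.allows(p)}


def logon_can_work(policy: Policy) -> bool:
    """Domain logon needs every fixed port plus the RPC dynamic range."""
    return (not missing_for_domain_logon(policy)
            and policy.allows_range(*RPC_DYNAMIC))


def probe_tcp(host: str, port: int, timeout: float = 1.0) -> bool:
    """True if a TCP connection to host:port completes within timeout."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def unreachable_logon_ports(dc_host: str, timeout: float = 1.0) -> List[int]:
    """Probe the fixed AD logon ports on a DC from the member server's side.

    Run on the DMZ host against its own DC: a non-empty result explains a
    "domain account can't log on" symptom without guessing at firewall rules.
    (It cannot probe the RPC dynamic range; check that rule on the firewall.)
    """
    return [p for p in AD_LOGON_PORTS if not probe_tcp(dc_host, p, timeout)]


if __name__ == "__main__":
    for pol in (ORIGINAL, DOMAIN_JOINED_DMZ, REVERSE_PROXY):
        print(f"{pol.name}: {pol.open_port_count()} DMZ->LAN port(s) open, "
              f"domain logon works: {logon_can_work(pol)}")
    for port, why in missing_for_domain_logon(ORIGINAL).items():
        print(f"  still closed: {port:>5}  {why}")
```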
boulware_jason

09/08/2005 11:41 AM  
The SP server is a dual proc Xeon 3GHz w/4GB RAM. That should be able to
handle FAR more load than we - er, they - plan to have on it.

For SQL, we'll have to create a trust for now. While it would be better to
have another SQL server in the new domain and just replicate/silo the DB's
between the SQL servers, the cost for another SQL license will be too much to
bear at this point. I fear that I am going to have to make do with what we
have in regards to hardware and software for now, but I am hoping to be able
to squeak out that ISA server.

----- Original Message -----
From: "Brian Desmond" <brian@xxxxxxxxxxxxxxxx>
To: <ActiveDir@xxxxxxxxxxxxxxxxxx>
Sent: Thursday, September 08, 2005 4:04 PM
Subject: RE: [ActiveDir] Which ports to open in the DMZ to communicate with AD & SQL...
> What kind of load are you looking at putting on this sharepoint server? A
> Single server setup as you mentioned is not a very high powered setup...
>
> What are you doing about the SQL? Sharepoint uses integrated auth for
> connecting between servers.
>
> Thanks,
> Brian Desmond
> brian@xxxxxxxxxxxxxxxx
>
> c - 312.731.3132
>
bdesmond

09/08/2005 11:52 AM  
That should suffice for a good while for hardware.

Thanks,
Brian Desmond
brian@xxxxxxxxxxxxxxxx

c - 312.731.3132

From: ActiveDir-owner@xxxxxxxxxxxxxxxxxx [mailto:ActiveDir-owner@xxxxxxxxxxxxxxxxxx] On Behalf Of Jason B
Sent: Thursday, September 08, 2005 7:35 PM
To: ActiveDir@xxxxxxxxxxxxxxxxxx
Subject: Re: [ActiveDir] Which ports to open in the DMZ to communicate with AD & SQL...



The SP server is a dual proc Xeon 3GHz w/4GB RAM. That should be able to
handle FAR more load than we - er, they - plan to have on it.

For SQL, we'll have to create a trust for now. While it would be better to
have another SQL server in the new domain and just replicate/silo the DB's
between the SQL servers, the cost for another SQL license will be too much to
bear at this point. I fear that I am going to have to make do with what we
have in regards to hardware and software for now, but I am hoping to be able
to squeak out that ISA server.



----- Original Message -----

From: "Brian Desmond" brian@xxxxxxxxxxxxxxxx>

To: ActiveDir@xxxxxxxxxxxxxxxxxx>

Sent: Thursday, September 08, 2005 4:04 PM

Subject: RE: [ActiveDir] Which ports to open in the DMZ to
communicate with AD & SQL...





> What kind of load are you looking at putting on this
sharepoint server? A
> Single server setup as you mentioned is not a very high powered setup...
>
> What are you doing about the SQL? Sharepoint uses integrated auth for
> connecting between servers.
>
> Thanks,
> Brian Desmond
> brian@xxxxxxxxxxxxxxxx
>
> c - 312.731.3132
>
>
>
> -----Original Message-----
> From: ActiveDir-owner@xxxxxxxxxxxxxxxxxx
>
[mailto:ActiveDir-owner@xxxxxxxxxxxxxxxxxx] On Behalf Of Jason B
> Sent: Thursday, September 08, 2005 6:56 PM
> To: ActiveDir@xxxxxxxxxxxxxxxxxx
>
Subject: Re: [ActiveDir] Which ports to open in the DMZ to communicate with
> AD & SQL...
>
> Al, Brian and others - thanks!
>
> I wasn't involved in the original plan for setting this extranet up, but
> overheard talk about it and didn't like the plans everyone else was making

> for my AD infrastructure.  So I jumped into the fray after all the
decisions
>
> had been made and hardware/software purchased, but better late than never.

> Originally, they wanted it set up with the SP server in the DMZ and ports
> opened to the LAN to "make it work" talking to SQL and AD. 
The plan had
> them putting extranet users and clients in our internal AD domain and
giving
>
> non-technical employees the ability to add/remove clients from an
OU.  Bad
> mojo.
>
> I was able to convince them to allow me to set up the SP server as a DC in
a
>
> new forest so as to avoid putting the extranet users in our AD
domain.  That
>
> was the "easy" part.  Another SQL license is definitely not
in the budget,
> so that was an easy decision.  Now, I am going to try to convince
them to
> move the SP server into the LAN side, close the ports from the DMZ to LAN
> and throw ISA server in the DMZ to serve up the extranet clients.  I
think I
>
> can get them to go for it with some doom and gloom scenarios.
>
> Again, thanks for the suggestions and advice.
>
> --Jason
>
> ----- Original Message -----
> From: "Brian Desmond" brian@xxxxxxxxxxxxxxxx>
> To: ActiveDir@xxxxxxxxxxxxxxxxxx>
> Sent: Thursday, September 08, 2005 3:14 PM
> Subject: RE: [ActiveDir] Which ports to open in the DMZ to communicate
with
> AD & SQL...
>
>
>>I am, perhaps unfortunately, quite familiar with Sharepoint.
>>
>> Your sharepoint server like any other member server can be a member of
one
>> domain. If your extranet users are in a domain trusted by the server's
>> domain or another domain in the forest, you can just service them with
>> multiple portals. You can have up to I think its 50 portals per
frontend.
>> Of
>> course, I don't really recommend having your extranet accounts in your

>> corp
>> forest...
>>
>> I used to have my sharepoint environment sitting in a "DMZ"
subnet. It was
>> hell dealing with the spaghetti mess of ports on the checkpoints. Now
we
>> have this special subnet that the WAN people call the AD Load Balanced
>> subnet. It's a class C that sits on the Cisco CSM and SSM modules in a
>> couple of 6509s. The subnet hangs off a PIX FWSM vlan interface, and
they
>> have all the ports for domain joined machines open from that subnet to
the
>> DCs. It's actually pretty easy. The Windows folks gave the WAN folks a
>> comprehensive list of ports that need to be open for AD, a/v, mgmt,
etc,
>> and
>> they made PIX and Checkpoint rules for that subnet. Now when we need
to
>> load
>> balance anything domain joined, the servers just go in this subnet,
they
>> setup the CSMs, and then the firewall people just have to add
additional
>> special rules (like connecting to SQL, for example).
>>
>>
>> Thanks,
>> Brian Desmond
>> brian@xxxxxxxxxxxxxxxx
>>
>> c - 312.731.3132
>>
>>
>>
>> -----Original Message-----
>> From: ActiveDir-owner@xxxxxxxxxxxxxxxxxx
>>
[mailto:ActiveDir-owner@xxxxxxxxxxxxxxxxxx] On Behalf Of Jason B
>> Sent: Thursday, September 08, 2005 4:37 PM
>> To: ActiveDir@xxxxxxxxxxxxxxxxxx
>>
Subject: Re: [ActiveDir] Which ports to open in the DMZ to communicate
>> with
>> AD & SQL...
>>
>> This has been a GREAT discussion and I have received a lot of useful
info.
>> I really appreciate the replies, suggestions, slams and help.  I
think I
>> am
>> going to revisit trying to have the sharepoint server moved to the LAN
and
>> see if I can't convince the powers that be to apportion an ISA license
and
>> hardware appropriate for running ISA to put on the DMZ.  We
already have a
>> sharepoint server on the LAN...  I am not too familiar with
sharepoint,
>> but
>> I wonder if the existing sharepoint server can handle both the
internal
>> and
>> external users...  That's a question for another group, I guess.
>>
>> Anyway, I gathered quite a bit from the posts and discussion, but what
are
>> the main specific and concrete points that I am going to want to bring
up
>> to
>>
>> dissuade them from having the sharepoint server on the DMZ?  My
expertiese
>> isn't in the hardware/networking aspect of configuration, but I know
>> enough
>> that I am not comfortable opening all the ports for AD auth from the
DMZ
>> to
>> the LAN.  Our network admin didn't think that it was a big deal
to open
>> the
>> ports since it was "only on the DMZ" and he could control
the traffic that
>> was allowed to the DMZ.
>>
>>
>> ----- Original Message -----
>> From: "Al Mulnick" Alm@xxxxxxxxxxxxxxx>
>> To: ActiveDir@xxxxxxxxxxxxxxxxxx>
>> Sent: Wednesday, September 07, 2005 5:04 PM
>> Subject: RE: [ActiveDir] Which ports to open in the DMZ to communicate

>> with
>> AD & SQL...
>>
>>
>> Looks like we have plenty of ideas and opinions ;)
>>
>> ISA is a great way to deal with this, but I believe the decision was
made
>> to
>>
>> put the SP machine in the DMZ regardless of the technical merit or
>> viability. And whether or not it is a good idea.  That said, ISA
doesn't
>> offer much if you put it AND this machine in a semi-trusted network
(for
>> whatever that means these days.)
>>
>> Shame there's no leeway though.  The downside to using IPSec is
that as
>> others have pointed out, it won't work on member server DC
for W2K
>> servers (limitation of the OS) but will for 2K3 member servers but
that
>> still leaves you with a secure channel from the DMZ host to your
internal
>> network.  That means you can't monitor the traffic from the DMZ to
your
>> internal network because it's encrypted (sounds like a broken record, I
>> know.)
>>
>> Too bad you can't sway the decision makers to do this differently. But
>> hopefully you've received a lot of ideas to pick from.
>>
>> Best of luck,
>> Al
>>
>> ________________________________
>>
>> From: ActiveDir-owner@xxxxxxxxxxxxxxxxxx on behalf of Bernard, Aric
>> Sent: Wed 9/7/2005 7:40 PM
>> To: ActiveDir@xxxxxxxxxxxxxxxxxx
>> Subject: RE: [ActiveDir] Which ports to open in the DMZ to communicate with
>> AD & SQL...
>>
>> I agree with Phil - I think using an ISA (or other reverse proxy solution)
>> is the best way to go given your constraints.
>>
>> Using a reverse proxy solution allows you the following:
>>
>> 1. Keep your Sharepoint server behind the firewall, yet make it accessible
>> to external clients as if it was in the DMZ.
>> 2. Restrict your [additional] holes through the firewall to only that needed
>> by the reverse proxy solution to interact with the Sharepoint server (port
>> 80).
>>
>> BTW - this scenario is becoming extremely common.  The next common addition
>> you will see to this will likely be the use of ADFS to provide an identity
>> trust bridge between the internal forest and a partner forest (or other
>> identity system).
>>
>> Regards,
>>
>> Aric Bernard
>>
>> ________________________________
>>
>> From: ActiveDir-owner@xxxxxxxxxxxxxxxxxx
>> [mailto:ActiveDir-owner@xxxxxxxxxxxxxxxxxx] On Behalf Of Phil Renouf
>> Sent: Wednesday, September 07, 2005 9:20 AM
>> To: ActiveDir@xxxxxxxxxxxxxxxxxx
>> Subject: Re: [ActiveDir] Which ports to open in the DMZ to communicate with
>> AD & SQL...
>>
>> I would look at putting the Sharepoint server on the internal network and
>> deploy an ISA server in the DMZ and use Web Publishing or Server Publishing
>> to get your external clients access to the site. If you want to open access
>> from the DMZ to your AD Forest your firewall will be swiss cheese from all
>> the ports that need to be open.
>>
>> If you absolutely HAVE to then I would prefer to look at using IPSec for
>> communication between the Sharepoint box and your DC's. That leaves you only
>> needing the IPSec port open and not the very large number of ports to
>> support AD communication.
>>
>> http://support.microsoft.com/kb/q179442/
>>
>> Phil
>>
>> On 9/7/05, Jason B <boulware_jason@xxxxxxxxxxx> wrote:
>>
>> Because this will be a sharepoint server for clients.  Regardless, that
>> decision has already been made and I don't have any input into it.
>> Any info on the ports I'd need open?
>>
>> ----- Original Message -----
>> From: "ASB" <abaker@xxxxxxxxx>
>> To: <ActiveDir@xxxxxxxxxxxxxxxxxx>
>> Sent: Wednesday, September 07, 2005 8:45 AM
>> Subject: Re: [ActiveDir] Which ports to open in the DMZ to communicate with
>> AD & SQL...
>>
>> Why did you decide to put it in the DMZ?
>>
>> -ASB
>>
>> On 9/7/05, Jason B <boulware_jason@xxxxxxxxxxx> wrote:
>>> We are putting a MS sharepoint server in the DMZ and need to have it on
>>> the domain and communicating with a SQL server on the domain.  Because of
>>> these needs, we only want to open the minimum number of ports to get
>>> functionality.  We have LDAP (389) opened and SQL (1433) opened.  What
>>> other ports will we need to open to be able to log in on the sharepoint
>>> server with a domain account?  Currently, with only these two ports
>>> opened, a domain account can't log on to the sharepoint server in the DMZ.
>> List info   : http://www.activedir.org/List.aspx
>>
List FAQ    : http://www.activedir.org/ListFAQ.aspx
>>
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
Alm@xxxx.yyy

09/08/2005 12:07 PM  
________________________________

From: ActiveDir-owner@xxxxxxxxxxxxxxxxxx on behalf of Bernard, Aric
Sent: Wed 9/7/2005 7:40 PM
To: ActiveDir@xxxxxxxxxxxxxxxxxx
Subject: RE: [ActiveDir] Which ports to open in the DMZ to communicate with AD & SQL...

I agree with Phil - I think using an ISA (or other reverse proxy solution) is the best way to go given your constraints.



Using a reverse proxy solution allows you the following:

1. Keep your Sharepoint server behind the firewall, yet make it accessible to external clients as if it was in the DMZ.
2. Restrict your [additional] holes through the firewall to only that needed by the reverse proxy solution to interact with the Sharepoint server (port 80).



BTW - this scenario is becoming extremely common. The next common addition you will see to this will likely be the use of ADFS to provide an identity trust bridge between the internal forest and a partner forest (or other identity system).



Regards,



Aric Bernard



________________________________

From: ActiveDir-owner@xxxxxxxxxxxxxxxxxx [mailto:ActiveDir-owner@xxxxxxxxxxxxxxxxxx] On Behalf Of Phil Renouf
Sent: Wednesday, September 07, 2005 9:20 AM
To: ActiveDir@xxxxxxxxxxxxxxxxxx
Subject: Re: [ActiveDir] Which ports to open in the DMZ to communicate with AD & SQL...



I would look at putting the Sharepoint server on the internal network and deploy an ISA server in the DMZ and use Web Publishing or Server Publishing to get your external clients access to the site. If you want to open access from the DMZ to your AD Forest your firewall will be swiss cheese from all the ports that need to be open.



If you absolutely HAVE to then I would prefer to look at using IPSec for communication between the Sharepoint box and your DC's. That leaves you only needing the IPSec port open and not the very large number of ports to support AD communication.



http://support.microsoft.com/kb/q179442/


Phil


On 9/7/05, Jason B wrote:

Because this will be a sharepoint server for clients. Regardless, that
decision has already been made and I don't have any input into it.
Any info on the ports I'd need open?

----- Original Message -----
From: "ASB"
To: >
Sent: Wednesday, September 07, 2005 8:45 AM
Subject: Re: [ActiveDir] Which ports to open in the DMZ to communicate with
AD & SQL...
Why did you decide to put it in the DMZ?

-ASB

On 9/7/05, Jason B wrote:
> We are putting a MS sharepoint server in the DMZ and need to have it on
> the
> domain and communicating with a SQL server on the domain. Because of
> these
> needs, we only want to open the minimum number of ports to get
> functionality. We have LDAP (389) opened and SQL (1433) opened. What
> other
> ports will we need to open to be able to log in on the sharepoint server
> with a domain account? Currently, with only these two ports opened, a
> domain account can't log on to the sharepoint server in the DMZ.



>
TonyTestUser is Offline

Posts:0

09/08/2005 12:25 PM  
Hi Phil

Here's the text I was referring to:

Currently, we do not support using IPSec to encrypt network traffic from
a domain member server to a domain controller when you apply the IPSec policies
by using Group Policy or when you use the Kerberos authentication method.

The goal with IPSec is to encrypt the traffic between the
two sides and with the scenario described below you would need Kerberos
authentication.  Or have I missed something?

Tony

From: ActiveDir-owner@xxxxxxxxxxxxxxxxxx
[mailto:ActiveDir-owner@xxxxxxxxxxxxxxxxxx] On Behalf Of Phil Renouf
Sent: Thursday, 8 September 2005 11:02 a.m.
To: ActiveDir@xxxxxxxxxxxxxxxxxx
Subject: Re: [ActiveDir] Which ports to open in the DMZ to communicate with AD & SQL...

Did I miss something in that article? I don't see where it says client >
DC via IPSec is not supported; just that you can't encrypt Kerberos
traffic.

Phil 
On 9/7/05, Tony Murray <Tony.Murray@xxxxxxxxxxx> wrote:

> If you absolutely HAVE to then I would prefer to look at using IPSec for
> communication between the Sharepoint box and your DC's

IPSec would be good, but it isn't supported between member servers and DCs.

http://support.microsoft.com/default.aspx?scid=kb;en-us;Q254949

Tony


From: ActiveDir-owner@xxxxxxxxxxxxxxxxxx
[mailto:ActiveDir-owner@xxxxxxxxxxxxxxxxxx] On Behalf Of Phil Renouf
Sent: Thursday, 8 September 2005 4:20 a.m.
To: ActiveDir@xxxxxxxxxxxxxxxxxx
Subject: Re: [ActiveDir] Which ports to open in the DMZ to communicate with AD & SQL...

I would look at putting the Sharepoint server on the internal network and
deploy an ISA server in the DMZ and use Web Publishing or Server Publishing to
get your external clients access to the site. If you want to open access from
the DMZ to your AD Forest your firewall will be swiss cheese from all the
ports that need to be open.

If you absolutely HAVE to then I would prefer to look at using IPSec for
communication between the Sharepoint box and your DC's. That leaves you only
needing the IPSec port open and not the very large number of ports to support
AD communication.

http://support.microsoft.com/kb/q179442/ 
Phil 

On 9/7/05, Jason B <boulware_jason@xxxxxxxxxxx> wrote:

Because this will be a sharepoint server for clients.  Regardless, that
decision has already been made and I don't have any input into it.
Any info on the ports I'd need open?

----- Original Message -----
From: "ASB" <abaker@xxxxxxxxx>
To: <ActiveDir@xxxxxxxxxxxxxxxxxx>
Sent: Wednesday, September 07, 2005 8:45 AM
Subject: Re: [ActiveDir] Which ports to open in the DMZ to communicate with
AD & SQL...

Why did you decide to put it in the DMZ?

-ASB

On 9/7/05, Jason B <boulware_jason@xxxxxxxxxxx> wrote:
> We are putting a MS sharepoint server in the DMZ and need to have it on
> the domain and communicating with a SQL server on the domain.  Because of
> these needs, we only want to open the minimum number of ports to get
> functionality.  We have LDAP (389) opened and SQL (1433) opened.  What
> other ports will we need to open to be able to log in on the sharepoint
> server with a domain account?  Currently, with only these two ports
> opened, a domain account can't log on to the sharepoint server in the DMZ.


aricbernardUser is Offline

Posts:4

09/08/2005 12:29 PM  
I should make sure I was clear - in no
way did I encourage the placement of ISA AND the SharePoint server onto the
semi-trusted (DMZ) network. Again to clarify, the ISA server often (but not
always) resides in the semi-trusted network while the SharePoint server should
always reside on a fully-trusted network.  The key benefit here is that
the only required configuration through the firewall to the internal network is
the web ports (i.e. 80, 443) necessary to allow proper communication between
the ISA server and the SharePoint server.  If the ISA server were
compromised, however unlikely, the only path through the firewall to the
internal network would be via the web ports to the SharePoint server.



Another problem with the IPSec solution is
that if your SharePoint server in the DMZ is compromised (it is running IIS ;-)
the IPSec path it has through to the internal network will be compromised as
well.  Of course this will then allow a potential hacker to ride the IPSec
tunnel straight to all of the systems/ports (i.e. 88, 123, 389, 3268, 3269, and
[god forbid] 135 and 445) you have configured the SharePoint server to
communicate with on the internal LAN.  BTW I think you can configure IPSec
to work between clients/member servers and DCs so long as the correct
exceptions are in place or as long as you use certificates (which would be the best
approach if using it in the DMZ).





BTW, Jason, never say never.  With
enough good arguments and still meeting the stated requirements you can
certainly change people's opinions...




Aric   



From:
ActiveDir-owner@xxxxxxxxxxxxxxxxxx [mailto:ActiveDir-owner@xxxxxxxxxxxxxxxxxx] On Behalf Of Al Mulnick
Sent: Wednesday, September 07,
2005 5:05 PM
To: ActiveDir@xxxxxxxxxxxxxxxxxx
Subject: RE: [ActiveDir] Which
ports to open in the DMZ to communicate with AD & SQL...



Looks like we have plenty of ideas and
opinions ;)



ISA is a great way to deal with this, but I believe the
decision was made to put the SP machine in the DMZ regardless of the technical
merit or viability. And whether or not it is a good idea.  That said, ISA
doesn't offer much if you put it AND this machine in a semi-trusted network
(for whatever that means these days.)



Shame there's no leeway though.  The downside to using
IPSec is that as others have pointed out, it won't work on member server
DC for W2K servers (limitation of the OS) but will for 2K3 member
servers but that still leaves you with a secure channel from the DMZ host to
your internal network.  That means you can't monitor the traffic from the
DMZ to your internal network because it's encrypted (sounds like a broken
record, I know.)



Too bad you can't sway the decision makers to do this
differently. But hopefully you've received a lot of ideas to pick from.



Best of luck,

Al











From:
ActiveDir-owner@xxxxxxxxxxxxxxxxxx on behalf of Bernard, Aric
Sent: Wed 9/7/2005 7:40 PM
To: ActiveDir@xxxxxxxxxxxxxxxxxx
Subject: RE: [ActiveDir] Which
ports to open in the DMZ to communicate with AD & SQL...

I agree with Phil - I think using an
ISA (or other reverse proxy solution) is the best way to go given your
constraints.



Using a reverse proxy solution allows you
the following:
1. Keep your Sharepoint server behind the firewall, yet make it accessible to
external clients as if it was in the DMZ.
2. Restrict your [additional] holes through the firewall to only that needed by the
reverse proxy solution to interact with the Sharepoint server (port 80).



BTW - this scenario is becoming extremely
common.  The next common addition you will see to this will likely be the
use of ADFS to provide an identity trust bridge between the internal forest and
a partner forest (or other identity system).



Regards,



Aric Bernard



From:
ActiveDir-owner@xxxxxxxxxxxxxxxxxx [mailto:ActiveDir-owner@xxxxxxxxxxxxxxxxxx] On Behalf Of Phil Renouf
Sent: Wednesday, September 07,
2005 9:20 AM
To: ActiveDir@xxxxxxxxxxxxxxxxxx
Subject: Re: [ActiveDir] Which
ports to open in the DMZ to communicate with AD & SQL...



I would look at putting the Sharepoint server on the internal network
and deploy an ISA server in the DMZ and use Web Publishing or Server Publishing
to get your external clients access to the site. If you want to open access
from the DMZ to your AD Forest your firewall
will be swiss cheese from all the ports that need to be open.



If you absolutely HAVE to then I would prefer to look at using IPSec
for communication between the Sharepoint box and your DC's. That leaves you
only needing the IPSec port open and not the very large number of ports to
support AD communication.



http://support.microsoft.com/kb/q179442/


Phil


On 9/7/05, Jason B

wrote:

Because this will be a sharepoint server for
clients.  Regardless, that
decision has already been made and I don't have any input into it.
Any info on the ports I'd need open?

----- Original Message -----
From: "ASB"
To:
Sent: Wednesday, September 07, 2005 8:45 AM
Subject: Re: [ActiveDir] Which ports to open in the DMZ to communicate with
AD & SQL...
Why did you decide to put it in the DMZ?

-ASB

On 9/7/05, Jason B
wrote:
> We are putting a MS sharepoint server in the DMZ and need to have it on
> the
> domain and communicating with a SQL server on the
domain.  Because of
> these
> needs, we only want to open the minimum number of ports to get
> functionality.  We have LDAP (389) opened and SQL (1433)
opened.  What
> other
> ports will we need to open to be able to log in on the sharepoint server
> with a domain account?  Currently, with only these two ports
opened, a
> domain account can't log on to the sharepoint server in the DMZ.
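As an added example (not code from the thread or from any of its posters), the following Python model puts numbers on the two designs argued over above: the thread's "SharePoint as a domain member in the DMZ, with only TCP 389 and TCP 1433 open" versus the reverse-proxy design where only the web ports cross from the DMZ to the LAN. The flow list is the well-known set a domain member needs to reach its domain controllers; it goes beyond the ports Aric names (88, 123, 389, 3268, 3269, 135, 445) by including DNS, Kerberos password change and LDAPS, and the dynamic RPC range it checks for (TCP 49152-65535, the Windows Server 2008 and later default) is an assumption, as are the zone labels "dmz" and "lan".

```python
"""Added example: gap analysis of DMZ -> LAN firewall rules for a domain-joined host.
Not code from the thread. Port list is the well-known Active Directory client set;
the dynamic RPC range and the zone names are assumptions for illustration."""
from dataclasses import dataclass
from typing import List, Tuple


@dataclass(frozen=True)
class Rule:
    """One stateful allow rule from src zone to dst zone over an inclusive port range."""
    src: str
    dst: str
    proto: str  # "tcp" or "udp"
    low: int
    high: int

    def allows(self, src: str, dst: str, proto: str, port: int) -> bool:
        return (self.src, self.dst, self.proto) == (src, dst, proto) and self.low <= port <= self.high


@dataclass(frozen=True)
class Flow:
    proto: str
    port: int
    purpose: str


# Flows a domain member opens to its domain controllers (well-known AD client set).
AD_MEMBER_FLOWS: List[Flow] = [
    Flow("udp", 53, "DNS (DC locator SRV lookups)"),
    Flow("tcp", 53, "DNS (large responses)"),
    Flow("tcp", 88, "Kerberos"),
    Flow("udp", 88, "Kerberos"),
    Flow("udp", 123, "NTP (Kerberos clock skew)"),
    Flow("tcp", 135, "RPC endpoint mapper"),
    Flow("tcp", 389, "LDAP"),
    Flow("udp", 389, "LDAP ping / DC locator"),
    Flow("tcp", 445, "SMB (Netlogon, Group Policy, SYSVOL)"),
    Flow("tcp", 464, "Kerberos password change"),
    Flow("udp", 464, "Kerberos password change"),
    Flow("tcp", 636, "LDAP over SSL"),
    Flow("tcp", 3268, "Global Catalog"),
    Flow("tcp", 3269, "Global Catalog over SSL"),
]
SQL_FLOW = Flow("tcp", 1433, "SQL Server (integrated auth from SharePoint)")
# Assumed dynamic RPC range: Netlogon/SAM bind here after the endpoint-mapper lookup on 135.
RPC_DYNAMIC: Tuple[int, int] = (49152, 65535)


def missing_flows(rules: List[Rule], src: str, dst: str, flows: List[Flow]) -> List[Flow]:
    """Flows in `flows` that no rule permits from src to dst."""
    return [f for f in flows if not any(r.allows(src, dst, f.proto, f.port) for r in rules)]


def rpc_range_open(rules: List[Rule], src: str, dst: str) -> bool:
    """True if a single TCP rule covers the whole assumed dynamic RPC range."""
    lo, hi = RPC_DYNAMIC
    return any(r.src == src and r.dst == dst and r.proto == "tcp" and r.low <= lo and hi <= r.high
               for r in rules)


def gap_report(rules: List[Rule], src: str, dst: str, flows: List[Flow]) -> List[str]:
    """Holes still needed for the given flows; an empty list means the design is covered."""
    lines = [f"{f.proto}/{f.port} {f.purpose}" for f in missing_flows(rules, src, dst, flows)]
    # Anything that uses the endpoint mapper also needs the dynamic range behind it.
    if any(f.port == 135 for f in flows) and not rpc_range_open(rules, src, dst):
        lines.append(f"tcp/{RPC_DYNAMIC[0]}-{RPC_DYNAMIC[1]} dynamic RPC (Netlogon, SAM, follows port 135)")
    return lines


# Scenario A (the thread): SharePoint in the DMZ as a domain member; only LDAP and SQL open.
THREAD_RULES = [Rule("dmz", "lan", "tcp", 389, 389), Rule("dmz", "lan", "tcp", 1433, 1433)]
# Scenario B (the advice given): ISA in the DMZ reverse-proxies to SharePoint on the LAN.
PROXY_RULES = [Rule("dmz", "lan", "tcp", 80, 80), Rule("dmz", "lan", "tcp", 443, 443)]
PROXY_FLOWS = [Flow("tcp", 80, "HTTP to SharePoint"), Flow("tcp", 443, "HTTPS to SharePoint")]


if __name__ == "__main__":
    print("Holes still required, SharePoint-in-DMZ design:")
    for line in gap_report(THREAD_RULES, "dmz", "lan", AD_MEMBER_FLOWS + [SQL_FLOW]):
        print("  " + line)
    print("Holes still required, reverse-proxy design:",
          gap_report(PROXY_RULES, "dmz", "lan", PROXY_FLOWS) or "none")
```

Run as a script it lists the thirteen flows plus the RPC range that the two-rule DMZ design still lacks, which is why a domain account cannot log on with only 389 and 1433 open, and reports nothing missing for the proxy design. The same gap check can be reused against whatever the firewall team actually configured before anyone declares the DMZ host "joined".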
aricbernardUser is Offline

Posts:4

09/08/2005 12:36 PM  
The quote relates to when you are using Kerberos
as the method to setup the secure connection (ISAKMP).  If you use certificates
then IPSec can be used end-to-end between clients/member servers and DCs.



Aric



From: ActiveDir-owner@xxxxxxxxxxxxxxxxxx
[mailto:ActiveDir-owner@xxxxxxxxxxxxxxxxxx] On
Behalf Of Tony Murray
Sent: Wednesday, September 07,
2005 5:24 PM
To: ActiveDir@xxxxxxxxxxxxxxxxxx
Subject: RE: [ActiveDir] Which
ports to open in the DMZ to communicate with AD & SQL...



Hi Phil



Here's the text I was referring to:



Currently, we do not support using IPSec
to encrypt network traffic from a domain member server to a domain controller
when you apply the IPSec policies by using Group Policy or when you use the
Kerberos authentication method.

The goal with IPSec is to encrypt the
traffic between the two sides and with the scenario described below you would
need Kerberos authentication.  Or have I missed something?



Tony





From:
ActiveDir-owner@xxxxxxxxxxxxxxxxxx [mailto:ActiveDir-owner@xxxxxxxxxxxxxxxxxx] On Behalf Of Phil Renouf
Sent: Thursday, 8 September 2005
11:02 a.m.
To: ActiveDir@xxxxxxxxxxxxxxxxxx
Subject: Re: [ActiveDir] Which ports
to open in the DMZ to communicate with AD & SQL...

Did I miss something in that article? I don't see where it says client
> DC via IPSec is not supported; just that you can't encrypt Kerberos
traffic.



Phil



On 9/7/05, Tony
Murray
wrote:

> If you absolutely HAVE to then I would prefer to look at
using IPSec for communication between the Sharepoint box and your DC's



IPSec would be good, but it isn't
supported between member servers and DCs.



http://support.microsoft.com/default.aspx?scid=kb;en-us;Q254949



Tony





From: ActiveDir-owner@xxxxxxxxxxxxxxxxxx
[mailto:
ActiveDir-owner@xxxxxxxxxxxxxxxxxx] On
Behalf Of Phil Renouf
Sent: Thursday, 8 September 2005
4:20 a.m.
To: ActiveDir@xxxxxxxxxxxxxxxxxx
Subject: Re:
[ActiveDir] Which ports to open in the DMZ to communicate with AD & SQL...



I would look at putting the Sharepoint server on the internal network
and deploy an ISA server in the DMZ and use Web Publishing or Server Publishing
to get your external clients access to the site. If you want to open access
from the DMZ to your AD Forest your firewall
will be swiss cheese from all the ports that need to be open.



If you absolutely HAVE to then I would prefer to look at using IPSec
for communication between the Sharepoint box and your DC's. That leaves you
only needing the IPSec port open and not the very large number of ports to
support AD communication.



http://support.microsoft.com/kb/q179442/


Phil




On 9/7/05, Jason B
wrote:

Because this will be a sharepoint server for
clients.  Regardless, that
decision has already been made and I don't have any input into it.
Any info on the ports I'd need open?

----- Original Message -----
From: "ASB"
To:
Sent: Wednesday, September 07, 2005 8:45 AM
Subject: Re: [ActiveDir] Which ports to open in the DMZ to communicate with
AD & SQL...
Why did you decide to put it in the DMZ?

-ASB

On 9/7/05, Jason B <boulware_jason@xxxxxxxxxxx> wrote:
> We are putting a MS sharepoint server in the DMZ and need to have it on
> the
> domain and communicating with a SQL server on the
domain.  Because of
> these
> needs, we only want to open the minimum number of ports to get
> functionality.  We have LDAP (389) opened and SQL (1433)
opened.  What
> other
> ports will we need to open to be able to log in on the sharepoint server
> with a domain account?  Currently, with only these two ports
opened, a
> domain account can't log on to the sharepoint server in the DMZ.
Alm@xxxx.yyy

09/09/2005 1:06 AM  
________________________________

From: ActiveDir-owner@xxxxxxxxxxxxxxxxxx on behalf of Phil Renouf
Sent: Fri 9/9/2005 1:44 AM
To: ActiveDir@xxxxxxxxxxxxxxxxxx
Subject: Re: [ActiveDir] Which ports to open in the DMZ to communicate with AD & SQL...
Al really gave you a good post about the pros and cons of each option, but I just wanted to emphasize something to be sure it comes across: It is not "just" a DMZ. A DMZ is a semi-trusted network and to me that means it is only slightly better than the internet itself. I do everything I can to mitigate any intrusions to DMZ boxes since they are internet facing and I can't trust the internet. Yes there is another firewall in front of the DMZ, but a good security admin knows that a firewall only protects you to a point.

Also, the last option of having the server on the internal network and just providing access through the firewalls direct to it is a non-starter in my view. You have moved the perimeter of your network from the edge/DMZ into your internal network and that is not a risk I am willing to take. Much like joe's advice in another thread, I would explain the risks until I am blue in the face, then ask for a get out of jail free card for the inevitable intrusion.

On another note; you mention loading the SP box as a DC in another forest. I would prefer to look at loading an ADAM instance to handle the external users instead of having a whole other AD infrastructure. ADAM is a lot easier to manage and is intended for situations exactly like what you're looking at.

Phil


On 9/8/05, Jason B wrote:

Al, Brian and others - thanks!

I wasn't involved in the original plan for setting this extranet up, but
overheard talk about it and didn't like the plans everyone else was making
for my AD infrastructure. So I jumped into the fray after all the decisions
had been made and hardware/software purchased, but better late than never.
Originally, they wanted it set up with the SP server in the DMZ and ports
opened to the LAN to "make it work" talking to SQL and AD. The plan had
them putting extranet users and clients in our internal AD domain and giving
non-technical employees the ability to add/remove clients from an OU. Bad
mojo.

I was able to convince them to allow me to set up the SP server as a DC in a
new forest so as to avoid putting the extranet users in our AD domain. That
was the "easy" part. Another SQL license is definitely not in the budget,
so that was an easy decision. Now, I am going to try to convince them to
move the SP server into the LAN side, close the ports from the DMZ to LAN
and throw ISA server in the DMZ to serve up the extranet clients. I think I
can get them to go for it with some doom and gloom scenarios.

Again, thanks for the suggestions and advice.

--Jason

----- Original Message -----
From: "Brian Desmond"
To:
Sent: Thursday, September 08, 2005 3:14 PM
Subject: RE: [ActiveDir] Which ports to open in the DMZ to communicate with
AD & SQL...


>I am, perhaps unfortunately, quite familiar with Sharepoint.
>
> Your sharepoint server like any other member server can be a member of one
> domain. If your extranet users are in a domain trusted by the server's
> domain or another domain in the forest, you can just service them with
> multiple portals. You can have up to I think its 50 portals per frontend.
> Of
> course, I don't really recommend having your extranet accounts in your
> corp
> forest...
>
> I used to have my sharepoint environment sitting in a "DMZ" subnet. It was
> hell dealing with the spaghetti mess of ports on the checkpoints. Now we
> have this special subnet that the WAN people call the AD Load Balanced
> subnet. It's a class C that sits on the Cisco CSM and SSM modules in a
> couple of 6509s. The subnet hangs off a PIX FWSM vlan interface, and they
> have all the ports for domain joined machines open from that subnet to the
> DCs. It's actually pretty easy. The Windows folks gave the WAN folks a
> comprehensive list of ports that need to be open for AD, a/v, mgmt, etc,
> and
> they made PIX and Checkpoint rules for that subnet. Now when we need to
> load
> balance anything domain joined, the servers just go in this subnet, they
> setup the CSMs, and then the firewall people just have to add additional
> special rules (like connecting to SQL, for example).
>
>
> Thanks,
> Brian Desmond
> brian@xxxxxxxxxxxxxxxx
>
> c - 312.731.3132
>
>
>
> -----Original Message-----
> From: ActiveDir-owner@xxxxxxxxxxxxxxxxxx
> [mailto:ActiveDir-owner@xxxxxxxxxxxxxxxxxx] On Behalf Of Jason B
> Sent: Thursday, September 08, 2005 4:37 PM
> To: ActiveDir@xxxxxxxxxxxxxxxxxx
> Subject: Re: [ActiveDir] Which ports to open in the DMZ to communicate
> with
> AD & SQL...
>
> This has been a GREAT discussion and I have received a lot of useful info.
> I really appreciate the replies, suggestions, slams and help. I think I
> am
> going to revisit trying to have the sharepoint server moved to the LAN and
> see if I can't convince the powers that be to apportion an ISA license and
> hardware appropriate for running ISA to put on the DMZ. We already have a
> sharepoint server on the LAN... I am not too familiar with sharepoint,
> but
> I wonder if the existing sharepoint server can handle both the internal
> and
> external users... That's a question for another group, I guess.
>
> Anyway, I gathered quite a bit from the posts and discussion, but what are
> the main specific and concrete points that I am going to want to bring up
> to
>
> dissuade them from having the sharepoint server on the DMZ? My expertise
> isn't in the hardware/networking aspect of configuration, but I know
> enough
> that I am not comfortable opening all the ports for AD auth from the DMZ
> to
> the LAN. Our network admin didn't think that it was a big deal to open
> the
> ports since it was "only on the DMZ" and he could control the traffic that
> was allowed to the DMZ.
>
>
> ----- Original Message -----
> From: "Al Mulnick"
> To: >
> Sent: Wednesday, September 07, 2005 5:04 PM
> Subject: RE: [ActiveDir] Which ports to open in the DMZ to communicate
> with
> AD & SQL...
>
>
> Looks like we have plenty of ideas and opinions ;)
>
> ISA is a great way to deal with this, but I believe the decision was made
> to
>
> put the SP machine in the DMZ regardless of the technical merit or
> viability. And whether or not it is a good idea. That said, ISA doesn't
> offer much if you put it AND this machine in a semi-trusted network (for
> whatever that means these days.)
>
> Shame there's no leeway though. The downside to using IPSec is that as
> others have pointed out, it won't work on member server DC for W2K
> servers (limitation of the OS) but will for 2K3 member servers but that
> still leaves you with a secure channel from the DMZ host to your internal
> network. That means you can't monitor the traffic from the DMZ to your
> internal network because it's encrypted (sounds like a broken record, I
> know.)
>
> Too bad you can't sway the decision makers to do this differently. But
> hopefully you've received a lot of ideas to pick from.
>
> Best of luck,
> Al
>
>
>
> ________________________________
>
> From: ActiveDir-owner@xxxxxxxxxxxxxxxxxx on behalf of Bernard, Aric
> Sent: Wed 9/7/2005 7:40 PM
> To: ActiveDir@xxxxxxxxxxxxxxxxxx
> Subject: RE: [ActiveDir] Which ports to open in the DMZ to communicate
> with
> AD & SQL...
>
>
>
> I agree with Phil - I think using an ISA (or other reverse proxy solution)
> is the best way to go given your constraints.
>
>
>
> Using a reverse proxy solution allows you the following:
>
> 1. Keep your Sharepoint server behind the firewall, yet make it accessible
> to
>
> external clients as if it was in the DMZ.
> 2. Restrict your [additional] holes through the firewall to only that
> needed
>
> by the reverse proxy solution to interact with the Sharepoint server (port
> 80).
>
>
>
> BTW - this scenario is becoming extremely common. The next common
> addition
> you will see to this will likely be the use of ADFS to provide an identity
> trust bridge between the internal forest and a partner forest (or other
> identity system).
>
>
>
> Regards,
>
>
>
> Aric Bernard
>
>
>
> ________________________________
>
> From: ActiveDir-owner@xxxxxxxxxxxxxxxxxx
> [mailto:ActiveDir-owner@xxxxxxxxxxxxxxxxxx] On Behalf Of Phil Renouf
> Sent: Wednesday, September 07, 2005 9:20 AM
> To: ActiveDir@xxxxxxxxxxxxxxxxxx
> Subject: Re: [ActiveDir] Which ports to open in the DMZ to communicate
> with
> AD & SQL...
>
>
>
> I would look at putting the Sharepoint server on the internal network and
> deploy an ISA server in the DMZ and use Web Publishing or Server
> Publishing
> to get your external clients access to the site. If you want to open
> access
> from the DMZ to your AD Forest your firewall will be swiss cheese from all
> the ports that need to be open.
>
>
>
> If you absolutely HAVE to then I would prefer to look at using IPSec for
> communication between the Sharepoint box and your DC's. That leaves you
> only
>
> needing the IPSec port open and not the very large number of ports to
> support AD communication.
>
>
>
> http://support.microsoft.com/kb/q179442/
>
>
> Phil
>
>
> On 9/7/05, Jason B > wrote:
>
> Because this will be a sharepoint server for clients. Regardless, that
> decision has already been made and I don't have any input into it.
> Any info on the ports I'd need open?
>
> ----- Original Message -----
> From: "ASB"
> To: >
> Sent: Wednesday, September 07, 2005 8:45 AM
> Subject: Re: [ActiveDir] Which ports to open in the DMZ to communicate
> with
> AD & SQL...
>
>
> Why did you decide to put it in the DMZ?
>
> -ASB
>
> On 9/7/05, Jason B wrote:
>> We are putting a MS sharepoint server in the DMZ and need to have it on
>> the
>> domain and communicating with a SQL server on the domain. Because of
>> these
>> needs, we only want to open the minimum number of ports to get
>> functionality. We have LDAP (389) opened and SQL (1433) opened. What
>> other
>> ports will we need to open to be able to log in on the sharepoint server
>> with a domain account? Currently, with only these two ports opened, a
>> domain account can't log on to the sharepoint server in the DMZ.
prenoufUser is Offline

Posts:2

09/09/2005 5:46 AM  
Also, the last option of having the server on the internal network and just providing access through the firewalls direct to it is a non-starter in my view. You have moved the perimeter of your network from the edge/DMZ into your internal network and that is not a risk I am willing to take. Much like joe's advice in another thread, I would explain the risks until I am blue in the face, then ask for a get out of jail free card for the inevitable intrusion.


On another note; you mention loading the SP box as a DC in another forest. I would prefer to look at loading an ADAM instance to handle the external users instead of having a whole other AD infrastructure. ADAM is a lot easier to manage and is intended for situations exactly like what you're looking at.


Phil 
boulware_jason

Posts:4

09/09/2005 6:16 AM  
ADAM...  I hadn't thought of that.  I
remember reading a bit about it a while ago.  I suppose I will have to take
a look at it.  I wasn't jazzed about having to maintain an additional AD
infrastructure simply for extranet users.

For the ISA server, will it handle a lot of the
load for the extranet/sharepoint users, or will the bulk of the load remain on
the actual sharepoint server?  I will need to know what kind of hardware
we're going to need to run ISA.

Thanks.

bdesmond

Posts:977

09/09/2005 6:44 AM  
I tend to doubt sharepoint will use that since it has to be a member server
of the forest the users are in. There's no LDAP binding options...

Thanks,
Brian Desmond
brian@xxxxxxxxxxxxxxxx

c - 312.731.3132

From: ActiveDir-owner@xxxxxxxxxxxxxxxxxx
[mailto:ActiveDir-owner@xxxxxxxxxxxxxxxxxx] On Behalf Of Jason B
Sent: Friday, September 09, 2005 2:14 PM
To: ActiveDir@xxxxxxxxxxxxxxxxxx
Subject: Re: [ActiveDir] Which ports to open in the DMZ to communicate with AD & SQL...

ADAM...  I hadn't thought of that.  I remember
reading a bit about it a while ago.  I suppose I will have to take a look
at it.  I wasn't jazzed about having to maintain an additional AD
infrastructure simply for extranet users.

For the ISA server, will it handle a lot of the load for the
extranet/sharepoint users, or will the bulk of the load remain on the actual
sharepoint server?  I will need to know what kind of hardware we're going
to need to run ISA.

Thanks.

----- Original Message -----
From: Phil Renouf
To: ActiveDir@xxxxxxxxxxxxxxxxxx
Sent: Thursday, September 08, 2005 10:44 PM
Subject: Re: [ActiveDir] Which ports to open in the DMZ to communicate with AD & SQL...

Al really gave you a good post about the pros and cons of each option,
but I just wanted to emphasize something to be sure it comes across: It is not
"just" a DMZ. A DMZ is a semi-trusted network and to me that means it
is only slightly better than the internet itself. I do everything I can to
mitigate any intrusions to DMZ boxes since they are internet facing and I can't
trust the internet. Yes there is another firewall in front of the DMZ, but a
good security admin knows that a firewall only protects you to a point.

Also, the last option of having the server on the internal network and
just providing access through the firewalls direct to it is a non-starter in my
view. You have moved the perimeter of your network from the edge/DMZ into your
internal network and that is not a risk I am willing to take. Much like joe's
advice in another thread, I would explain the risks until I am blue in the
face, then ask for a get out of jail free card for the inevitable intrusion.

On another note; you mention loading the SP box as a DC in another
forest. I would prefer to look at loading an ADAM instance to handle the
external users instead of having a whole other AD infrastructure. ADAM is a lot
easier to manage and is intended for situations exactly like what you're
looking at.

Phil

On 9/8/05, Jason B wrote:

Al, Brian and others - thanks!

I wasn't involved in the original plan for setting this extranet up, but
overheard talk about it and didn't like the plans everyone else was making
for my AD infrastructure.  So I jumped into the fray after all the decisions
had been made and hardware/software purchased, but better late than never.
Originally, they wanted it set up with the SP server in the DMZ and ports
opened to the LAN to "make it work" talking to SQL and AD.  The plan had
them putting extranet users and clients in our internal AD domain and giving
non-technical employees the ability to add/remove clients from an OU.  Bad
mojo.

I was able to convince them to allow me to set up the SP server as a DC in a
new forest so as to avoid putting the extranet users in our AD domain.  That
was the "easy" part.  Another SQL license is definitely not in the budget,
so that was an easy decision.  Now, I am going to try to convince them to
move the SP server into the LAN side, close the ports from the DMZ to LAN
and throw ISA server in the DMZ to serve up the extranet clients.  I think I
can get them to go for it with some doom and gloom scenarios.

Again, thanks for the suggestions and advice.

--Jason

----- Original Message -----
From: "Brian Desmond"
To:
Sent: Thursday, September 08, 2005 3:14 PM
Subject: RE: [ActiveDir] Which ports to open in the DMZ to communicate with
AD & SQL...
>I am, perhaps unfortunately, quite familiar with Sharepoint.
>
> Your sharepoint server like any other member server can be a member of one
> domain. If your extranet users are in a domain trusted by the server's
> domain or another domain in the forest, you can just service them with
> multiple portals. You can have up to I think its 50 portals per frontend.
> Of
> course, I don't really recommend having your extranet accounts in your
> corp
> forest...
>
> I used to have my sharepoint environment sitting in a "DMZ" subnet. It was
> hell dealing with the spaghetti mess of ports on the checkpoints. Now we
> have this special subnet that the WAN people call the AD Load Balanced
> subnet. It's a class C that sits on the Cisco CSM and SSM modules in a
> couple of 6509s. The subnet hangs off a PIX FWSM vlan interface, and they
> have all the ports for domain joined machines open from that subnet to the
> DCs. It's actually pretty easy. The Windows folks gave the WAN folks a
> comprehensive list of ports that need to be open for AD, a/v, mgmt, etc,
> and
> they made PIX and Checkpoint rules for that subnet. Now when we need to
> load
> balance anything domain joined, the servers just go in this subnet, they
> setup the CSMs, and then the firewall people just have to add additional
> special rules (like connecting to SQL, for example).
>
>
> Thanks,
> Brian Desmond
> brian@xxxxxxxxxxxxxxxx
>
> c - 312.731.3132
>
>
>
> -----Original Message-----
> From: ActiveDir-owner@xxxxxxxxxxxxxxxxxx
> [mailto:ActiveDir-owner@xxxxxxxxxxxxxxxxxx] On Behalf Of Jason B
> Sent: Thursday, September 08, 2005 4:37 PM
> To: ActiveDir@xxxxxxxxxxxxxxxxxx
> Subject: Re: [ActiveDir] Which ports to open in the DMZ to communicate
> with
> AD & SQL...
>
> This has been a GREAT discussion and I have received a lot of useful info.
> I really appreciate the replies, suggestions, slams and help.  I think I
> am
> going to revisit trying to have the sharepoint server moved to the LAN and
> see if I can't convince the powers that be to apportion an ISA license and
> hardware appropriate for running ISA to put on the DMZ.  We already have a
> sharepoint server on the LAN...  I am not too familiar with sharepoint,
> but
> I wonder if the existing sharepoint server can handle both the internal
> and
> external users...  That's a question for another group, I guess.
>
> Anyway, I gathered quite a bit from the posts and discussion, but what are
> the main specific and concrete points that I am going to want to bring up
> to
>
> dissuade them from having the sharepoint server on the DMZ?  My expertise
> isn't in the hardware/networking aspect of configuration, but I know
> enough
> that I am not comfortable opening all the ports for AD auth from the DMZ
> to
> the LAN.  Our network admin didn't think that it was a big deal to open
> the
> ports since it was "only on the DMZ" and he could control the traffic that
> was allowed to the DMZ.
>
>
> ----- Original Message -----
> From: "Al Mulnick"
> To:
> Sent: Wednesday, September 07, 2005 5:04 PM
> Subject: RE: [ActiveDir] Which ports to open in the DMZ to communicate
> with
> AD & SQL...
>
>
> Looks like we have plenty of ideas and opinions ;)
>
> ISA is a great way to deal with this, but I believe the decision was made
> to
>
> put the SP machine in the DMZ regardless of the technical merit or
> viability. And whether or not it is a good idea.  That said, ISA doesn't
> offer much if you put it AND this machine in a semi-trusted network (for
> whatever that means these days.)
>
> Shame there's no leeway though.  The downside to using IPSec is that as
> others have pointed out, it won't work on member server DC for W2K
> servers (limitation of the OS) but will for 2K3 member servers but that
> still leaves you with a secure channel from the DMZ host to your internal
> network.  That means you can't monitor the traffic from the DMZ to your
> internal network because it's encrypted (sounds like a broken record, I
> know.)
>
> Too bad you can't sway the decision makers to do this differently. But
> hopefully you've received a lot of ideas to pick from.
>
> Best of luck,
> Al
>
>
>
> ________________________________
>
> From: ActiveDir-owner@xxxxxxxxxxxxxxxxxx on behalf of Bernard, Aric
> Sent: Wed 9/7/2005 7:40 PM
> To: ActiveDir@xxxxxxxxxxxxxxxxxx
> Subject: RE: [ActiveDir] Which ports to open in the DMZ to communicate
> with
> AD & SQL...
>
>
>
> I agree with Phil - I think using an ISA (or other reverse proxy solution)
> is the best way to go given your constraints.
>
>
>
> Using a reverse proxy solution allows you the following:
>
> 1. Keep you Sharepoint server behind the firewall, yet make it accessible
> to
>
> external clients as if it was in the DMZ.
> 2. Restrict your [additional] holes through the firewall to only that
> needed
>
> by the reverse proxy solution to interact with the Sharepoint server (port
> 80).
>
>
>
> BTW - this scenario is becoming extremely common.  The next common
> addition
> you will see to this will likely be the use of ADFS to provide an identity
> trust bridge between the internal forest and a partner forest (or other
> identity system).
>
>
>
> Regards,
>
>
>
> Aric Bernard
>
>
>
> ________________________________
>
> From: ActiveDir-owner@xxxxxxxxxxxxxxxxxx
> [mailto:ActiveDir-owner@xxxxxxxxxxxxxxxxxx] On Behalf Of Phil Renouf
> Sent: Wednesday, September 07, 2005 9:20 AM
> To: ActiveDir@xxxxxxxxxxxxxxxxxx
> Subject: Re: [ActiveDir] Which ports to open in the DMZ to communicate
> with
> AD & SQL...
>
>
>
> I would look at putting the Sharepoint server on the internal network and
> deploy an ISA server in the DMZ and use Web Publishing or Server
> Publishing
> to get your external clients access to the site. If you want to open
> access
> from the DMZ to your AD Forest your firewall will be swiss cheese from all
> the ports that need to be open.
>
>
>
> If you absolutely HAVE to then I would prefer to look at using IPSec for
> communication between the Sharepoint box and your DC's. That leaves you
> only
>
> needing the IPSec port open and not the very large number of ports to
> support AD communication.
>
>
>
> http://support.microsoft.com/kb/q179442/
>
>
> Phil
>
>
> On 9/7/05, Jason B wrote:
>
> Because this will be a sharepoint server for clients.  Regardless, that
> decision has already been made and I don't have any input into it.
> Any info on the ports I'd need open?
>
> ----- Original Message -----
> From: "ASB"
> To:
>
> Sent: Wednesday, September 07, 2005 8:45 AM
> Subject: Re: [ActiveDir] Which ports to open in the DMZ to communicate
> with
> AD & SQL...
>
>
> Why did you decide to put it in the DMZ?
>
> -ASB
>
> On 9/7/05, Jason B wrote:
>> We are putting a MS sharepoint server in the DMZ and need to have it on
>> the
>> domain and communicating with a SQL server on the domain.  Because of
>> these
>> needs, we only want to open the minimum number of ports to get
>> functionality.  We have LDAP (389) opened and SQL (1433) opened.  What
>> other
>> ports will we need to open to be able to log in on the sharepoint server
>> with a domain account?  Currently, with only these two ports opened, a
>> domain account can't log on to the sharepoint server in the DMZ.
> List info   : http://www.activedir.org/Listaspx
> List FAQ    : http://www.activedir.org/ListFAQ.aspx
> List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
>
List info   : http://www.activedir.org/Listaspx
List FAQ    : http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
prenoufUser is Offline

Posts:2

09/09/2005 8:10 AM  
If you look at the sophistication of the majority of attacks, it's not very high. Most attacks you are going to get are script kiddies and although the potential is there that if they compromise a box in your DMZ they could continue their attack on your internal network via the ports you have open on the DMZ firewall, the likelihood that they will get anywhere but the DMZ is pretty slim. Those script kiddies had an exploit that happened to work on your web server, but chances are your webserver is connecting to a different type of server on the backend so that same exploit just won't help them get any further. To me that makes the DMZ worth the effort since that will likely stop the majority of attacks from reaching your internal network.


If you get attacked by someone with a higher level of sophistication then you'll only be slowing them down, but if you have a well tuned IDS/IPS then that extra time may have given you enough time to be notified of the attack and try to do something about it, even if that is just unplugging the firewall to contain them.


A DMZ is definitely not the be-all end-all for security that it was once touted as, but I still think it is an important piece in the security puzzle. If you are a small company and can't afford a DMZ then I guess you would have to focus your efforts on other mitigation scenarios.


This was just a quick response, if you want more of an explanation of my view on DMZ's I'll try again on Monday :)

Phil 
On 9/9/05, Al Mulnick wrote:
Not to beat a dead horse, but I'm insanely and incurably curious. I think it's safe to say that the decisions and solution were decided before the technical stakeholders made the scene.  That leaves Jason in a bad spot as he now has to a) be the bad guy and b) clean up other people's messes and c) do so without a budget.  To be successful, somebody has to get their feelings hurt and it's likely a manager somewhere who shot first and aimed later if at all. As if that situation would ever happen, right?
But what I'm really curious about was your comment about the DMZ vs. the internet vs. the trusted network. I tend to agree with you Phil, however it's worth noting that there are MANY schools of thought when it comes to security strategy.  One such theory holds that there is no need for a DMZ any longer.  The reasons given range, but basically boil down to the part about it really only taking one network port to gain access to your entire network.
As I understand a DMZ topology, the idea is to have a semi-trusted network that acts as a go-between for trusted and non-trusted communications where the non-trusted entity talks to the DMZ host (semi-trusted entity), who then relays that communication to the internal host and then reverses the conversation.  To be effective, it usually doesn't do for the DMZ host to be able to have write access or unrestricted access to the internal network therefore a firewall is used to control the traffic as desired, historically based on traffic type and destination but recently based more on intent (layer-7).  The reason folks don't think a DMZ is needed any longer is because the only thing standing between a successful attack and your night's rest is that DMZ host OS in many cases. If that host is compromised, you run the risk that somebody will now have access to internal resources.
The practical difference between that DMZ host and allowing access to the internal network directly is that if somebody compromised your internal host, they'd typically have a lot fewer restrictions on where they could go on the wire vs. having a firewall that *could* be used to restrict access.  Here's the thing: in order for the DMZ firewalls to be effective, something needs to trigger the lockdown. What would that be in this scenario?  The final solution will likely use SSL or some other form of encryption for the transmission.  At that point, your firewall is useless unless you are manually tipped off there's a problem or you have some sort of SSL bridging technology and some IDS plugged into the conversation that's properly tuned etc.  If you don't (think ISA as your SSL bridging device in this case) then there's really about 5 minutes difference between the DMZ host scenario and the allowing untrusted traffic to the internal host scenario in the event of a compromise. This is the type of thinking behind the concept of protecting your resources regardless of location FWIW.
For my money, it's all about risk vs. reward.  You should not allow any host to have access to your valuables if you can't afford to lose them or if the reward is less than the cost of protecting that resource sufficiently regardless of network location [1]. Some crazy people think you should have an inventory of your resources and a stated security evaluation plan in place prior to architecting anything.  Crazy people.
Phil, what're your thoughts on the DMZ scenario given some of the other schools of thought? Do you agree, disagree, ? Any reasons?
[1] Like I was saying above, this is where people come up with the idea that many attacks come from internal resources etc.  Figuring out the risk/reward/value is a large part of the security process that is often overlooked in architecture discussions IMHO [2].
[2] I'm not a security expert, but I sometimes play one on the internet :)

________________________________

From: ActiveDir-owner@xxxxxxxxxxxxxxxxxx on behalf of Phil Renouf
Sent: Fri 9/9/2005 1:44 AM
To: ActiveDir@xxxxxxxxxxxxxxxxxx
Subject: Re: [ActiveDir] Which ports to open in the DMZ to communicate with AD & SQL...
Al really gave you a good post about the pros and cons of each option, but I just wanted to emphasize something to be sure it comes across: It is not "just" a DMZ. A DMZ is a semi-trusted network and to me that means it is only slightly better than the internet itself. I do everything I can to mitigate any intrusions to DMZ boxes since they are internet facing and I can't trust the internet. Yes there is another firewall in front of the DMZ, but a good security admin knows that a firewall only protects you to a point.
Also, the last option of having the server on the internal network and just providing access through the firewalls direct to it is a non-starter in my view. You have moved the perimeter of your network from the edge/DMZ into your internal network and that is not a risk I am willing to take. Much like joe's advice in another thread, I would explain the risks until I am blue in the face, then ask for a get out of jail free card for the inevitable intrusion.
On another note; you mention loading the SP box as a DC in another forest. I would prefer to look at loading an ADAM instance to handle the external users instead of having a whole other AD infrastructure. ADAM is a lot easier to manage and is intended for situations exactly like what you're looking at.
Phil

On 9/8/05, Jason B wrote:
> Al, Brian and others - thanks!
>
> I wasn't involved in the original plan for setting this extranet up, but
> overheard talk about it and didn't like the plans everyone else was making
> for my AD infrastructure.  So I jumped into the fray after all the decisions
> had been made and hardware/software purchased, but better late than never.
> Originally, they wanted it set up with the SP server in the DMZ and ports
> opened to the LAN to "make it work" talking to SQL and AD.  The plan had
> them putting extranet users and clients in our internal AD domain and giving
> non-technical employees the ability to add/remove clients from an OU.  Bad
> mojo.
>
> I was able to convince them to allow me to set up the SP server as a DC in a
> new forest so as to avoid putting the extranet users in our AD domain.  That
> was the "easy" part.  Another SQL license is definitely not in the budget,
> so that was an easy decision.  Now, I am going to try to convince them to
> move the SP server into the LAN side, close the ports from the DMZ to LAN
> and throw ISA server in the DMZ to serve up the extranet clients.  I think I
> can get them to go for it with some doom and gloom scenarios.
>
> Again, thanks for the suggestions and advice.
>
> --Jason
AD00000928User is Offline

Posts:0

09/09/2005 9:15 AM  
Well stated, Al.

To re-emphasize a general principle you appear to be making: If one is
not going to choose the most secure path possible, then at least try
to keep it simple. Adding complexity without increasing security (as
in options 2 or 3), is more of a drawback for those who have to
maintain the environment.
-ASB
FAST, CHEAP, SECURE: Pick Any TWO
http://www.ultratech-llc.com/KB/
On 9/8/05, Al Mulnick wrote:
> Option #1
> Procure and deploy ISA as an application publishing device. Note: investigate the appliance versions - Way cool.
> Pros: recommended method for publishing trusted network resources to non-trusted or semi-trusted networks; only requires one easily monitored network port to allow communications (TCP 80); can bridge SSL conversations for additional protection options; etc
> Cons: additional hardware/software to deploy and support
>
> Option #2
> Procure and deploy a second Sharepoint server in the DMZ. Allow two-way communication between DMZ host to domain controllers, DNS, and SQL as if it were a trusted resource.
> Pros: easily done with current software and hardware expertise
> Cons: Solution provides high risk of being hacked; Solution provides high impact if hacked because the hacker has full run of the trusted servers from the semi-trusted servers. DMZ servers tend to not be watched as well as trusted hosts. Complex solution that requires a lot of moving parts causing higher impact to problem resolution should the need arise. Also impacts upgrade process should it be needed. In the final analysis, this would also likely not be in line with the company security policy. If it is in line with it, you may want to fish around for a new CSO as there may soon be a vacancy :)
>
> Option #3
> Procure and deploy a second SP server in the dmz and connect it back via IPSec tunnel to trusted network.
> Pros: easier to set up with fewer network ports to allow
> Cons: See Option #2 cons. Add to that the inability to monitor any of the conversation between the DMZ sp host and the trusted network hosts thereby allowing an attacker the ability to freely move around the network without being detected by IDSes. The list goes on...
>
> Option #4
> Allow external semi-trusted traffic to penetrate the hard candy shell of your network to access SP resources on the trusted network via SSL or TCP80 traffic.
> Pros: easily allowed without any further modification to internal systems; increased reliability due to simplicity could be realized.
> Cons: See cons for #3, #2 and add: The potential impact of a breach would be severely critical because in addition to the specified trusted hosts that solution #2 would allow, the attacker would have unrestricted (even trusted) access to any system left out on your trusted network without having to hack another machine to do so. (Keep in mind that an attacker could gain control of the DMZ host, then the DC, then have the same access, but we're talking about risk management; security is never perfect.)
>
>
>
> If you can't persuade them to go with option #1, then perhaps it would make more sense for them to go ahead and just go with option #4 as it would at least be more reliable.
>
> My $0.04 anyway. I'm sure there's something that can be added/modified but this would be my first pass (rather, it has been a first pass in the past for other applications :)
>
> Keep in mind that it all comes back to your security policy and I highly encourage you to find out what that is and how this fits vs. listening to the network administrator. Unless that's the same person in which case you may want to just go with whatever is easier to support for you in the long run (just kidding).
>
> Al
>
>
>
>
>
> ________________________________
>
> From: ActiveDir-owner@xxxxxxxxxxxxxxxxxx on behalf of Jason B
> Sent: Thu 9/8/2005 4:37 PM
> To: ActiveDir@xxxxxxxxxxxxxxxxxx
> Subject: Re: [ActiveDir] Which ports to open in the DMZ to communicate with AD & SQL...
>
>
>
> This has been a GREAT discussion and I have received a lot of useful info.
> I really appreciate the replies, suggestions, slams and help. I think I am
> going to revisit trying to have the sharepoint server moved to the LAN and
> see if I can't convince the powers that be to apportion an ISA license and
> hardware appropriate for running ISA to put on the DMZ. We already have a
> sharepoint server on the LAN... I am not too familiar with sharepoint, but
> I wonder if the existing sharepoint server can handle both the internal and
> external users... That's a question for another group, I guess.
>
> Anyway, I gathered quite a bit from the posts and discussion, but what are
> the main specific and concrete points that I am going to want to bring up to
> dissuade them from having the sharepoint server on the DMZ? My expertise
> isn't in the hardware/networking aspect of configuration, but I know enough
> that I am not comfortable opening all the ports for AD auth from the DMZ to
> the LAN. Our network admin didn't think that it was a big deal to open the
> ports since it was "only on the DMZ" and he could control the traffic that
> was allowed to the DMZ.
>
>
> ----- Original Message -----
> From: "Al Mulnick"
> To:
> Sent: Wednesday, September 07, 2005 5:04 PM
> Subject: RE: [ActiveDir] Which ports to open in the DMZ to communicate with
> AD & SQL...
>
>
> Looks like we have plenty of ideas and opinions ;)
>
> ISA is a great way to deal with this, but I believe the decision was made to
> put the SP machine in the DMZ regardless of the technical merit or
> viability. And whether or not it is a good idea. That said, ISA doesn't
> offer much if you put it AND this machine in a semi-trusted network (for
> whatever that means these days.)
>
> Shame there's no leeway though. The downside to using IPSec is that as
> others have pointed out, it won't work on member server DC for W2K
> servers (limitation of the OS) but will for 2K3 member servers but that
> still leaves you with a secure channel from the DMZ host to your internal
> network. That means you can't monitor the traffic from the DMZ to your
> internal network because it's encrypted (sounds like a broken record, I
> know.)
>
> Too bad you can't sway the decision makers to do this differently. But
> hopefully you've received a lot of ideas to pick from.
>
> Best of luck,
> Al
>
>
>
> ________________________________
>
> From: ActiveDir-owner@xxxxxxxxxxxxxxxxxx on behalf of Bernard, Aric
> Sent: Wed 9/7/2005 7:40 PM
> To: ActiveDir@xxxxxxxxxxxxxxxxxx
> Subject: RE: [ActiveDir] Which ports to open in the DMZ to communicate with
> AD & SQL...
>
>
>
> I agree with Phil - I think using an ISA (or other reverse proxy solution)
> is the best way to go given your constraints.
>
>
>
> Using a reverse proxy solution allows you the following:
>
> 1. Keep your Sharepoint server behind the firewall, yet make it accessible to
> external clients as if it was in the DMZ.
> 2. Restrict your [additional] holes through the firewall to only that needed
> by the reverse proxy solution to interact with the Sharepoint server (port
> 80).
>
>
>
> BTW - this scenario is becoming extremely common. The next common addition
> you will see to this will likely be the use of ADFS to provide an identity
> trust bridge between the internal forest and a partner forest (or other
> identity system).
>
>
>
> Regards,
>
>
>
> Aric Bernard
>
>
>
> ________________________________
>
> From: ActiveDir-owner@xxxxxxxxxxxxxxxxxx
> [mailto:ActiveDir-owner@xxxxxxxxxxxxxxxxxx] On Behalf Of Phil Renouf
> Sent: Wednesday, September 07, 2005 9:20 AM
> To: ActiveDir@xxxxxxxxxxxxxxxxxx
> Subject: Re: [ActiveDir] Which ports to open in the DMZ to communicate with
> AD & SQL...
>
>
>
> I would look at putting the Sharepoint server on the internal network and
> deploy an ISA server in the DMZ and use Web Publishing or Server Publishing
> to get your external clients access to the site. If you want to open access
> from the DMZ to your AD Forest your firewall will be swiss cheese from all
> the ports that need to be open.
>
>
>
> If you absolutely HAVE to then I would prefer to look at using IPSec for
> communication between the Sharepoint box and your DC's. That leaves you only
> needing the IPSec port open and not the very large number of ports to
> support AD communication.
>
>
>
> http://support.microsoft.com/kb/q179442/
>
>
> Phil
>
>
> On 9/7/05, Jason B wrote:
>
> Because this will be a sharepoint server for clients. Regardless, that
> decision has already been made and I don't have any input into it.
> Any info on the ports I'd need open?
>
> ----- Original Message -----
> From: "ASB"
> To: >
> Sent: Wednesday, September 07, 2005 8:45 AM
> Subject: Re: [ActiveDir] Which ports to open in the DMZ to communicate with
> AD & SQL...
>
>
> Why did you decide to put it in the DMZ?
>
> -ASB
>
> On 9/7/05, Jason B wrote:
> > We are putting a MS sharepoint server in the DMZ and need to have it on
> > the
> > domain and communicating with a SQL server on the domain. Because of
> > these
> > needs, we only want to open the minimum number of ports to get
> > functionality. We have LDAP (389) opened and SQL (1433) opened. What
> > other
> > ports will we need to open to be able to log in on the sharepoint server
> > with a domain account? Currently, with only these two ports opened, a
> > domain account can't log on to the sharepoint server in the DMZ.
List info : http://www.activedir.org/List.aspx
List FAQ : http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
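Before arguing any of Al's four options, the check a defender wants in hand is what the DMZ-to-LAN firewall actually permits today versus what the rule set is supposed to permit. The script below, an added example that is not code from this thread or from any product named in it, probes a list of TCP ports from the DMZ host and reports drift in both directions (ports reachable that policy never allowed, and allowed ports that are not reachable, which is Jason's "a domain account can't log on" symptom). The port list is general Active Directory background and is an assumption on my part; the thread itself names only LDAP 389, SQL 1433 and TCP 80. The host names `dc01.corp.example` and `sql01.corp.example` are placeholders.

```python
"""Audit which TCP ports a DMZ host can reach on LAN targets.

Added example, not from the ActiveDir thread. Run it on the DMZ host; the
host names are placeholders. The AD port list below is general background
knowledge (an assumption), not something the thread enumerates.
"""
import socket
from typing import Dict, Iterable, Set, Tuple

# TCP ports a domain-joined member server normally needs on a domain controller.
# Assumption from general AD knowledge; the thread itself names only LDAP 389.
# RPC-based services (e.g. Netlogon via 135) also negotiate a dynamic high
# port, so a fixed list can never prove a rule set is "minimal" on its own.
AD_MEMBER_TCP_PORTS: Dict[int, str] = {
    53: "DNS",
    88: "Kerberos",
    135: "RPC endpoint mapper",
    389: "LDAP",
    445: "SMB (SYSVOL, Netlogon)",
    464: "Kerberos password change",
    636: "LDAP over TLS",
    3268: "Global Catalog LDAP",
}
SQL_TCP_PORTS: Dict[int, str] = {1433: "SQL Server default instance"}


def probe(host: str, port: int, timeout: float = 2.0) -> bool:
    """True when a TCP connect to host:port completes within timeout.

    A refused or filtered connection, or an unresolvable name, reads as closed.
    """
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def audit(host: str, ports: Dict[int, str], timeout: float = 2.0) -> Dict[int, bool]:
    """Probe every port in `ports` against `host`; return {port: reachable}."""
    return {port: probe(host, port, timeout) for port in ports}


def compare(results: Dict[int, bool], intended: Iterable[int]) -> Tuple[Set[int], Set[int]]:
    """Split an audit into firewall drift.

    Returns (unexpected_open, expected_but_closed): ports reachable although
    policy did not allow them, and ports policy allows that are not reachable.
    """
    intended_set = set(intended)
    reachable = {p for p, ok in results.items() if ok}
    return reachable - intended_set, intended_set - reachable


def self_check() -> Dict[str, bool]:
    """Offline sanity check on loopback: one listening port must read as open,
    one port with no listener must read as closed, and compare() must report
    the listener as drift when policy only allowed the closed port."""
    listener = socket.socket()
    listener.bind(("127.0.0.1", 0))
    listener.listen(1)
    open_port = listener.getsockname()[1]
    spare = socket.socket()
    spare.bind(("127.0.0.1", 0))
    closed_port = spare.getsockname()[1]
    spare.close()  # nothing listens on closed_port any more
    try:
        results = audit("127.0.0.1", {open_port: "listener", closed_port: "none"}, 1.0)
        unexpected, missing = compare(results, intended={closed_port})
        return {
            "open_detected": results[open_port],
            "closed_detected": not results[closed_port],
            "drift_detected": unexpected == {open_port} and missing == {closed_port},
        }
    finally:
        listener.close()


if __name__ == "__main__":
    # Placeholder targets; replace with the real DC and SQL host names.
    for host, ports, allowed in (
        ("dc01.corp.example", AD_MEMBER_TCP_PORTS, {389}),   # firewall rule: LDAP only
        ("sql01.corp.example", SQL_TCP_PORTS, {1433}),        # firewall rule: SQL only
    ):
        results = audit(host, ports)
        for port, ok in sorted(results.items()):
            print(f"{host}:{port:<5} {ports[port]:<28} {'open' if ok else 'closed'}")
        unexpected, missing = compare(results, allowed)
        print(f"  unexpected open: {sorted(unexpected) or 'none'}; "
              f"allowed but closed: {sorted(missing) or 'none'}")
```

Read the "unexpected open" line as the audit of the network admin's "I can control the traffic" claim, and the "allowed but closed" line as the list to hand whoever owns the rule set; a TCP connect only proves the path is open, not that the service behind it is healthy, and the dynamic RPC range is deliberately not probed.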
AD00000928User is Offline

Posts:0

09/09/2005 9:19 AM  
Good luck, Jason. :)

-ASB
On 9/8/05, Jason B wrote:
> Al, Brian and others - thanks!
>
> I wasn't involved in the original plan for setting this extranet up, but
> overheard talk about it and didn't like the plans everyone else was making
> for my AD infrastructure. So I jumped into the fray after all the decisions
> had been made and hardware/software purchased, but better late than never.
> Originally, they wanted it set up with the SP server in the DMZ and ports
> opened to the LAN to "make it work" talking to SQL and AD. The plan had
> them putting extranet users and clients in our internal AD domain and giving
> non-technical employees the ability to add/remove clients from an OU. Bad
> mojo.
>
> I was able to convince them to allow me to set up the SP server as a DC in a
> new forest so as to avoid putting the extranet users in our AD domain. That
> was the "easy" part. Another SQL license is definitely not in the budget,
> so that was an easy decision. Now, I am going to try to convince them to
> move the SP server into the LAN side, close the ports from the DMZ to LAN
> and throw ISA server in the DMZ to serve up the extranet clients. I think I
> can get them to go for it with some doom and gloom scenarios.
>
> Again, thanks for the suggestions and advice.
>
> --Jason
>
> ----- Original Message -----
> From: "Brian Desmond"
> To:
> Sent: Thursday, September 08, 2005 3:14 PM
> Subject: RE: [ActiveDir] Which ports to open in the DMZ to communicate with
> AD & SQL...
>
>
> >I am, perhaps unfortunately, quite familiar with Sharepoint.
> >
> > Your sharepoint server like any other member server can be a member of one
> > domain. If your extranet users are in a domain trusted by the server's
> > domain or another domain in the forest, you can just service them with
> > multiple portals. You can have up to I think its 50 portals per frontend.
> > Of
> > course, I don't really recommend having your extranet accounts in your
> > corp
> > forest...
> >
> > I used to have my sharepoint environment sitting in a "DMZ" subnet. It was
> > hell dealing with the spaghetti mess of ports on the checkpoints. Now we
> > have this special subnet that the WAN people call the AD Load Balanced
> > subnet. It's a class C that sits on the Cisco CSM and SSM modules in a
> > couple of 6509s. The subnet hangs off a PIX FWSM vlan interface, and they
> > have all the ports for domain joined machines open from that subnet to the
> > DCs. It's actually pretty easy. The Windows folks gave the WAN folks a
> > comprehensive list of ports that need to be open for AD, a/v, mgmt, etc,
> > and
> > they made PIX and Checkpoint rules for that subnet. Now when we need to
> > load
> > balance anything domain joined, the servers just go in this subnet, they
> > setup the CSMs, and then the firewall people just have to add additional
> > special rules (like connecting to SQL, for example).
> >
> >
> > Thanks,
> > Brian Desmond
> > brian@xxxxxxxxxxxxxxxx
> >
> > c - 312.731.3132
> >
> >
> >
> > -----Original Message-----
> > From: ActiveDir-owner@xxxxxxxxxxxxxxxxxx
> > [mailto:ActiveDir-owner@xxxxxxxxxxxxxxxxxx] On Behalf Of Jason B
> > Sent: Thursday, September 08, 2005 4:37 PM
> > To: ActiveDir@xxxxxxxxxxxxxxxxxx
> > Subject: Re: [ActiveDir] Which ports to open in the DMZ to communicate
> > with
> > AD & SQL...
> >
> > This has been a GREAT discussion and I have received a lot of useful info.
> > I really appreciate the replies, suggestions, slams and help. I think I am
> > going to revisit trying to have the sharepoint server moved to the LAN and
> > see if I can't convince the powers that be to apportion an ISA license and
> > hardware appropriate for running ISA to put on the DMZ. We already have a
> > sharepoint server on the LAN... I am not too familiar with sharepoint, but
> > I wonder if the existing sharepoint server can handle both the internal and
> > external users... That's a question for another group, I guess.
> >
> > Anyway, I gathered quite a bit from the posts and discussion, but what are
> > the main specific and concrete points that I am going to want to bring up to
> > dissuade them from having the sharepoint server on the DMZ? My expertise
> > isn't in the hardware/networking aspect of configuration, but I know enough
> > that I am not comfortable opening all the ports for AD auth from the DMZ to
> > the LAN. Our network admin didn't think that it was a big deal to open the
> > ports since it was "only on the DMZ" and he could control the traffic that
> > was allowed to the DMZ.
> >
> >
> > ----- Original Message -----
> > From: "Al Mulnick"
> > To:
> > Sent: Wednesday, September 07, 2005 5:04 PM
> > Subject: RE: [ActiveDir] Which ports to open in the DMZ to communicate
> > with
> > AD & SQL...
> >
> >
> > Looks like we have plenty of ideas and opinions ;)
> >
> > ISA is a great way to deal with this, but I believe the decision was made to
> > put the SP machine in the DMZ regardless of the technical merit or
> > viability. And whether or not it is a good idea. That said, ISA doesn't
> > offer much if you put it AND this machine in a semi-trusted network (for
> > whatever that means these days.)
> >
> > Shame there's no leeway though. The downside to using IPSec is that as
> > others have pointed out, it won't work on member server DC for W2K
> > servers (limitation of the OS) but will for 2K3 member servers but that
> > still leaves you with a secure channel from the DMZ host to your internal
> > network. That means you can't monitor the traffic from the DMZ to your
> > internal network because it's encrypted (sounds like a broken record, I
> > know.)
> >
> > Too bad you can't sway the decision makers to do this differently. But
> > hopefully you've received a lot of ideas to pick from.
> >
> > Best of luck,
> > Al
> >
> >
> >
> > ________________________________
> >
> > From: ActiveDir-owner@xxxxxxxxxxxxxxxxxx on behalf of Bernard, Aric
> > Sent: Wed 9/7/2005 7:40 PM
> > To: ActiveDir@xxxxxxxxxxxxxxxxxx
> > Subject: RE: [ActiveDir] Which ports to open in the DMZ to communicate
> > with
> > AD & SQL...
> >
> >
> >
> > I agree with Phil - I think using an ISA (or other reverse proxy solution)
> > is the best way to go given your constraints.
> >
> >
> >
> > Using a reverse proxy solution allows you the following:
> >
> > 1. Keep your Sharepoint server behind the firewall, yet make it accessible to
> > external clients as if it was in the DMZ.
> > 2. Restrict your [additional] holes through the firewall to only that needed
> > by the reverse proxy solution to interact with the Sharepoint server (port
> > 80).
> >
> >
> >
> > BTW - this scenario is becoming extremely common. The next common
> > addition
> > you will see to this will likely be the use of ADFS to provide an identity
> > trust bridge between the internal forest and a partner forest (or other
> > identity system).
> >
> >
> >
> > Regards,
> >
> >
> >
> > Aric Bernard
> >
> >
> >
> > ________________________________
> >
> > From: ActiveDir-owner@xxxxxxxxxxxxxxxxxx
> > [mailto:ActiveDir-owner@xxxxxxxxxxxxxxxxxx] On Behalf Of Phil Renouf
> > Sent: Wednesday, September 07, 2005 9:20 AM
> > To: ActiveDir@xxxxxxxxxxxxxxxxxx
> > Subject: Re: [ActiveDir] Which ports to open in the DMZ to communicate
> > with
> > AD & SQL...
> >
> >
> >
> > I would look at putting the Sharepoint server on the internal network and
> > deploy an ISA server in the DMZ and use Web Publishing or Server Publishing
> > to get your external clients access to the site. If you want to open access
> > from the DMZ to your AD Forest your firewall will be swiss cheese from all
> > the ports that need to be open.
> >
> >
> >
> > If you absolutely HAVE to then I would prefer to look at using IPSec for
> > communication between the Sharepoint box and your DC's. That leaves you only
> > needing the IPSec port open and not the very large number of ports to
> > support AD communication.
> >
> >
> >
> > http://support.microsoft.com/kb/q179442/
> >
> >
> > Phil
> >
> >
> > On 9/7/05, Jason B wrote:
> >
> > Because this will be a sharepoint server for clients. Regardless, that
> > decision has already been made and I don't have any input into it.
> > Any info on the ports I'd need open?
> >
> > ----- Original Message -----
> > From: "ASB"
> > To:
> > Sent: Wednesday, September 07, 2005 8:45 AM
> > Subject: Re: [ActiveDir] Which ports to open in the DMZ to communicate
> > with
> > AD & SQL...
> >
> >
> > Why did you decide to put it in the DMZ?
> >
> > -ASB
> >
> > On 9/7/05, Jason B wrote:
> >> We are putting a MS sharepoint server in the DMZ and need to have it on
> >> the
> >> domain and communicating with a SQL server on the domain. Because of
> >> these
> >> needs, we only want to open the minimum number of ports to get
> >> functionality. We have LDAP (389) opened and SQL (1433) opened. What
> >> other
> >> ports will we need to open to be able to log in on the sharepoint server
> >> with a domain account? Currently, with only these two ports opened, a
> >> domain account can't log on to the sharepoint server in the DMZ.
List info : http://www.activedir.org/List.aspx
List FAQ : http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
Alm@xxxx.yyy

09/10/2005 2:44 AM  
________________________________

From: ActiveDir-owner@xxxxxxxxxxxxxxxxxx on behalf of Bernard, Aric
Sent: Sat 9/10/2005 1:40 AM
To: ActiveDir@xxxxxxxxxxxxxxxxxx
Subject: RE: [ActiveDir] Which ports to open in the DMZ to communicate with AD & SQL...

I say tomato... Is there really such a thing as a trusted network? We should all probably be thinking no since such a large number of malicious attacks come from within.



Regardless, the more layers you have in place the harder it is - err- should be to penetrate the internal network.



Your point is well taken, yet there is a trade off between security, cost, and usability. The balance is different for each organization.



In Jason's case it sounds like he has got enough work ahead of him just getting funding for an ISA server let alone a secondary or tertiary DMZ/semi-trusted network/extranet/callitwhatyouwill layered network.





Aric





________________________________

From: ActiveDir-owner@xxxxxxxxxxxxxxxxxx [mailto:ActiveDir-owner@xxxxxxxxxxxxxxxxxx] On Behalf Of Roger Seielstad
Sent: Friday, September 09, 2005 8:40 PM
To: ActiveDir@xxxxxxxxxxxxxxxxxx
Subject: RE: [ActiveDir] Which ports to open in the DMZ to communicate with AD & SQL...



> Again to clarify, the ISA server often (but not always) resides in the semi-trusted network while the SharePoint server should always reside on a fully-trusted network.



Actually - you really should look at that differently. It should read:



ISA server should reside in the semi-trusted network while the SharePoint server should reside on a more trusted network.



Many people seem to think they should only have 3 classes of networks - Untrusted (i.e. the big I), Semi-trusted (DMZ) and fully trusted (internal). I think it's fairly trivial and significantly safer to layer services like this, mail relays, and other servers which make outbound calls to the 'Net into what I would describe as an internal DMZ. Yes, it's more trusted, but you can still ACL off and obscure the internal workings of your network.

--------
Roger Seielstad
E-mail Geek





________________________________

From: ActiveDir-owner@xxxxxxxxxxxxxxxxxx [mailto:ActiveDir-owner@xxxxxxxxxxxxxxxxxx] On Behalf Of Bernard, Aric
Sent: Wednesday, September 07, 2005 5:26 PM
To: ActiveDir@xxxxxxxxxxxxxxxxxx
Subject: RE: [ActiveDir] Which ports to open in the DMZ to communicate with AD & SQL...

I should make sure I was clear - in no way did I encourage the placement of ISA AND the SharePoint server onto the semi-trusted (DMZ) network. Again to clarify, the ISA server often (but not always) resides in the semi-trusted network while the SharePoint server should always reside on a fully-trusted network. The key benefit here is that the only required configuration through the firewall to the internal network is the web ports (i.e. 80, 443) necessary to allow proper communication between the ISA server and the SharePoint server. If the ISA server were compromised, however unlikely, the only path through the firewall to the internal network would be via the web ports to the SharePoint server.



Another problem with the IPSec solution is that if your SharePoint server in the DMZ is compromised (it is running IIS ;-) the IPSec path it has through to the internal network will be compromised as well. Of course this will then allow a potential hacker to ride the IPSec tunnel straight to all of the systems/ports (i.e. 88, 123, 389, 3268, 3269, and [god forbid] 135 and 445) you have configured the SharePoint server to communicate with on the internal LAN. BTW I think you can configure IPSec to work between clients/member servers and DCs so long as the correct exceptions are in place or as long as you use certificates (which would be the best approach if using it in the DMZ).





BTW, Jason, never say never. With enough good arguments and still meeting the stated requirements you can certainly change people's opinions...




Aric



List info : http://www.activedir.org/List.aspx
List FAQ : http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
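Aric's warning above (a compromised SharePoint box can ride its IPSec tunnel straight to whichever DC ports the rules allow) and Al's point that the perimeter firewall cannot see inside that tunnel together say where to watch: on the domain controller itself, where the traffic is in the clear. The following is an added example, not code from the thread, that audits Windows Firewall log lines (the `#Fields:` text format the service writes to pfirewall.log) for a DMZ host that connects beyond the ports it was granted or gets dropped while probing. The DMZ subnet, the baseline port set, the sample log lines and the `audit_dc_log` / `parse_entries` names are constructed for this example.

```python
import ipaddress
from typing import Dict, Iterable, List, Set, Tuple

# Constructed: the DMZ subnet the SharePoint server lives in, and the ports it
# was granted on the DCs.  135 and 445 are deliberately left out, as the
# thread suggests, so any SMB or RPC attempt from the DMZ is worth a look.
DMZ_SUBNET = ipaddress.ip_network("192.168.50.0/24")
BASELINE: Set[Tuple[str, int]] = {
    ("udp", 53), ("tcp", 53), ("udp", 88), ("tcp", 88), ("udp", 123),
    ("udp", 389), ("tcp", 389), ("tcp", 3268),
}

# Constructed sample of a DC's pfirewall.log; the first three lines are the
# header the firewall writes itself, and the column names come from #Fields.
SAMPLE_LOG = """\
#Version: 1.5
#Software: Microsoft Windows Firewall
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path
2005-09-08 10:12:01 OPEN TCP 192.168.50.10 10.0.0.5 3512 88 - - - - - - - - RECEIVE
2005-09-08 10:12:01 OPEN UDP 192.168.50.10 10.0.0.5 3513 389 - - - - - - - - RECEIVE
2005-09-08 10:12:02 CLOSE TCP 192.168.50.10 10.0.0.5 3512 88 - - - - - - - - RECEIVE
2005-09-08 10:12:09 OPEN TCP 192.168.50.10 10.0.0.5 3520 445 - - - - - - - - RECEIVE
2005-09-08 10:13:44 DROP TCP 192.168.50.10 10.0.0.5 3530 3389 - - - - - - - - RECEIVE
2005-09-08 10:14:01 OPEN TCP 10.0.0.22 10.0.0.5 1100 445 - - - - - - - - RECEIVE
"""


def parse_entries(lines: Iterable[str]) -> List[Dict[str, str]]:
    """Turn log lines into dicts keyed by the names in the #Fields header;
    comment lines and rows with the wrong column count are skipped."""
    fields: List[str] = []
    entries: List[Dict[str, str]] = []
    for line in lines:
        line = line.rstrip("\n")
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#"):
            continue
        values = line.split()
        if fields and len(values) == len(fields):
            entries.append(dict(zip(fields, values)))
    return entries


def audit_dc_log(lines: Iterable[str],
                 dmz_subnet: ipaddress.IPv4Network = DMZ_SUBNET,
                 baseline: Set[Tuple[str, int]] = BASELINE) -> List[Dict[str, object]]:
    """Findings for connections from the DMZ that were either dropped (a probe
    the tunnel carried all the way to the DC) or allowed on a port outside the
    baseline (the live rule set is wider than the design says it should be)."""
    findings: List[Dict[str, object]] = []
    for e in parse_entries(lines):
        action = e["action"].upper()
        if action not in ("OPEN", "ALLOW", "DROP"):
            continue                      # CLOSE / INFO-EVENTS-LOST: no new connection
        try:
            src = ipaddress.ip_address(e["src-ip"])
            dport = int(e["dst-port"])
        except ValueError:
            continue                      # ICMP and malformed rows carry "-" ports
        if src not in dmz_subnet:
            continue                      # internal clients are out of scope here
        proto = e["protocol"].lower()
        if action == "DROP":
            reason = "blocked"
        elif (proto, dport) not in baseline:
            reason = "outside baseline"
        else:
            continue                      # expected DMZ->DC traffic
        findings.append({"when": f'{e["date"]} {e["time"]}', "src": str(src),
                         "dst": e["dst-ip"], "proto": proto, "dport": dport,
                         "reason": reason})
    return findings


if __name__ == "__main__":
    for f in audit_dc_log(SAMPLE_LOG.splitlines()):
        print(f'{f["when"]} {f["src"]} -> {f["dst"]} {f["proto"]}/{f["dport"]}: {f["reason"]}')
```

On the constructed sample this flags the SMB connection on 445 (allowed by the host but not in the agreed baseline) and the dropped 3389 attempt; the internal client on 10.0.0.22 is ignored because the check is scoped to the DMZ subnet. The same two checks are what you would wire into a log collector, with one baseline per DMZ host rather than a single shared set.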



AD00000900User is Offline

Posts:0

09/10/2005 3:29 AM  
Last time I checked, you needed about 12-14 ports open to authenticate
against a domain.

It would make significantly more sense to put a proxy outside your firewall
and keep sharepoint inside.
--------
Roger Seielstad
E-mail Geek
-----Original Message-----
From: ActiveDir-owner@xxxxxxxxxxxxxxxxxx
[mailto:ActiveDir-owner@xxxxxxxxxxxxxxxxxx] On Behalf Of Jason B
Sent: Wednesday, September 07, 2005 8:21 AM
To: ActiveDir@xxxxxxxxxxxxxxxxxx
Subject: [ActiveDir] Which ports to open in the DMZ to communicate with AD &
SQL...

We are putting a MS sharepoint server in the DMZ and need to have it on the
domain and communicating with a SQL server on the domain. Because of these
needs, we only want to open the minimum number of ports to get
functionality. We have LDAP (389) opened and SQL (1433) opened. What other
ports will we need to open to be able to log in on the sharepoint server
with a domain account? Currently, with only these two ports opened, a
domain account can't log on to the sharepoint server in the DMZ.

Any help is MUCH appreciated.

List info : http://www.activedir.org/List.aspx
List FAQ : http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
AD00000900User is Offline

Posts:0

09/10/2005 3:39 AM  
> Again to clarify, the ISA server often (but not always) resides in the
> semi-trusted network while the SharePoint server should always reside on a
> fully-trusted network.

Actually - you really should look at that differently. It should read:

ISA server should reside in the semi-trusted network while the SharePoint
server should reside on a more trusted network.

Many people seem to think they should only have 3 classes of networks - Untrusted
(i.e. the big I), Semi-trusted (DMZ) and fully trusted (internal). I think it's
fairly trivial and significantly safer to layer services like this, mail relays,
and other servers which make outbound calls to the 'Net into what I would
describe as an internal DMZ. Yes, it's more trusted, but you can still ACL off
and obscure the internal workings of your network.
--------
Roger Seielstad
E-mail Geek

List info : http://www.activedir.org/List.aspx
List FAQ : http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
aricbernardUser is Offline

Posts:4

09/10/2005 5:43 AM  
I say tomato... Is there really such a thing as a trusted network? We should
all probably be thinking no since such a large number of malicious attacks come
from within.

Regardless, the more layers you have in place the harder it is - err - should
be to penetrate the internal network.

Your point is well taken, yet there is a trade off between security, cost, and
usability. The balance is different for each organization.

In Jason's case it sounds like he has got enough work ahead of him just getting
funding for an ISA server let alone a secondary or tertiary DMZ/semi-trusted
network/extranet/callitwhatyouwill layered network.





Aric





List info   : http://www.activedir.org/List.aspx

List FAQ    : http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
Copyright 2009 ActiveDir.org