
Server in DMZ joining to Domain


fzx5v0 (IS-IT--Management), Jan 13, 2003
Hi
I have a server in the DMZ and I have these firewall ports to open to join it to the domain. Can you advise if the traffic has to go in both directions, i.e. do I open the port from server to AD controller and from AD controller to server?

thanks


DNS (53/tcp and 53/udp)
Kerberos-Adm (UDP) (749/udp)
Kerberos-Sec (TCP) (88/tcp)
Kerberos-Sec (UDP) (88/udp)
LDAP (389/tcp)
LDAP UDP (389/udp)
LDAP GC (Global Catalog) (3268/tcp)
Microsoft CIFS (TCP) (445/tcp)
Microsoft CIFS (UDP) (445/udp)
NTP (UDP) (123/udp)
PING (ICMP Type 8)
RPC Endpoint Mapper (135/tcp)
RPC Dynamic Ports (5000-5100/tcp)




Easyinkz Printer cartridges
 
There are so many ports that have to be opened for Kerberos and authentication, having the server on the DMZ is worthless.

The whole point of the DMZ is having those public-facing services you need your Internet users to access available, but protecting your private LAN from access or attack should there be a breach on that DMZ'd machine.

With your scenario, should they gain access to your server in the DMZ, they now have access to your private LAN anyway, so just put your server on your private LAN and make it easy on yourself (not really recommending this, just stressing a point).

What application or scenario are you running into that dictates having this server joined to your domain?
 
If the ports are opened correctly and in the right direction only, then they won't have access to your LAN. Though I wouldn't put a DC in the same DMZ as a web or FTP server. Also ensure that AV software is up to date and install an IPS system as well.

-------------------------------

If it doesn't leak oil it must be empty!!
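The "right direction only" rule set described in the reply above, as an added example that is not part of the thread: new connections are allowed only from the DMZ member to the internal DC on the ports listed in the original question, and the DC's replies come back through connection tracking rather than through a second set of open ports. The addresses and table name are constructed for the example.

```python
"""Stateful one-direction policy for a DMZ member server talking to an internal DC.

Added example, not from the thread. Addresses are constructed; the port list is
the one in the original question. Output is an nftables forward chain.
"""
DMZ_MEMBER = "192.0.2.10"   # constructed: server sitting in the DMZ
INTERNAL_DC = "10.0.0.5"    # constructed: AD domain controller on the LAN

# (protocol, port spec) exactly as listed in the original question
DC_SERVICES = [
    ("tcp", "53"), ("udp", "53"),        # DNS
    ("udp", "749"),                      # Kerberos-Adm
    ("tcp", "88"), ("udp", "88"),        # Kerberos-Sec
    ("tcp", "389"), ("udp", "389"),      # LDAP
    ("tcp", "3268"),                     # LDAP Global Catalog
    ("tcp", "445"), ("udp", "445"),      # Microsoft CIFS
    ("udp", "123"),                      # NTP
    ("tcp", "135"),                      # RPC endpoint mapper
    ("tcp", "5000-5100"),                # restricted RPC dynamic range
]

def nft_ruleset() -> str:
    """Render the forward chain: member initiates, DC replies via conntrack, all else dropped."""
    lines = ["table inet dmz_to_dc {",
             "  chain forward {",
             "    type filter hook forward priority 0; policy drop;",
             "    ct state established,related accept",   # return traffic, both directions
             "    ct state invalid drop"]
    for proto, ports in DC_SERVICES:
        lines.append(f"    ip saddr {DMZ_MEMBER} ip daddr {INTERNAL_DC} "
                     f"{proto} dport {ports} ct state new accept")
    lines.append(f"    ip saddr {DMZ_MEMBER} ip daddr {INTERNAL_DC} icmp type echo-request accept")
    lines += ["  }", "}"]
    return "\n".join(lines)

def _port_in(spec: str, port: int) -> bool:
    lo, _, hi = spec.partition("-")
    return int(lo) <= port <= int(hi or lo)

def new_flow_allowed(src: str, dst: str, proto: str, dport: int) -> bool:
    """Model the policy for a NEW connection; replies are covered by conntrack, not by rules."""
    if (src, dst) != (DMZ_MEMBER, INTERNAL_DC):
        return False   # the DC never initiates toward the DMZ, and nothing else may either
    return any(p == proto and _port_in(spec, dport) for p, spec in DC_SERVICES)

if __name__ == "__main__":
    print(nft_ruleset())
```

A DC-initiated connection to the DMZ host (or a DMZ host reaching any other LAN address) never matches a `ct state new` rule, so a compromised DMZ server gets the DC's listed services and nothing more.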
 
What's the purpose of putting a domain-joined machine in the DMZ? If it's for some web application, your approach should be to put the app server in your production network and publish it through something like TMG or ISA.

Pat Richard MVP
Plan for performance, and capacity takes care of itself. Plan for capacity, and suffer poor performance.
 
Hi
The server is for ISA, and to use the advanced features like certificate-based authentication it has to be a domain member.

thanks

Easyinkz Printer cartridges
 
The ISA box should have 2 NICs, one in the DMZ and one in internal.

The external NIC only has listeners on it for HTTP/S traffic, so the rules are pretty straightforward.

 