
Windows 2003 SBS - Domain Controller in DMZ


weweber3 (MIS), Mar 4, 2004
The situation is this... we have another company that is moving into our new office with us. They have a server that is running an application that needs to be accessed from the outside world as well as from the office (they will be on our network, share IP addresses and the T1 line, but not use our domain or access any servers in our domain). For the next couple of weeks they will be using PCAnywhere to access this server and will be moving to (from what I understand) a Terminal Server situation. My biggest concern is the fact that I want an absolutely, no doubt about it "closed door" DMZ. Meaning that servers in the DMZ have zero ability to gain access to the trusted network; this is a very big concern.

With all that said, can the Domain Controller for this company sit in the DMZ and users will still be able to authenticate to the server?

Problems with this, concerns, security?

Thank you in advance!
bweber@xteric.com
 
I want to allow...
users --> DC in DMZ

I want to deny...
DC in DMZ --> users

I do not want to allow ANYTHING in the DMZ to be able to establish a connection to a machine in the trusted network. But allow machines in the trusted network to establish a connection to machines in the DMZ.

This is supposed to be how a DMZ works, but the Domain Controller throws a wrench in the works.
 
G'day, I already replied to this, not sure what happened though.
The gist of what I said was to have the other company's server in your DMZ. As it is in the DMZ, there is no reason why it should communicate with the internal network - in fact you could block all incoming communication to your internal network from the DMZ if you haven't done so already.
The server sitting in the DMZ, if set up with RRAS and DHCP, should be able to authenticate domain users from outside. This can be done via VPN. You need to open 3 ports (depending on VPN type) approximately in your external router to point all VPN traffic to the server in the DMZ.

If your company is using VPN, this needs to be slightly modified as you would have to set up a customised port to be used for VPN for the new company.

Basically, with their server in the DMZ and using VPN, you should be able to get all you need done.




Claudius (What certifications??)
 
I would actually want to authenticate users from the INSIDE, I do not need to authenticate (login) to the domain from the outside world, although I will explore the VPN option.

__________________________________________________
Trusted Network | DMZ
|
|
PC-----login to domain---->| Domain Controller
__________________________________________________

Would this work?
 
Actually, if you have a firewall between your internal network and DMZ, you just need to specify a range of addresses that can send and receive authentication/VPN protocols. This means you need to give the other company, say, addresses 200-250 for example, and the firewall only allows these IP addresses to talk to the server in the DMZ. To control this even further for security, you can reserve IP addresses in DHCP for all the machines from the other company and specify to only allow those IP addresses in the firewall to talk to the DMZ.

VPN is a nice option in that it includes authentication and the communication is encrypted in the tunnel. Your firewall takes care of the traffic in terms of who can access each side. Your company traffic in this scenario is not talking in any form to the DMZ.

Claudius (What certifications??)
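The rule set Claudius describes (only the other company's reserved address range may open connections to the DC in the DMZ, on authentication ports only; replies come back through connection tracking; the DMZ can never initiate anything towards the trusted LAN), written out as a small stateful firewall model. This is an added example, not code from the thread; the subnets, the DC address and the Active Directory port list are assumptions chosen for illustration.

```python
import ipaddress
from dataclasses import dataclass

# Assumed addressing: trusted LAN, DMZ, and the other company's DC inside the DMZ.
TRUSTED = ipaddress.ip_network("192.168.1.0/24")
DMZ = ipaddress.ip_network("192.168.2.0/24")
DC = ipaddress.ip_address("192.168.2.10")
# Reserved DHCP range for the other company's PCs (hosts .200-.250 as in the thread).
TENANT = {ipaddress.ip_address(f"192.168.1.{h}") for h in range(200, 251)}
# Assumed AD logon ports: DNS, Kerberos, RPC endpoint mapper, LDAP, SMB.
AUTH_PORTS = {53, 88, 135, 389, 445}


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int
    syn: bool  # True for the first packet of a new TCP connection


class StatefulFirewall:
    """Decides ALLOW/DROP for packets crossing the trusted<->DMZ boundary."""

    def __init__(self):
        # Established flows as (client, client_port, server, server_port).
        self.conntrack = set()

    def decide(self, p: Packet) -> str:
        src, dst = ipaddress.ip_address(p.src), ipaddress.ip_address(p.dst)
        # 1. Packets belonging to a flow that the trusted side opened pass in
        #    both directions; this is the only way DMZ -> trusted traffic gets out.
        if (src, p.sport, dst, p.dport) in self.conntrack:
            return "ALLOW(established)"
        if (dst, p.dport, src, p.sport) in self.conntrack:
            return "ALLOW(reply)"
        # 2. New connections only from the reserved tenant range to the DC's auth ports.
        if p.syn and src in TENANT and dst == DC and p.dport in AUTH_PORTS:
            self.conntrack.add((src, p.sport, dst, p.dport))
            return "ALLOW(new)"
        # 3. Default deny: covers everything DMZ-initiated and any other LAN host.
        return "DROP"


def run_policy(packets):
    """Evaluate a packet sequence in order, returning the decision for each."""
    fw = StatefulFirewall()
    return [fw.decide(p) for p in packets]
```

A DC-initiated SYN towards the trusted LAN is dropped even while a tenant PC holds an open Kerberos session, which is the "closed door" property the original poster asked for.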
 