• RSS
  • Twitter
  • FaceBook

Welcome to ISAserver.org

Forums | Register | Login | My Profile | Inbox | RSS RSS icon | My Subscription | My Forums | Address Book | Member List | Search | FAQ | Ticket List | Log Out

Need to join domain on web server at DMZ

Users viewing this topic: none

Logged in as: Guest
  Printable Version
All Forums >> [ISA Server 2004 Firewall] >> DMZ >> Need to join domain on web server at DMZ Page: [1]
Login
Message << Older Topic   Newer Topic >>
Need to join domain on web server at DMZ - 16.Mar.2010 10:10:08 PM   
reybean

 

Posts: 8
Joined: 2.Mar.2010
Status: offline 		hello,

I would like to try on configuring Web Server on perimeter network to join domain in my internal network.


DMZ network - 172.16.0.0 255.255.255.0

Internal network - 10.0.0.0 255.255.255.0

External network - 192.168.1.0 255.255.255.0


Internal and External network is working fine.

Web-Server DMZ's ip address is 172.16.0.2 and gateway is 172.16.0.1 (isa dmz nic) and Dns point to internal which 10.0.0.2


DC-Server is my domain controller and also DNS which IP address is 10.0.0.2


My Problem: I cannot join domain the web-server DMZ to DC-Server


please help me.
Post #: 1
RE: Need to join domain on web server at DMZ - 17.Mar.2010 7:38:15 AM   
SteveMoffat

 

Posts: 1130
Joined: 29.Jun.2001
From: Hamilton, Bermuda
Status: offline 		Don't be silly.

_____________________________

Thanks
Steve

ISA 2006 Book! - http://tinyurl.com/2gpoo8
TMG Bible - http://tinyurl.com/ykv85hr
www.isaserver.bm

The built in ISA help is likely the most comprehensive help built into an application anywhere. USE it!!! Search it!!! RTFM

(in reply to reybean)
Post #: 2
RE: Need to join domain on web server at DMZ - 17.Mar.2010 8:43:17 AM   
Jason Jones

 

Posts: 4663
Joined: 30.Jul.2002
From: United Kingdom
Status: offline
quote:

ORIGINAL: reybean

hello,

I would like to try on configuring Web Server on perimeter network to join domain in my internal network.


DMZ network - 172.16.0.0 255.255.255.0

Internal network - 10.0.0.0 255.255.255.0

External network - 192.168.1.0 255.255.255.0


Internal and External network is working fine.

Web-Server DMZ's ip address is 172.16.0.2 and gateway is 172.16.0.1 (isa dmz nic) and Dns point to internal which 10.0.0.2


DC-Server is my domain controller and also DNS which IP address is 10.0.0.2


My Problem: I cannot join domain the web-server DMZ to DC-Server


please help me.


Is this an ISA DMZ?

Are you pre-authenticating access to the Web server using ISA?

This may be worth a look if the above answers are YES:

http://www.isaserver.org/articles/2004multidmzp1.html

Cheers

JJ

_____________________________

Jason Jones | Forefront MVP | Silversands Ltd
My Blogs: http://blog.msedge.org.uk/ and http://blog.msfirewall.org.uk/

(in reply to reybean)
Post #: 3
RE: Need to join domain on web server at DMZ - 17.Mar.2010 4:47:16 PM   
pwindell

 

Posts: 2228
Joined: 12.Apr.2004
From: Taylorville, IL
Status: offline 		I kinda like the "don't be silly" answer myself   :-)

_____________________________

Phillip Windell

(in reply to Jason Jones)
Post #: 4
RE: Need to join domain on web server at DMZ - 17.Mar.2010 7:01:55 PM   
Jason Jones

 

Posts: 4663
Joined: 30.Jul.2002
From: United Kingdom
Status: offline 		That's becuase you boys don't know your layer 7 DMZ's from your elbows

_____________________________

Jason Jones | Forefront MVP | Silversands Ltd
My Blogs: http://blog.msedge.org.uk/ and http://blog.msfirewall.org.uk/

(in reply to pwindell)
Post #: 5
RE: Need to join domain on web server at DMZ - 17.Mar.2010 9:10:23 PM   
reybean

 

Posts: 8
Joined: 2.Mar.2010
Status: offline 		to stevemoffat,
"Don't be silly".... what do you mean? We are learning here.....

(in reply to Jason Jones)
Post #: 6
RE: Need to join domain on web server at DMZ - 18.Mar.2010 8:43:54 AM   
SteveMoffat

 

Posts: 1130
Joined: 29.Jun.2001
From: Hamilton, Bermuda
Status: offline 		Put it in the domain, not a DMZ......

_____________________________

Thanks
Steve

ISA 2006 Book! - http://tinyurl.com/2gpoo8
TMG Bible - http://tinyurl.com/ykv85hr
www.isaserver.bm

The built in ISA help is likely the most comprehensive help built into an application anywhere. USE it!!! Search it!!! RTFM

(in reply to reybean)
Post #: 7
RE: Need to join domain on web server at DMZ - 18.Mar.2010 9:10:58 AM   
pwindell

 

Posts: 2228
Joined: 12.Apr.2004
From: Taylorville, IL
Status: offline 		That's becuase you boys don't know your layer 7 DMZ's from your elbows

Oh,...now,...Jason....

"Don't be silly".... what do you mean? We are learning here.....

By the time you allow what you need for the thing to be a Domain Member from the DMZ,...you hardly have any DMZ left,...you've just already allowed all the important stuff that the DMZ is trying to prevent in the first place.

_____________________________

Phillip Windell

(in reply to Jason Jones)
Post #: 8
RE: Need to join domain on web server at DMZ - 18.Mar.2010 9:21:37 AM   
Jason Jones

 

Posts: 4663
Joined: 30.Jul.2002
From: United Kingdom
Status: offline 		Sorry, you know I like a bit of fun

Depends on your definition of DMZ; hence why perimeter network is a better name. To me, you have trusted and untrusted perimeter networks as they just represent different security zones for different services.

Domain members in a 'trusted perimeter' network is fine by me, assuming you protect this network with something that understands the application protocols involved and add host protection too...being able to pre-auth connections and use web publishing with ISA is a good example of when a perimeter network becomes "more trusted"...YMMV and probably does

Cheers

JJ 

_____________________________

Jason Jones | Forefront MVP | Silversands Ltd
My Blogs: http://blog.msedge.org.uk/ and http://blog.msfirewall.org.uk/

(in reply to pwindell)
Post #: 9
RE: Need to join domain on web server at DMZ - 18.Mar.2010 11:21:50 AM   
adimcev

 

Posts: 380
Joined: 19.Oct.2008
Status: offline 		In a pivot attack, if the attacker gets remote code execution on that server at an "adequate level", for example, it can easily ARP mitm your "domain traffic"(whatever "domain" means) without the perimeter in place, unless your switches are smart enough and configured appropriatelly or some other anti-ARP mitm measures are in place.
With the perimeter in place, it may need to use a double pivot attack to get where it wants to, and even so it may not get where it wants. As Jason said, YMMV...

Thanks,
Adrian

_____________________________

Blog: http://www.carbonwind.net/blog

Get Our ISA 2006 Book!: http://tinyurl.com/2gpoo8

(in reply to Jason Jones)
Post #: 10
RE: Need to join domain on web server at DMZ - 18.Mar.2010 9:02:53 PM   
aliyanisabrey

 

Posts: 99
Joined: 12.Feb.2009
Status: offline 		Jason,

we have a 2 DMZ. one is for server that in workgroup such as web server and another DMZ is for server that in a domain member such as Frontend exchange.

for me, I also feel like my web server in workgroup is less secure.

do I have to move to DMZ which is in a domain member.

_____________________________

Aliyani Sabrey

MCSE+Security, MCSA+Security, ISA Server 2004 & 2006

(in reply to adimcev)
Post #: 11
RE: Need to join domain on web server at DMZ - 19.Mar.2010 4:40:43 AM   
Jason Jones

 

Posts: 4663
Joined: 30.Jul.2002
From: United Kingdom
Status: offline 		No, a model using two different types of DMZs is good IMHO. Not all DMZ members need to be domain members; with both types of DMZs you then have a choice of which to use...

_____________________________

Jason Jones | Forefront MVP | Silversands Ltd
My Blogs: http://blog.msedge.org.uk/ and http://blog.msfirewall.org.uk/

(in reply to aliyanisabrey)
Post #: 12
RE: Need to join domain on web server at DMZ - 19.Mar.2010 7:01:08 AM   
aliyanisabrey

 

Posts: 99
Joined: 12.Feb.2009
Status: offline 		ooo..ok.. that's much helpful explanation.. thanks..

(in reply to Jason Jones)
Post #: 13
RE: Need to join domain on web server at DMZ - 19.Mar.2010 8:38:37 AM   
reybean

 

Posts: 8
Joined: 2.Mar.2010
Status: offline 		thanks for all of your reply...

anyone knows how to join domain my server (webserver) which is at DMZ?

if you have any tutorials to do this, please let me know..


thanks..

(in reply to reybean)
Post #: 14
RE: Need to join domain on web server at DMZ - 20.Mar.2010 4:18:17 AM   
aliyanisabrey

 

Posts: 99
Joined: 12.Feb.2009
Status: offline 		reybean,

you need to read a lot of articles in this website. here is the article for intradomain.

http://www.isaserver.org/articles/2004perimeterdomain.html

_____________________________

Aliyani Sabrey

MCSE+Security, MCSA+Security, ISA Server 2004 & 2006

(in reply to reybean)
Post #: 15

Page:   [1] << Older Topic    Newer Topic >>
All Forums >> [ISA Server 2004 Firewall] >> DMZ >> Need to join domain on web server at DMZ Page: [1]
Jump to:

New Messages No New Messages
Hot Topic w/ New Messages Hot Topic w/o New Messages
Locked w/ New Messages Locked w/o New Messages
 Post New Thread
 Reply to Message
 Post New Poll
 Submit Vote
 Delete My Own Post
 Delete My Own Thread
 Rate Posts