Justified Geek (Guest)
Posted: Tue Jan 25, 2005 12:47 am
Post subject: Ports to open for a one-way trust
We are configured in a three-tier network.

The first tier is the demilitarized zone (or DMZ), where machines from the internet can access the resources. (This is commonly referred to as the exposed network.)

The second tier (behind a firewall) is the "private net", which contains resources available to the servers in the DMZ network, but the resources are not directly available to machines on the internet. Data which resides here, or is available through here, would have to be presented by the servers in the DMZ to machines on the internet.

The third tier (behind another firewall) is the subnets in our corporate intranet. Machines in the first tier or on the internet are not allowed to initiate connections through this firewall, and only specific ports are available from specific machines on the second tier to initiate connections.

The machines on the first and second tiers currently use local authentication. The machines on the corporate intranet authenticate to a native Windows 2003 Active Directory domain/forest.

We wish to place a separate Windows 2003 Active Directory domain/forest in the first and second tiers (with the domain controllers located in the second tier), and establish a one-way trust with our corporate forest. This way staff authenticated in the corporate domain can be assigned rights to resources in the new "internet" domain, and we can reduce the administrative overhead of maintaining local security accounts and rights.

What I need to know is: What is the MINIMUM set of TCP and UDP port connections which need to be assigned on the firewall as being allowed to be established from the domain controllers in the second tier "private net" through the firewall to our corporate intranet domain controllers in order to establish and use this one-way trust? And, can any of those be closed once the trust is established?

--
Thank you,
GLYASDI,
Paul
Steven L Umbach (Guest)
Posted: Tue Jan 25, 2005 1:47 am
Post subject: Re: Ports to open for a one-way trust
See the link below to a great article on how to do this. Pay particular attention to the part on "dynamic" RPC and how to configure it and the firewall for best security. FYI, you may also want to consider using Remote Desktop to manage the DMZ computers, in which case you will need to open only port 3389 TCP in the firewall; or, depending on your firewall capabilities, you may just want to create IPsec endpoints to tunnel between the networks. --- Steve

http://www.microsoft.com/serviceproviders/columns/config_ipsec_P63623.asp
Justified Geek (Guest)
Posted: Tue Jan 25, 2005 4:35 am
Post subject: Re: Ports to open for a one-way trust
That was a great article (I had read it before), but it addressed full-blown replication...

What I'm looking to do is limit the amount of information kept in the "private net" tier's domain controllers to a minimum, and provide trusted Kerberos authentication, without having to unnecessarily constrain (and complicate) my internal domain controllers' methods of replication.

Look at it as if the DMZ forest were an associate's domain on an "extranet", which wanted to provide us authenticated access to their company's servers. I have yet to come across an article on that specific scenario, and its implications in regard to the firewall rules.

Even so, thank you for the response; I can see where the information has relevance.

Paul
Steven L Umbach (Guest)
Posted: Tue Jan 25, 2005 6:11 am
Post subject: Re: Ports to open for a one-way trust
OK. Based on your description of using Windows 2003 domains, you probably can get away with using RPC, CIFS/445 TCP, LDAP, global catalog LDAP, and Kerberos. NTP would only be needed if domains are in the same forest. You could start with that and then check your firewall logs for dropped traffic between domains if problems ensue. I forgot to answer your question about closing the firewall after the trust has been established, and the answer to that is no. --- Steve
Justified Geek (Guest)
Posted: Wed Jan 26, 2005 12:35 am
Post subject: Re: Ports to open for a one-way trust
Thank you Steven, we'll give that a shot.

Paul

P.S. (If anyone has seen a definitive article, from Microsoft or anyone else, on setting up a one-way trust through a firewall, I'd love to read it.)
(O.K. Maybe I'm a bit obsessive, but I searched hard, and if I missed it, I'd like to figure out why! ;-)
Steven L Umbach (Guest)
Posted: Wed Jan 26, 2005 1:01 am
Post subject: Re: Ports to open for a one-way trust
OK. Here is the Microsoft KB article you requested, and I think it jibes with what I suggested. Note that since you are not using downlevel trusts, the NetBIOS/WINS-related ports should not be needed. It would not matter whether the trust is one-way or two-way as far as firewall rules go. Be sure to take DNS name resolution into account between the forests. Conditional forwarding should work fine between the domains. Good luck. --- Steve

http://support.microsoft.com/default.aspx?scid=kb%3Ben-us%3B179442
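Steve's two replies above suggest starting with RPC, CIFS/445, LDAP, global catalog LDAP, Kerberos and DNS, skipping the NetBIOS/WINS ports, and then reading the firewall's drop log when the trust misbehaves. The script below is an added example (not from the thread or from Microsoft's KB article) that does that triage: it maps dropped DMZ-DC-to-corporate-DC traffic onto the trust's service set. It assumes the well-known port numbers (DNS 53, Kerberos 88, RPC endpoint mapper 135, LDAP 389, SMB/CIFS 445, global catalog 3268), the Windows 2003 default dynamic RPC range of 1025-5000, and a constructed key=value log format and RFC 5737 addresses.

```python
"""Triage dropped firewall traffic between the "private net" DCs and the
corporate DCs against the services a Windows 2003 trust needs.

Added example (not from the thread). Ports are the well-known assignments
(DNS 53, Kerberos 88, RPC endpoint mapper 135, LDAP 389, SMB/CIFS 445,
global catalog LDAP 3268); the dynamic RPC range is the Windows 2003
default of 1025-5000 unless the DCs have been pinned to a narrower range.
The log format and addresses below are constructed for this example.
"""
import re
from collections import Counter

# Services a Windows 2003 (non-downlevel) trust needs, keyed by (proto, port).
TRUST_SERVICES = {
    ("udp", 53): "DNS", ("tcp", 53): "DNS",
    ("udp", 88): "Kerberos", ("tcp", 88): "Kerberos",
    ("tcp", 135): "RPC endpoint mapper",
    ("udp", 389): "LDAP", ("tcp", 389): "LDAP",
    ("tcp", 445): "SMB/CIFS",
    ("tcp", 3268): "Global catalog LDAP",
}
# NetBIOS/WINS ports: only downlevel (NT4-style) trusts need these, so drops
# here are expected between two Windows 2003 forests and are not reported.
DOWNLEVEL_PORTS = {("udp", 137), ("udp", 138), ("tcp", 139)}
DYNAMIC_RPC = range(1025, 5001)  # Windows 2003 default dynamic RPC range

# Constructed log format: one key=value record per line.
LOG_RE = re.compile(
    r"action=(?P<action>\w+)\s+proto=(?P<proto>\w+)\s+"
    r"src=(?P<src>[\d.]+)\s+dst=(?P<dst>[\d.]+)\s+dport=(?P<dport>\d+)"
)


def classify_port(proto, port):
    """Return the trust service a (proto, dport) pair serves, or None."""
    key = (proto.lower(), port)
    if key in TRUST_SERVICES:
        return TRUST_SERVICES[key]
    if key[0] == "tcp" and port in DYNAMIC_RPC:
        # Dynamic RPC: narrow the range on the DCs rather than opening it all.
        return "Dynamic RPC"
    return None  # downlevel ports and anything else are not trust traffic


def blocked_trust_services(log_lines, dmz_dcs, corp_dcs):
    """Count drops, per trust service, for DMZ-DC -> corporate-DC traffic.

    Only the direction the question concerns (second-tier DCs initiating to
    the intranet DCs) is counted; other sources and directions are ignored.
    """
    hits = Counter()
    for line in log_lines:
        m = LOG_RE.search(line)
        if not m or m["action"].lower() != "drop":
            continue
        if m["src"] not in dmz_dcs or m["dst"] not in corp_dcs:
            continue
        service = classify_port(m["proto"], int(m["dport"]))
        if service is not None:
            hits[service] += 1
    return dict(hits)


# Constructed sample using RFC 5737 documentation addresses.
DMZ_DCS = {"192.0.2.10"}       # domain controller in the "private net" tier
CORP_DCS = {"198.51.100.20"}   # corporate intranet domain controller
SAMPLE_LOG = [
    "action=DROP proto=tcp src=192.0.2.10 dst=198.51.100.20 dport=88",
    "action=DROP proto=udp src=192.0.2.10 dst=198.51.100.20 dport=389",
    "action=DROP proto=tcp src=192.0.2.10 dst=198.51.100.20 dport=135",
    "action=DROP proto=tcp src=192.0.2.10 dst=198.51.100.20 dport=1026",
    "action=DROP proto=udp src=192.0.2.10 dst=198.51.100.20 dport=137",
    "action=ACCEPT proto=tcp src=192.0.2.10 dst=198.51.100.20 dport=445",
    "action=DROP proto=tcp src=198.51.100.20 dst=192.0.2.10 dport=88",
    "action=DROP proto=tcp src=192.0.2.55 dst=198.51.100.20 dport=389",
]

if __name__ == "__main__":
    report = blocked_trust_services(SAMPLE_LOG, DMZ_DCS, CORP_DCS)
    for service, n in sorted(report.items()):
        print(f"{n:3d} drop(s)  {service}")
```

On the sample, the NetBIOS drop, the accepted SMB connection, the reverse-direction drop and the non-DC source are all ignored, leaving Kerberos, LDAP, the RPC endpoint mapper and one dynamic RPC port as the rules still missing.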
Justified Geek (Guest)
Posted: Wed Jan 26, 2005 3:43 am
Post subject: Re: Ports to open for a one-way trust
Perfect! You're awesome!

Now I've got to circle back and find out why I didn't find it with my search methods. (I'm supposed to be a professional at finding IT answers; I am humbled in your shadow.)

Thanks again!

Paul