Re: [fw-wiz] NTLM authentication from DMZ

From: Jan van Rensburg <jan.van.rensburg@epiuse.com>
To: firewall-wizards@honor.icsalabs.com
Date: Wed Sep 18 08:00:02 2002

A related question I've sometimes wondered about is where the best
place is to put a company's Exchange server. Let us assume that the
Exchange server is part of the normal company domain, so that you only
have one authentication database to deal with. The second assumption is
that people will access their Exchange mail remotely from the Internet.
Now the obvious answer to this is a VPN, but let's assume that this is
not possible.

The two options left are:
1. Place the Exchange server in the DMZ, but that would require a whole
lot of ports open between the LAN and DMZ for the authentication to
work.
2. Place it on the LAN, but that would require opening ports from the
Internet to your LAN.

Which of the two is worse? Any other (non VPN) alternatives?

Jan van Rensburg

On Tuesday, Sep 17, 2002, at 13:36 Africa/Johannesburg, Volker Tanger
wrote:

> Greetings!
>
> miha@nil.si wrote:
>> I am trying to set up a WebSweeper proxy in the DMZ, and enable NTLM
>> authentication on it. Since it is not a server in the domain, I guess it
>> needs to communicate with a DC, so it can authenticate the users as
>> they request pages from the proxy.
>
> You need to make the WebSweeper a member of the WinNT domain in the
> LAN. For this you need NBT (nbname / nbsession) plus probably MS-RPCs
> for SAM sync (not sure on the latter) in both directions. As the DMZ
> probably is a separate (non-broadcast) network you'll need a WINS
> server in the LAN.
>
> Basically having NTLM auth from DMZ is not such a good idea. Better
> place an MS-Proxy/ISA in your LAN for authentication and cascade this
> to the (then unauthenticated) WebSweeper in the DMZ. This way you can
> leave the DMZ machine (more or less) completely separated.
>
> Bye
>
> Volker Tanger
> IT-Security Consulting
>
> --
> discon gmbh
> Wrangelstraße 100
> D-10997 Berlin
>
> fon +49 30 6104-3307
> fax +49 30 6104-3461
>
> volker.tanger@discon.de
> http://www.discon.de/
>
>
> _______________________________________________
> firewall-wizards mailing list
> firewall-wizards@honor.icsalabs.com
> http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
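As an added illustration, not part of the thread: a small Python check of the LAN/DMZ firewall rules each design needs. It flags any DMZ-to-LAN rule that reaches a port a domain member uses to talk to its DC, which is the "whole lot of ports" a domain-joined DMZ box requires and the cascaded LAN proxy avoids. The port-to-service mapping and both rule sets are my assumptions, constructed for the example.

```python
# Added example, not from the thread. Rule sets and port mapping are
# assumptions constructed for illustration.

# Ports a domain-joined Windows host talks to a DC / WINS on (assumed mapping).
DOMAIN_AUTH_PORTS = {
    ("udp", 137): "NetBIOS name service (WINS)",
    ("udp", 138): "NetBIOS datagram",
    ("tcp", 139): "NetBIOS session",
    ("tcp", 135): "MS-RPC endpoint mapper",
    ("tcp", 445): "SMB direct",
}

# A rule is (source zone, destination zone, protocol, destination port).
# Design 1: the WebSweeper is a domain member sitting in the DMZ.
DESIGN_DMZ_DOMAIN_MEMBER = [
    ("lan", "dmz", "tcp", 8080),   # clients -> proxy
    ("dmz", "lan", "udp", 137),    # NetBIOS / WINS name lookups
    ("dmz", "lan", "udp", 138),
    ("dmz", "lan", "tcp", 139),
    ("dmz", "lan", "tcp", 135),    # RPC for domain traffic
    ("lan", "dmz", "tcp", 139),    # "in both directions"
]

# Design 2: authenticating proxy on the LAN cascades to an unauthenticated
# WebSweeper in the DMZ; nothing is allowed from the DMZ into the LAN.
DESIGN_CASCADED_PROXY = [
    ("lan", "dmz", "tcp", 8080),   # LAN proxy -> DMZ proxy only
]


def dmz_to_lan_rules(rules):
    """All rules that let a DMZ host initiate traffic into the LAN."""
    return [r for r in rules if r[0] == "dmz" and r[1] == "lan"]


def dmz_to_lan_auth_exposure(rules):
    """(proto, port, service) for each DMZ->LAN rule hitting a domain/NTLM port.
    An empty list means a compromised DMZ box has no direct path to those
    LAN services under this rule set."""
    hits = []
    for _src, _dst, proto, port in dmz_to_lan_rules(rules):
        if (proto, port) in DOMAIN_AUTH_PORTS:
            hits.append((proto, port, DOMAIN_AUTH_PORTS[(proto, port)]))
    return hits


if __name__ == "__main__":
    for name, rules in (("domain member in DMZ", DESIGN_DMZ_DOMAIN_MEMBER),
                        ("cascaded LAN proxy", DESIGN_CASCADED_PROXY)):
        hits = dmz_to_lan_auth_exposure(rules)
        print(f"{name}: {len(dmz_to_lan_rules(rules))} DMZ->LAN rule(s), "
              f"{len(hits)} reach domain-auth ports")
        for proto, port, svc in hits:
            print(f"  {proto}/{port} {svc}")
```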


