Re: Webserver accessing Active Directory information
From: Toddah (anonymous_at_discussions.microsoft.com)
Date: Thu, 24 Jun 2004 05:25:49 -0700
Thanks, will check for AD groups
>On Wed, 23 Jun 2004 14:44:34 -0700, "Toddah"
>>I have a 3 leg PIX 515 with Inside (full AD), DMZ and
>>outside(internet) interfaces. I have a (workgroup) 2003
>>Server with IIS6 running a website in the DMZ. I have
>>allowed 1433 thru the firewall to talk to the inside SQL
>>server and that works fine. Our programmer has developed
>>an ASP application that needs Active Directory access
>>the Webserver in the DMZ to lookup user information and
>>route request forms based on group membership from forms
>>on the webserver.
>> How insecure is it to allow the ASP apps to access
>>Directory from the DMZ?
>Less secure than not doing it.
>> Is there a secure way to allow this or do I send him
>>to the drawing board?
>Open the ports for the DMZ to LAN only. Not really smart to put a DC
>in a DMZ though.
>>If allowable what ports would I need to allow from the
>Kinda depends on what part of AD the apps use. I'd run the app and
>see what the firewall logs show as requested before just
>somewhat appropriate ports.
>May also want to check in a general security group or an
>group, none of this really involves IIS security.
>>UDP 53 (DNS)
>>UDP 88 (KPassword)
>>UDP 137 (NetBIOS Name)
>>UDP 138 (NetBIOS Datagram)
>>UDP 389 (LDAP)
>>UDP 750 (Kerberos)
>>TCP 53 (DNS)
>>TCP 88 (KPassword)
>>TCP 135 (NetBIOS over TCP)
>>TCP 139 (NetBIOS Session)
>>TCP 389 (LDAP)
>>TCP 445 (CIFS)
>>TCP 636 (LDAP over SSL)
>>TCP 750 (Kerberos)
>>TCP 1026 (Active Directory)
>>TCP 1512 (WINS)
>>TCP 3268 (LDAP Global Catalog)
>>TCP 3269 (LDAP GC over SSL)
>>Just trying to make sure I not opening the floodgates to
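The replier's suggestion above, to run the app and let the firewall logs show which DMZ-to-inside ports are actually requested before opening any, as an added worked example that is not part of the thread. It parses constructed sample syslog lines in the style of PIX "Built connection" and "Deny" messages (the message format and the interface names `dmz`/`inside` are assumptions, not taken from the post) and compares the observed ports with the candidate AD port list quoted above, so the resulting ACL carries only what the application needs.

```python
import re
from collections import Counter

# Candidate DMZ -> inside ports as listed in the thread, as (proto, port).
CANDIDATE_PORTS = {
    ("udp", 53), ("udp", 88), ("udp", 137), ("udp", 138), ("udp", 389), ("udp", 750),
    ("tcp", 53), ("tcp", 88), ("tcp", 135), ("tcp", 139), ("tcp", 389), ("tcp", 445),
    ("tcp", 636), ("tcp", 750), ("tcp", 1026), ("tcp", 1512), ("tcp", 3268), ("tcp", 3269),
}

# Constructed sample lines in the style of PIX syslog "Built ... connection"
# (302013/302015) and "Deny" (106023) messages. The exact format is an assumption;
# check it against your own PIX output before relying on the regexes below.
SAMPLE_LOG = """\
%PIX-6-302013: Built outbound TCP connection 1001 for inside:10.0.0.5/389 (10.0.0.5/389) to dmz:192.168.1.10/3310 (192.168.1.10/3310)
%PIX-6-302015: Built outbound UDP connection 1002 for inside:10.0.0.5/53 (10.0.0.5/53) to dmz:192.168.1.10/1040 (192.168.1.10/1040)
%PIX-6-302013: Built outbound TCP connection 1003 for inside:10.0.0.5/3268 (10.0.0.5/3268) to dmz:192.168.1.10/3311 (192.168.1.10/3311)
%PIX-4-106023: Deny tcp src dmz:192.168.1.10/3312 dst inside:10.0.0.5/445 by access-group "dmz_access_in"
%PIX-6-302013: Built outbound TCP connection 1004 for inside:10.0.0.7/1433 (10.0.0.7/1433) to dmz:192.168.1.10/3313 (192.168.1.10/3313)
%PIX-6-302013: Built inbound TCP connection 1005 for outside:203.0.113.9/4000 (203.0.113.9/4000) to dmz:192.168.1.10/80 (192.168.1.10/80)
"""

ENDPOINT = re.compile(r"(?P<iface>[A-Za-z0-9_-]+):(?P<ip>\d+(?:\.\d+){3})/(?P<port>\d+)")
PROTO = re.compile(r"\b(tcp|udp)\b", re.IGNORECASE)

def dmz_to_inside_flows(log_text, dmz_if="dmz", inside_if="inside"):
    """Count (proto, inside_port, 'built'|'denied') for every DMZ<->inside flow.
    Endpoints are matched by interface name, so the for/to or src/dst order in
    the message does not matter; other traffic (e.g. internet->DMZ) is skipped."""
    flows = Counter()
    for line in log_text.splitlines():
        proto = PROTO.search(line)
        ports = {m["iface"]: int(m["port"]) for m in ENDPOINT.finditer(line)}
        if not proto or dmz_if not in ports or inside_if not in ports:
            continue
        decision = "denied" if "Deny" in line else "built"
        flows[(proto.group(1).lower(), ports[inside_if], decision)] += 1
    return flows

def rule_review(flows, candidates=CANDIDATE_PORTS):
    """Turn observed flows into a least-privilege decision for the DMZ->inside ACL."""
    built = {(p, port) for (p, port, d) in flows if d == "built"}
    denied = {(p, port) for (p, port, d) in flows if d == "denied"}
    return {
        "keep": sorted(built & candidates),                           # used by the app
        "investigate_denied": sorted((denied - built) & candidates),  # tried, but blocked
        "leave_closed": sorted(candidates - built - denied),          # never requested
        "outside_ad_list": sorted((built | denied) - candidates),     # e.g. SQL 1433
    }
```

Calling `rule_review(dmz_to_inside_flows(SAMPLE_LOG))` on the sample keeps only TCP 389, TCP 3268 and UDP 53, flags the blocked TCP 445 attempt for a decision, leaves the other fourteen candidate ports closed, and reports TCP 1433 as traffic outside the AD list that needs its own rule and justification.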