Re: Securing Communication Between Domain Members and their Domain Controllers
From: Steven L Umbach (n9rou_at_nospam-comcast.net)
Date: Thu, 27 May 2004 01:21:53 GMT
Authentication traffic of course is already protected via Kerberos. You may want to
look into using an IPsec tunnel into a gateway computer or IPsec endpoint device, or
setting up an RRAS server and then using L2TP for the connection into your network, with
the computers from the DMZ being L2TP clients. If you use RRAS you can use Remote
Access Policy with input/output filters to manage what traffic goes where. Ideally
you would want to use certificates instead of a pre-shared key for machine
authentication. It is not hard to configure a CA on your network for such.

--- Steve
"Stuart Coney" <NOSPAM_StueyC_News@msn.com> wrote in message
> Hello all,
>
> I have been searching (and searching) the Microsoft site for information on
> "Securing Communication Between Domain Members and their Domain Controllers".
>
> We are looking at a migration from an NT4 domain plus a large number of DMZ
> (perimeter in MS speak) located stand-alone servers. The idea is to
> integrate them into a single secure Active Directory domain.
>
> The DCs for the domain will be located in a secured network separate from
> both the DMZ and internal network environments, and access will be controlled
> through firewalls. As all servers in the domain are located at location,
> all DCs will be located in the secure network; therefore all DC replication
> will occur in the secure network.
>
> The forest containing this domain will be separate from the corporate
>
> The problem:
>
> We want to secure communication between the member servers in the DMZ and
> the DCs. My original thought of IPsec has been ruled out due to specific
> information on the MS site: "Using IPSec to help secure traffic between
> domain members (either clients or servers) and their domain controllers is
> not recommended"...due to increased latency in authentication, increased DC
> load, and complexity of IPsec management, etc.
>
> My next thought was whether we could use LDAP SSL and configure the DCs and
> member servers to communicate this way. Looking through MS tech. support,
> I have found several documents relating to configuring LDAP SSL between DCs
> for replication, but none for general secure connections between member
> servers and DCs.
>
> Can anybody advise for the above scenario the best practice for securing
> communication between the member servers and domain controllers?
>
> Much appreciated.
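The check a practitioner would run before deciding whether member-to-DC LDAP needs a tunnel at all, added here as an example and not part of the original thread or of any Microsoft document. It goes beyond the LDAP-over-SSL question above: it reads the member's own LDAP signing requirement (Windows' non-TLS integrity mechanism for LDAP, which is the first thing to verify) and then confirms that the DC actually answers LDAPS on TCP 636 with a certificate that chains to a CA this member trusts. `$DomainController`, `dc1.example.local`, and the helper names `Get-LdapClientSigning` / `Test-Ldaps` are assumptions for the example; the registry path, value meanings and the port are the standard Windows ones.

```powershell
# Added example, not from the original thread. Run on a domain member that can reach
# the DC over TCP 636. $DomainController is a placeholder; replace it with a real DC FQDN.
param(
    [string]$DomainController = 'dc1.example.local'   # assumption: your DC's name
)

function Get-LdapClientSigning {
    # LDAPClientIntegrity under HKLM\SYSTEM\CurrentControlSet\Services\LDAP
    # (the "Network security: LDAP client signing requirements" policy):
    # 0 = no signing, 1 = negotiate signing (the default), 2 = require signing.
    $path = 'HKLM:\SYSTEM\CurrentControlSet\Services\LDAP'
    $item = Get-ItemProperty -Path $path -Name LDAPClientIntegrity -ErrorAction SilentlyContinue
    if ($null -eq $item) { return 1 }   # value absent means the default, negotiate
    return [int]$item.LDAPClientIntegrity
}

function Test-Ldaps {
    param([string]$Server, [int]$Port = 636)
    $tcp = New-Object System.Net.Sockets.TcpClient
    try {
        $tcp.Connect($Server, $Port)
        # Accept whatever certificate the DC presents so we can inspect it ourselves;
        # the trust decision is made explicitly below with $cert.Verify().
        $acceptAll = { $true } -as [System.Net.Security.RemoteCertificateValidationCallback]
        $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $acceptAll)
        $ssl.AuthenticateAsClient($Server)
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 `
            -ArgumentList $ssl.RemoteCertificate
        [pscustomobject]@{
            Server     = $Server
            Protocol   = $ssl.SslProtocol
            Subject    = $cert.Subject
            Issuer     = $cert.Issuer
            NotAfter   = $cert.NotAfter
            Thumbprint = $cert.Thumbprint
            # Does the DC's certificate chain to a CA in this member's trust store?
            # This is the check a real LDAPS client performs; a self-signed or
            # untrusted-CA certificate makes LDAPS fail or, worse, invite a MITM.
            ChainValid = $cert.Verify()
        }
    }
    finally {
        $tcp.Close()
    }
}

# 1. Is this member willing to talk unsigned LDAP to a DC?
$signing = Get-LdapClientSigning
$label = @{ 0 = 'none'; 1 = 'negotiate (default)'; 2 = 'require' }[$signing]
"LDAP client signing on $env:COMPUTERNAME : $signing ($label)"
if ($signing -lt 2) {
    "  -> set LDAPClientIntegrity=2 (or the matching security policy) to refuse unsigned LDAP"
}

# 2. Does the DC offer LDAPS with a certificate we trust?
$ldaps = Test-Ldaps -Server $DomainController
$ldaps | Format-List
if (-not $ldaps.ChainValid) {
    "  -> the DC's LDAPS certificate does not chain to a CA trusted on this member"
}
```

The DC-side counterpart is `LDAPServerIntegrity` under `HKLM\SYSTEM\CurrentControlSet\Services\NTDS\Parameters` (the "Domain controller: LDAP server signing requirements" policy), which can be read over WinRM with `Invoke-Command -ComputerName $DomainController`. For the scenario above, the LDAPS test will only succeed once each DC holds a server-authentication certificate from a CA the DMZ members trust (the same internal CA the reply suggests for L2TP machine certificates) and the firewall between the DMZ and the DC network passes TCP 636 (and 3269 for a global catalog) in addition to the ordinary domain-member ports.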