Firewall Wizards mailing list archives

Re: NTLM authentication from DMZ


From: Volker Tanger <volker.tanger () discon de>
Date: Tue, 17 Sep 2002 13:36:53 +0200

Greetings!

miha () nil si wrote:

I am trying to set up a WebSweeper proxy in the DMZ and enable NTLM
authentication on it. Since it is not a server in the domain, I guess it
needs to communicate with a DC so it can authenticate the users as they
request pages from the proxy.

You need to make the WebSweeper a member of the WinNT domain in the LAN. For this you need NBT (nbname / nbsession) plus probably MS-RPCs for SAM sync (not sure on the latter) in both directions. As the DMZ probably is a separate (non-broadcast) network, you'll need a WINS server in the LAN.

Basically having NTLM auth from DMZ is not such a good idea. Better place an MS-Proxy/ISA in your LAN for authentication and cascade this to the (then unauthenticated) WebSweeper in the DMZ. This way you can leave the DMZ machine (more or less) completely separated.

Bye

Volker Tanger
IT-Security Consulting

--
discon gmbh
Wrangelstraße 100
D-10997 Berlin

fon    +49 30 6104-3307
fax    +49 30 6104-3461

volker.tanger () discon de
http://www.discon.de/


_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
