Firewall Wizards mailing list archives
Re: NTLM authentication from DMZ
From: Jan van Rensburg <jan.van.rensburg () epiuse com>
Date: Wed, 18 Sep 2002 10:27:07 +0200
A related question I've sometimes wondered about is where the best place is to put a company's Exchange server. Let us assume that the Exchange server is part of the normal company domain, so that you only have one authentication database to deal with. The second assumption is that people will access their Exchange mail remotely from the Internet. Now the obvious answer to this is a VPN, but let's assume that this is not possible.
The two options left are:

1. Place the Exchange server in the DMZ, but that would require a whole lot of ports open between the LAN and DMZ for the authentication to work.
2. Place it on the LAN, but that would require opening ports from the Internet to your LAN.
Which of the two is worse? Any other (non-VPN) alternatives?

Jan van Rensburg

On Tuesday, Sep 17, 2002, at 13:36 Africa/Johannesburg, Volker Tanger wrote:
> Greetings!
>
> miha () nil si wrote:
>> I am trying to set up a WebSweeper proxy in the DMZ, and enable NTLM authentication on it. Since it is not a server in the domain, I guess it needs to communicate with a DC, so it can authenticate the users as they request pages from the proxy.
>
> You need to make the WebSweeper a member of the WinNT domain in the LAN. For this you need NBT (nbname / nbsession) plus probably MS-RPCs for SAM sync (not sure on the latter) in both directions. As the DMZ probably is a separate (non-broadcast) network you'll need a WINS server in the LAN.
>
> Basically, having NTLM auth from the DMZ is not such a good idea. Better place an MS-Proxy/ISA in your LAN for authentication and cascade this to the (then unauthenticated) WebSweeper in the DMZ. This way you can leave the DMZ machine (more or less) completely separated.
>
> Bye
>
> Volker Tanger
> IT-Security Consulting -- discon gmbh
> Wrangelstraße 100
> D-10997 Berlin
> fon +49 30 6104-3307
> fax +49 30 6104-3461
> volker.tanger () discon de
> http://www.discon.de/
> _______________________________________________
> firewall-wizards mailing list
> firewall-wizards () honor icsalabs com
> http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
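The trade-off in both messages above (Volker's WebSweeper-as-domain-member vs. an ISA in the LAN cascading to an unauthenticated DMZ proxy, and Jan's Exchange-in-DMZ vs. Exchange-in-LAN) comes down to which firewall rules each design forces you to write. The following audit script is an added example, not code from either poster or from the list: it takes a small zone-based rule list and flags the two patterns the thread worries about, Windows domain/NTLM traffic allowed from the DMZ into the LAN, and anything allowed from the Internet straight into the LAN. The rule sets, the zone names and the 1024-65535 MS-RPC range are constructed assumptions for illustration; the well-known NetBIOS/SMB/RPC port numbers are real.

```python
"""Audit candidate DMZ/LAN firewall designs for the two holes discussed in the thread.

Added example. Rules and rule sets are constructed for illustration; the only
real data are the well-known Windows authentication port assignments.
"""

from dataclasses import dataclass

# What a DMZ host needs towards the LAN to be a domain member and pass NTLM
# authentication through to a DC (the "NBT plus MS-RPC" Volker refers to):
#   udp/137 NetBIOS name service (nbname), udp/138 NetBIOS datagram,
#   tcp/139 NetBIOS session (nbsession), tcp/445 SMB over TCP,
#   tcp/135 MS-RPC endpoint mapper.
DOMAIN_AUTH_PORTS = {("udp", 137), ("udp", 138), ("tcp", 139), ("tcp", 445), ("tcp", 135)}
# Assumption: classic NT-era dynamic RPC range, i.e. "any high port".
RPC_DYNAMIC = set(range(1024, 65536))


@dataclass(frozen=True)
class Rule:
    src_zone: str   # "internet", "dmz" or "lan" (constructed zone names)
    dst_zone: str
    proto: str      # "tcp" or "udp"
    dport: str      # "139", "1024-65535" or "any"


def _port_set(spec):
    """Expand a destination-port spec into the set of ports it permits."""
    if spec == "any":
        return set(range(0, 65536))
    if "-" in spec:
        lo, hi = spec.split("-")
        return set(range(int(lo), int(hi) + 1))
    return {int(spec)}


def audit(rules):
    """Return (rule, reason) pairs for every rule that opens one of the two holes."""
    findings = []
    for r in rules:
        ports = _port_set(r.dport)
        if r.src_zone == "dmz" and r.dst_zone == "lan":
            hit = sorted(p for (pr, p) in DOMAIN_AUTH_PORTS if pr == r.proto and p in ports)
            if hit:
                findings.append((r, f"domain/NTLM auth port(s) {hit} open from DMZ to LAN"))
            elif r.proto == "tcp" and ports & RPC_DYNAMIC:
                findings.append((r, "dynamic MS-RPC high-port range open from DMZ to LAN"))
        if r.src_zone == "internet" and r.dst_zone == "lan":
            findings.append((r, f"Internet reaches LAN directly on {r.proto}/{r.dport}"))
    return findings


# Design 1 (constructed): WebSweeper in the DMZ joined to the domain, so the
# DMZ-to-LAN NBT/RPC rules are unavoidable.
WEBSWEEPER_DOMAIN_MEMBER_IN_DMZ = [
    Rule("lan", "dmz", "tcp", "8080"),        # clients to proxy
    Rule("dmz", "internet", "tcp", "80"),
    Rule("dmz", "internet", "tcp", "443"),
    Rule("dmz", "lan", "udp", "137"),         # nbname / WINS
    Rule("dmz", "lan", "udp", "138"),
    Rule("dmz", "lan", "tcp", "139"),         # nbsession
    Rule("dmz", "lan", "tcp", "135"),         # RPC endpoint mapper
    Rule("dmz", "lan", "tcp", "1024-65535"),  # dynamic RPC for SAM sync
    Rule("lan", "dmz", "tcp", "139"),         # "both directions"
]

# Design 2 (constructed): MS-Proxy/ISA in the LAN authenticates users and
# cascades to an unauthenticated WebSweeper in the DMZ; no DMZ-to-LAN rules.
ISA_IN_LAN_CASCADED = [
    Rule("lan", "dmz", "tcp", "8080"),        # ISA upstream to WebSweeper
    Rule("dmz", "internet", "tcp", "80"),
    Rule("dmz", "internet", "tcp", "443"),
]

# Jan's two Exchange placements (constructed; ports assumed for SMTP/HTTPS).
EXCHANGE_IN_DMZ = [
    Rule("internet", "dmz", "tcp", "25"),
    Rule("internet", "dmz", "tcp", "443"),
    Rule("dmz", "lan", "tcp", "445"),
    Rule("dmz", "lan", "tcp", "135"),
    Rule("dmz", "lan", "tcp", "1024-65535"),
    Rule("dmz", "lan", "udp", "137"),
]
EXCHANGE_IN_LAN = [
    Rule("internet", "lan", "tcp", "25"),
    Rule("internet", "lan", "tcp", "443"),
]

DESIGNS = {
    "websweeper-domain-member-in-dmz": WEBSWEEPER_DOMAIN_MEMBER_IN_DMZ,
    "isa-in-lan-cascaded": ISA_IN_LAN_CASCADED,
    "exchange-in-dmz": EXCHANGE_IN_DMZ,
    "exchange-in-lan": EXCHANGE_IN_LAN,
}


def report():
    """Map each design name to the number of flagged rules."""
    return {name: len(audit(rules)) for name, rules in DESIGNS.items()}


if __name__ == "__main__":
    for name, rules in DESIGNS.items():
        print(f"== {name}")
        for rule, why in audit(rules):
            print(f"  {rule.src_zone}->{rule.dst_zone} {rule.proto}/{rule.dport}: {why}")
```

The script only counts holes; it does not rank them. Whether five DMZ-to-LAN domain rules are worse than two Internet-to-LAN rules is exactly Jan's open question, but the audit makes the difference between the two proxy designs concrete: the cascaded ISA design produces no DMZ-to-LAN rule at all, which is the separation Volker is after.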
Current thread:
- NTLM authentication from DMZ miha (Sep 17)
- Re: NTLM authentication from DMZ Volker Tanger (Sep 17)
- Re: NTLM authentication from DMZ Jan van Rensburg (Sep 18)
- RE: NTLM authentication from DMZ Ben Nagy (Sep 19)
- RE: NTLM authentication from DMZ Frank Knobbe (Sep 19)
- RE: NTLM authentication from DMZ Ben Nagy (Sep 20)
- RE: NTLM authentication from DMZ Frank Knobbe (Sep 20)
- Re: NTLM authentication from DMZ Jan van Rensburg (Sep 18)
- Re: NTLM authentication from DMZ Volker Tanger (Sep 17)
- Re: NTLM authentication from DMZ Mikael Olsson (Sep 20)
- <Possible follow-ups>
- RE: NTLM authentication from DMZ Noonan, Wesley (Sep 20)
- RE: NTLM authentication from DMZ Dawes, Rogan (ZA - Johannesburg) (Sep 20)
- RE: NTLM authentication from DMZ Bill Royds (Sep 21)
- RE: NTLM authentication from DMZ Noonan, Wesley (Sep 20)