Firewall Wizards mailing list archives

Re: NTLM authentication from DMZ

From: Jan van Rensburg <jan.van.rensburg () epiuse com>
Date: Wed, 18 Sep 2002 10:27:07 +0200

A related question I've sometimes wondered about, is where is the bestplace to put a company's Exchange server. Let us assume that theExchange server is part of the normal company domain, so that you onlyhave one authentication database to deal with. The second assumption isthat people will access their Exchange mail remotely from the Internet.Now the obvious answer to this is a VPN, but lets assume that this isnot possible.


The two options left is:

1. Place the exchange server in the DMZ, but that would require a wholelot of ports open between the LAN and DMZ for the authentication towork.2. Place it on the LAN, but that would require opening ports from theInternet to your LAN.


Which of the two is worse? Any other (non VPN) alternatives?

Jan van Rensburg

On Tuesday, Sep 17, 2002, at 13:36 Africa/Johannesburg, Volker Tangerwrote:

Greetings!

miha () nil si wrote:
I am trying to set up a WebSweeper proxy in the DMZ, and enable NTLM
authentication on it. Since it is not server in the domain, I guess it
needs to communicate with a DC, so it can Authenticate the users asthey
request pages form the proxy.
You need to make the WebSweeper a member of the WinNT-Domain in theLAN. For this you need NBT (nbname / nbsession) plus probably MS-RPCsfor SAM sync (not sure on the latter) in both directions. As DMSprobably is a separate (non-broadcast) network you'll need a WINSserver in the LAN.
Basically having NTLM auth from DMZ is not such a good idea. Betterplace an MS-Proxy/ISA in your LAN for authentication and cascade thisto the (then unauthenticated) WebSweeper in the DMZ. This way you canleave the DMZ machine (more or less) completely separated.
Bye

Volker Tanger
IT-Security Consulting

--
discon gmbh
Wrangelstraße 100
D-10997 Berlin

fon    +49 30 6104-3307
fax    +49 30 6104-3461

volker.tanger () discon de
http://www.discon.de/


_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards


_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards

Current thread:

NTLM authentication from DMZ miha (Sep 17)
- Re: NTLM authentication from DMZ Volker Tanger (Sep 17)
  - Re: NTLM authentication from DMZ Jan van Rensburg (Sep 18)
    - RE: NTLM authentication from DMZ Ben Nagy (Sep 19)
    - RE: NTLM authentication from DMZ Frank Knobbe (Sep 19)
    - RE: NTLM authentication from DMZ Ben Nagy (Sep 20)
    - RE: NTLM authentication from DMZ Frank Knobbe (Sep 20)
    - Re: NTLM authentication from DMZ Mikael Olsson (Sep 20)
  - RE: NTLM authentication from DMZ Ben Nagy (Sep 19)
- <Possible follow-ups>
- RE: NTLM authentication from DMZ Noonan, Wesley (Sep 20)
- RE: NTLM authentication from DMZ Dawes, Rogan (ZA - Johannesburg) (Sep 20)
  - RE: NTLM authentication from DMZ Bill Royds (Sep 21)
- RE: NTLM authentication from DMZ Noonan, Wesley (Sep 20)

(Thread continues...)