Firewall Wizards mailing list archives
RE: NTLM authentication from DMZ
From: "Ben Nagy" <ben () iagu net>
Date: Thu, 19 Sep 2002 08:59:16 +0200
-----Original Message-----
From: firewall-wizards-admin () honor icsalabs com [mailto:firewall-wizards-admin () honor icsalabs com] On Behalf Of Volker Tanger
Sent: Tuesday, September 17, 2002 1:37 PM
To: miha () nil si; firewall-wizards () honor icsalabs com
Subject: Re: [fw-wiz] NTLM authentication from DMZ

> Greetings!
>
> miha () nil si wrote:
>> I am trying to set up a WebSweeper proxy in the DMZ, and enable NTLM authentication on it. Since it is not a server in the domain, I guess it needs to communicate with a DC, so it can authenticate the users as they request pages from the proxy.
>
> You need to make the WebSweeper a member of the WinNT-Domain in the LAN. For this you need NBT (nbname / nbsession) plus probably MS-RPCs for SAM sync (not sure on the latter) in both directions. As the DMZ probably is a separate (non-broadcast) network you'll need a WINS server in the LAN.
You probably wouldn't want to do it that way. If you must have NTLM auth from this box then you would set it up in a different domain with a one-way trust relationship. When I passed my exam I used to know which way those durn things went, but I think that the DMZ domain wants to trust the LAN domain but not vice-versa. Now you just do your permissions by allowing LANDOMAIN\Username. AFAIK you can get away without MS-RPC (135 tcp) but you will need 137 and 138 udp (NBT) but not 139, I suspect. You don't need to do name resolution or browsing at all, so don't worry about the WINS server. I'd probably just put the IP address of the LAN DC in an LMHOSTS file and avoid the whole browsing/broadcast mess altogether.
> Basically having NTLM auth from DMZ is not such a good idea. Better place an MS-Proxy/ISA in your LAN for authentication and cascade this to the (then unauthenticated) WebSweeper in the DMZ. This way you can leave the DMZ machine (more or less) completely separated.
I completely agree with this paragraph, though. It's not a good idea, and you would be better off not passing auth traffic back and forth from your DMZ. The security implications are icky.
> Bye
> Volker Tanger
> IT-Security Consulting
Cheers,
--
Ben Nagy
Network Security Specialist
Mb: +41792504687
PGP Key ID: 0x1A86E304

_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
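The minimal DMZ-to-LAN allowance Ben describes (NBT name and datagram, udp/137 and udp/138, to the single LAN DC only; no tcp/135, no tcp/139, no browsing/broadcast) can be checked mechanically against firewall logs. The audit below is an added example, not part of the original post or of any product mentioned in it; the log line format, address ranges and DC address are constructed for illustration.

```python
"""Audit DMZ -> LAN firewall log lines against the minimal NetBIOS policy
from the thread: a one-way-trusted DMZ host may reach the LAN domain
controller on udp/137 and udp/138 only; MS-RPC (tcp/135), NetBIOS session
(tcp/139) and browsing/broadcast traffic are flagged.
Log format, address ranges and the DC address are constructed, not real."""
from dataclasses import dataclass
import ipaddress

DMZ_NET = ipaddress.ip_network("192.0.2.0/24")   # constructed DMZ range
LAN_NET = ipaddress.ip_network("10.0.0.0/8")     # constructed LAN range
LAN_DC = ipaddress.ip_address("10.0.0.5")        # constructed DC (the LMHOSTS target)
ALLOWED = {("udp", 137), ("udp", 138)}           # NBT name + datagram services only

@dataclass
class Flow:
    src: ipaddress.IPv4Address
    dst: ipaddress.IPv4Address
    proto: str
    dport: int

def parse_line(line):
    """Parse a constructed 'proto src:sport > dst:dport' log line into a Flow."""
    proto, rest = line.split(None, 1)
    src, dst = (part.strip() for part in rest.split(">"))
    s_ip, _ = src.rsplit(":", 1)
    d_ip, d_port = dst.rsplit(":", 1)
    return Flow(ipaddress.ip_address(s_ip), ipaddress.ip_address(d_ip),
                proto.lower(), int(d_port))

def judge(flow):
    """Return None if a DMZ->LAN flow fits the minimal policy, else a reason."""
    if flow.src not in DMZ_NET or flow.dst not in LAN_NET:
        return None  # not DMZ->LAN; outside the scope of this check
    if flow.dst.packed[-1] == 0xFF:  # crude subnet-broadcast heuristic
        return "broadcast/browsing toward LAN (use LMHOSTS instead)"
    if (flow.proto, flow.dport) == ("tcp", 135):
        return "MS-RPC endpoint mapper not needed for pass-through auth"
    if (flow.proto, flow.dport) == ("tcp", 139):
        return "NetBIOS session service not needed"
    if (flow.proto, flow.dport) not in ALLOWED:
        return "port outside the NBT name/datagram allowance"
    if flow.dst != LAN_DC:
        return "NBT traffic to a LAN host other than the DC"
    return None

def audit(lines):
    """Return (line, reason) for every logged flow that violates the policy."""
    return [(ln, judge(parse_line(ln))) for ln in lines if judge(parse_line(ln))]

SAMPLE_LOG = [  # constructed sample lines
    "udp 192.0.2.10:137 > 10.0.0.5:137",         # allowed: NBT name to the DC
    "udp 192.0.2.10:138 > 10.0.0.5:138",         # allowed: NBT datagram to the DC
    "tcp 192.0.2.10:1025 > 10.0.0.5:135",        # flagged: MS-RPC
    "tcp 192.0.2.10:1026 > 10.0.0.5:139",        # flagged: NBT session
    "udp 192.0.2.10:137 > 10.0.0.9:137",         # flagged: not the DC
    "udp 192.0.2.10:137 > 10.255.255.255:137",   # flagged: broadcast
    "tcp 10.0.0.20:2000 > 192.0.2.10:8080",      # LAN->DMZ, out of scope
]
```

`audit(SAMPLE_LOG)` returns the four offending lines with their reasons; the two NBT flows to the DC and the LAN-originated flow pass.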