Windows domain access from DMZ

Answered Question

I have a web server in a DMZ. We can access web pages on the web server from the internal net and the web server can see a database server on the internal side. The web server can ping the DC, but Windows authentication does not work. I need to be able to browse files on the web server in the DMZ. I added the web server to the domain prior to putting it in the DMZ.


access-list inside_nat0_outbound extended permit ip 10.4.0.0 255.255.240.0 172.31.4.0 255.255.255.0


access-list DMZ_outbound extended permit ip host 172.31.4.127 host 10.4.0.12 (IP of DC)


Is there something else I need to add so that the web server in the DMZ can authenticate to the DC?


Thanks, Bill

froggy3132000 Thu, 06/12/2008 - 07:11


sh run nat

sh run global

sh run static

Correct Answer
qbakies11 Thu, 06/12/2008 - 08:14

Just FYI, it is considered poor design to try and have a domain member server in a DMZ. There are several holes you have to open directly to your DCs which can be seen as a security risk.


You can accomplish being able to access files on the DMZ webserver from the internal network without joining the domain. I have the same setup and just created a local user on the webserver that we use to open the folders.
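The two designs the accepted answer contrasts, as an added ASA configuration example that is not part of this thread and not Cisco's or the poster's own config. Option A lists the DMZ-to-DC ports a domain-joined member server needs, which are the "holes" qbakies11 refers to; Option B is the local-account approach, which opens nothing from the DMZ toward the DC. The addresses and the ACL names are the ones from the question; the port list follows Microsoft's published Active Directory port requirements, and the object-group names and the DMZ interface name are assumptions.

```cisco
! Added example, not from the thread. 172.31.4.127 = DMZ web server, 10.4.0.12 = DC
! (both from the question). Object-group names and the interface nameif "DMZ" are assumed.
!
! --- Option A: keep the web server domain-joined ---
! Every one of these must be reachable from the DMZ host on the DC.
object-group service AD-TCP tcp
! DNS, Kerberos, RPC endpoint mapper, LDAP, SMB (SYSVOL/Netlogon), kpasswd, LDAPS, Global Catalog
 port-object eq 53
 port-object eq 88
 port-object eq 135
 port-object eq 389
 port-object eq 445
 port-object eq 464
 port-object eq 636
 port-object eq 3268
! Dynamic RPC range for Netlogon/NTDS: 49152-65535 on Server 2008 and later,
! 1025-5000 on Server 2003 DCs (adjust to the DC's version).
 port-object range 49152 65535
object-group service AD-UDP udp
! DNS, Kerberos, NTP (Kerberos needs clock sync), LDAP, kpasswd
 port-object eq 53
 port-object eq 88
 port-object eq 123
 port-object eq 389
 port-object eq 464
access-list DMZ_outbound extended permit tcp host 172.31.4.127 host 10.4.0.12 object-group AD-TCP
access-list DMZ_outbound extended permit udp host 172.31.4.127 host 10.4.0.12 object-group AD-UDP
access-group DMZ_outbound in interface DMZ
!
! --- Option B (the accepted answer): local account on the web server, no domain join ---
! Inside (security 100) reaching the DMZ (security 50) is permitted by default; the
! identity-NAT line from the question is all that is needed so internal clients reach
! the web server by its real address.
access-list inside_nat0_outbound extended permit ip 10.4.0.0 255.255.240.0 172.31.4.0 255.255.255.0
nat (inside) 0 access-list inside_nat0_outbound
! If an ACL is applied inbound on the inside interface (name assumed here), allow only SMB:
access-list inside_access_in extended permit tcp 10.4.0.0 255.255.240.0 host 172.31.4.127 eq 445
! The DMZ-to-DC rule from the question is no longer needed and can be removed:
no access-list DMZ_outbound extended permit ip host 172.31.4.127 host 10.4.0.12
```

With Option B the local account is created on the web server itself (`net user <name> * /add` prompts for the password) and granted share and NTFS permissions on the folder; internal users then open `\\172.31.4.127\<share>` with those local credentials. The difference between the two halves is the point of the answer: Option A exposes the DC's authentication, directory and RPC surface to a host that sits in the DMZ precisely because it is expected to be attacked, while Option B confines the firewall change to one inbound port on the DMZ host.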

