Windows domain access from DMZ

Answered Question

I have a web server in a DMZ. We can access web pages on the web server from the internal net and the web server can see a database server on the internal side. The web server can ping the DC, but windows authentication does not work. I need to be able to browse files on the web server in the DMZ. I added the web server to the domain prior to putting it in the DMZ.

access-list inside_nat0_outbound extended permit ip 10.4.0.0 255.255.240.0 172.31.4.0 255.255.255.0

access-list DMZ_outbound extended permit ip host 172.31.4.127 host 10.4.0.12 (IP of DC)

Is there something else i need to add so that the web server in the DMZ can authenticat to the DC?

Thanks, Bill

I have this problem too.
0 votes
Correct Answer by qbakies11 about 8 years 6 months ago

Just FYI, it is considered poor design to try and have a domain member server in a DMZ. There are several holes you have to open directly to your DCs which can be seen as a security risk.

You can accomplish being able to access files on the DMZ webserver from the internal network without joining the domain. I have the same setup and just created a local user on the webserver that we use to open the folders.

  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 5 (1 ratings)
Loading.
Correct Answer
qbakies11 Thu, 06/12/2008 - 08:14

Just FYI, it is considered poor design to try and have a domain member server in a DMZ. There are several holes you have to open directly to your DCs which can be seen as a security risk.

You can accomplish being able to access files on the DMZ webserver from the internal network without joining the domain. I have the same setup and just created a local user on the webserver that we use to open the folders.

Actions

This Discussion