Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
352
Views
0
Helpful
2
Replies

AD Authenication through PIX

dohogue
Level 1
Level 1

‎09-23-2008 07:53 AM - edited ‎03-11-2019 06:48 AM

I currently have servers in DMZ3 that allow SSL VPN connection to them. The SSL authenication is to the DMZ only.

I want to allow AD authenication from DMZ3 to AD directory domain that is located in the inside network.

What ports need to be open to allow this to happen? I have read that this type of authenication is a security nightmare because of the number of ports that must be open for this to work correctly. There is no domain controller on DMZ3 so the AD authenication traffic must pass to the inside network.

Another complication is that there are over 100 domain controllers that could answer the authenication request located on several different networks.

Any ideas?

Thanks

Labels:
0 Helpful
2 Replies 2

Marwan ALshawi
VIP Alumni
VIP Alumni

‎09-24-2008 02:54 AM

if it is comlex like this

allow the communication from the dmz servers to the AD subnet in the inside

0 Helpful

cisco24x7
Level 6
Level 6
In response to Marwan ALshawi

‎09-24-2008 06:04 AM

"allow the communication from the dmz servers to the AD subnet in the inside"

That is really POOR advice. If servers in the

DMZ are compromised, then hackers will be able

to access everything on the AD subnet in the

inside network.

The objective is to get this thing working

while minimizing the security risks. This

can be done by limiting the dynamic DCOM

ports that AD uses. It will involve modifying

windows registries. If you're familiar

with Passive FTP, you get the idea.

That way you will minimize the security risks

to your Corporate network if DMZ Servers are

somehow compromised, your "inside" network

is still protected.

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card