Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
Announcements
Step-by-Step Configuration and Troubleshooting Best Practices for the NGFW, NGIPS and AMP Technologies A Visual Guide to the Cisco Firepower Threat Defense (FTD)
Highlighted
Community Member

Microsoft AD traffic thru ASA

It seems like most of the info that you find on trying to run AD traffic on an ASA between inside and DMZ hosts is "don't do it!", "its a mess!", "MS AD doesn't play nice!".  However there is an article on PeteNetLive, KB0000973 that references DCERPC inspection to accomplish this feat.  It doesn't look to terrible.  Should I try it or do I follow the most common advice which recommends just using standalone hosts in the DMZ?  Are there other options?  Thanks

5 REPLIES
VIP Green

Re: Microsoft AD traffic thru ASA

I think the main question to answer is do you want to allow AD traffic from your DMZ back into your internal traffic. not from a technical point of view. i.e. can I make it work. But more from a security perspective; am I willing to allow this traffic.

 

I know organisations that wont do it, and run separate AD DMZ accounts for their admins that have 0 privileges in the internal segment.

Please remember to rate useful posts, by clicking on the stars below.

Community Member

Re: Microsoft AD traffic thru ASA

You have a very valid point.  However, in our case we have an application that requires access to AD but that compliance auditors have told us needs to be placed on the DMZ.  It will take several months to re-write the app so for now moving the app to the DMZ is the only option we have,

VIP Green

Re: Microsoft AD traffic thru ASA

Fair enough, so what sort of traffic are you expecting from your dmz server back to your AD environment?

Please remember to rate useful posts, by clicking on the stars below.

Community Member

Re: Microsoft AD traffic thru ASA

Well there are certain things that I don't need which I think will simply things a bit.

 

Not Needed:

File and Print Services

AD replication (only member servers in DMZ)

 

Needed:

I need member servers to behave pretty much as they do when there is no firewall in between them and their DCs like:

Ability to join domain, sync machine account pwd

get IP via DHCP (I think DHCP relay should take care of this)

register hostname with and query DNS on DCs (I think DHCP server takes care of registration but not sure)

sync time with DCs

Query AD for user group membership

Ability to add user/groups from AD to folder security ACLs

Ability to allow local logon using RDP/NLA

Ability for custom apps to authenticate with applications servers on inside network, for instance SQL client on DMZ access SQL DB on inside network

 

The list looks long but I think the hard part is getting RPC based stuff to work thru the firewall.  I hope that is where DCERPC comes in!  The other stuff is standard ports like DNS, SNTP, LDAP, Kerberos, etc.  

 

Thanks,

Diego

VIP Green

Re: Microsoft AD traffic thru ASA

open up 389 for LDAP and 445 for smb

Please remember to rate useful posts, by clicking on the stars below.

147
Views
15
Helpful
5
Replies
CreatePlease to create content