It seems like most of the info that you find on trying to run AD traffic on an ASA between inside and DMZ hosts is "don't do it!", "its a mess!", "MS AD doesn't play nice!". However there is an article on PeteNetLive, KB0000973 that references DCERPC inspection to accomplish this feat. It doesn't look to terrible. Should I try it or do I follow the most common advice which recommends just using standalone hosts in the DMZ? Are there other options? Thanks
I think the main question to answer is do you want to allow AD traffic from your DMZ back into your internal traffic. not from a technical point of view. i.e. can I make it work. But more from a security perspective; am I willing to allow this traffic.
I know organisations that wont do it, and run separate AD DMZ accounts for their admins that have 0 privileges in the internal segment.
You have a very valid point. However, in our case we have an application that requires access to AD but that compliance auditors have told us needs to be placed on the DMZ. It will take several months to re-write the app so for now moving the app to the DMZ is the only option we have,
Fair enough, so what sort of traffic are you expecting from your dmz server back to your AD environment?
Well there are certain things that I don't need which I think will simply things a bit.
File and Print Services
AD replication (only member servers in DMZ)
I need member servers to behave pretty much as they do when there is no firewall in between them and their DCs like:
Ability to join domain, sync machine account pwd
get IP via DHCP (I think DHCP relay should take care of this)
register hostname with and query DNS on DCs (I think DHCP server takes care of registration but not sure)
sync time with DCs
Query AD for user group membership
Ability to add user/groups from AD to folder security ACLs
Ability to allow local logon using RDP/NLA
Ability for custom apps to authenticate with applications servers on inside network, for instance SQL client on DMZ access SQL DB on inside network
The list looks long but I think the hard part is getting RPC based stuff to work thru the firewall. I hope that is where DCERPC comes in! The other stuff is standard ports like DNS, SNTP, LDAP, Kerberos, etc.