cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
Announcements

Welcome to Firewalls

177
Views
15
Helpful
5
Replies
Highlighted
Enthusiast

Microsoft AD traffic thru ASA

It seems like most of the info that you find on trying to run AD traffic on an ASA between inside and DMZ hosts is "don't do it!", "its a mess!", "MS AD doesn't play nice!".  However there is an article on PeteNetLive, KB0000973 that references DCERPC inspection to accomplish this feat.  It doesn't look to terrible.  Should I try it or do I follow the most common advice which recommends just using standalone hosts in the DMZ?  Are there other options?  Thanks

5 REPLIES
VIP Advocate

Re: Microsoft AD traffic thru ASA

I think the main question to answer is do you want to allow AD traffic from your DMZ back into your internal traffic. not from a technical point of view. i.e. can I make it work. But more from a security perspective; am I willing to allow this traffic.

 

I know organisations that wont do it, and run separate AD DMZ accounts for their admins that have 0 privileges in the internal segment.

Please remember to rate useful posts, by clicking on the stars below.

Enthusiast

Re: Microsoft AD traffic thru ASA

You have a very valid point.  However, in our case we have an application that requires access to AD but that compliance auditors have told us needs to be placed on the DMZ.  It will take several months to re-write the app so for now moving the app to the DMZ is the only option we have,

VIP Advocate

Re: Microsoft AD traffic thru ASA

Fair enough, so what sort of traffic are you expecting from your dmz server back to your AD environment?

Please remember to rate useful posts, by clicking on the stars below.

Enthusiast

Re: Microsoft AD traffic thru ASA

Well there are certain things that I don't need which I think will simply things a bit.

 

Not Needed:

File and Print Services

AD replication (only member servers in DMZ)

 

Needed:

I need member servers to behave pretty much as they do when there is no firewall in between them and their DCs like:

Ability to join domain, sync machine account pwd

get IP via DHCP (I think DHCP relay should take care of this)

register hostname with and query DNS on DCs (I think DHCP server takes care of registration but not sure)

sync time with DCs

Query AD for user group membership

Ability to add user/groups from AD to folder security ACLs

Ability to allow local logon using RDP/NLA

Ability for custom apps to authenticate with applications servers on inside network, for instance SQL client on DMZ access SQL DB on inside network

 

The list looks long but I think the hard part is getting RPC based stuff to work thru the firewall.  I hope that is where DCERPC comes in!  The other stuff is standard ports like DNS, SNTP, LDAP, Kerberos, etc.  

 

Thanks,

Diego

VIP Advocate

Re: Microsoft AD traffic thru ASA

open up 389 for LDAP and 445 for smb

Please remember to rate useful posts, by clicking on the stars below.

CreatePlease to create content
Ask the Expert- Webex Hybrid Services Solutions