Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
544
Views
15
Helpful
5
Replies

Microsoft AD traffic thru ASA

tato386
Level 6
Level 6

‎06-13-2018 02:10 PM - edited ‎02-21-2020 07:52 AM

It seems like most of the info that you find on trying to run AD traffic on an ASA between inside and DMZ hosts is "don't do it!", "its a mess!", "MS AD doesn't play nice!".  However there is an article on PeteNetLive, KB0000973 that references DCERPC inspection to accomplish this feat.  It doesn't look to terrible.  Should I try it or do I follow the most common advice which recommends just using standalone hosts in the DMZ?  Are there other options?  Thanks

Labels:
0 Helpful
5 Replies 5

Dennis Mink
VIP Alumni
VIP Alumni

‎06-13-2018 07:05 PM - edited ‎06-13-2018 07:06 PM

I think the main question to answer is do you want to allow AD traffic from your DMZ back into your internal traffic. not from a technical point of view. i.e. can I make it work. But more from a security perspective; am I willing to allow this traffic.

 

I know organisations that wont do it, and run separate AD DMZ accounts for their admins that have 0 privileges in the internal segment.

Please remember to rate useful posts, by clicking on the stars below.

tato386
Level 6
Level 6
In response to Dennis Mink

‎06-14-2018 05:35 AM

You have a very valid point.  However, in our case we have an application that requires access to AD but that compliance auditors have told us needs to be placed on the DMZ.  It will take several months to re-write the app so for now moving the app to the DMZ is the only option we have,

Dennis Mink
VIP Alumni
VIP Alumni
In response to tato386

‎06-14-2018 07:02 AM

Fair enough, so what sort of traffic are you expecting from your dmz server back to your AD environment?

Please remember to rate useful posts, by clicking on the stars below.

tato386
Level 6
Level 6
In response to Dennis Mink

‎06-14-2018 08:59 AM

Well there are certain things that I don't need which I think will simply things a bit.

 

Not Needed:

File and Print Services

AD replication (only member servers in DMZ)

 

Needed:

I need member servers to behave pretty much as they do when there is no firewall in between them and their DCs like:

Ability to join domain, sync machine account pwd

get IP via DHCP (I think DHCP relay should take care of this)

register hostname with and query DNS on DCs (I think DHCP server takes care of registration but not sure)

sync time with DCs

Query AD for user group membership

Ability to add user/groups from AD to folder security ACLs

Ability to allow local logon using RDP/NLA

Ability for custom apps to authenticate with applications servers on inside network, for instance SQL client on DMZ access SQL DB on inside network

 

The list looks long but I think the hard part is getting RPC based stuff to work thru the firewall.  I hope that is where DCERPC comes in!  The other stuff is standard ports like DNS, SNTP, LDAP, Kerberos, etc.  

 

Thanks,

Diego

0 Helpful

Dennis Mink
VIP Alumni
VIP Alumni
In response to tato386

‎06-14-2018 04:02 PM

open up 389 for LDAP and 445 for smb

Please remember to rate useful posts, by clicking on the stars below.

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card