Solved: Re: Windows domain access from DMZ

bill_baxter · ‎06-11-2008

I have a web server in a DMZ. We can access web pages on the web server from the internal net and the web server can see a database server on the internal side. The web server can ping the DC, but windows authentication does not work. I need to be able to browse files on the web server in the DMZ. I added the web server to the domain prior to putting it in the DMZ.

access-list inside_nat0_outbound extended permit ip 10.4.0.0 255.255.240.0 172.31.4.0 255.255.255.0

access-list DMZ_outbound extended permit ip host 172.31.4.127 host 10.4.0.12 (IP of DC)

Is there something else i need to add so that the web server in the DMZ can authenticat to the DC?

Thanks, Bill

qbakies11 · ‎06-12-2008

Just FYI, it is considered poor design to try and have a domain member server in a DMZ. There are several holes you have to open directly to your DCs which can be seen as a security risk.

You can accomplish being able to access files on the DMZ webserver from the internal network without joining the domain. I have the same setup and just created a local user on the webserver that we use to open the folders.

View solution in original post

froggy3132000 · ‎06-12-2008

Post

sh run nat

sh run global

sh run static

bill_baxter · ‎06-12-2008

nat (inside) 0 access-list inside_nat0_outbound

nat (inside) 1 0.0.0.0 0.0.0.0

global (outside) 1 interface

static (DMZ,outside) tcp x.x.x.x www 172.31.4.127 www netmask 255.255.255.255

qbakies11 · ‎06-12-2008

Just FYI, it is considered poor design to try and have a domain member server in a DMZ. There are several holes you have to open directly to your DCs which can be seen as a security risk.

You can accomplish being able to access files on the DMZ webserver from the internal network without joining the domain. I have the same setup and just created a local user on the webserver that we use to open the folders.

bill_baxter · ‎06-12-2008

Thanks! I removed from the Domain, created a local user, and now all is good.