Questions on a perimeter network.


C

cxk69

I have created a separate forest in a perimeter network and am
trying to work out a few things. The DMZ forest consists of an empty
root DC (let's say DC1), a separate domain DC (DC2), plus two member
servers (MS1,MS2) for a total of four. All WIN2003R2 (2003 Mode).

The plan is to create a one way trust from the DMZ into our network and
a few questions have come up I am having a hard time answering.

As I said I plan on creating a one-way External Trust from DC2 to our
internal network (W2K Native).

Would DC1 (forest root) be involved in this communication through the
firewall?
My guess is no that all communication with DC1 would happen only
within the DMZ.

Who would initiate communication between DC2 and the internal network
in a one-way trust?
My guess is DC2 but I am thinking we may not be able to create a
firewall rule for this and will just need to keep the ports open both
ways.

And last of all, can I force DC2 to a specific DC in our internal
network? It was thought that this might be more secure. I am certain
this can be done but am having trouble locating any info on it.


Thanks for any insight, it is hard for me to find this type of detail
on Microsoft's site.

P.S. My email above is not checked, it's for spam.
 
Ad

Advertisements

R

Ryan Hanisco

Hi CXK,

The scenario that you are following is the model scenario for the
Microsoft Federation Services deployment guide. While you can open
ports and create IPSEC tunnels across your firewall for authentication,
you can do this in a much more protected and secure way with Federation
services.

Given the investment you have made in the hardware, you don't appear to
be trying to do this in a haphazard fashion. Have a look at the
planning and deployment guides and they should take you a long way down
that path. (Gartner has a few articles citing this kind of scenario as
a best practice as well.)

Ryan Hanisco
FlagShip Integration Services
 
Ad

Advertisements

C

cxk69

Thanks. We do plan on rolling out ADFS in the future. It is very new to
me and I do need to read up on it more.


- Chris
 

Ask a Question

Want to reply to this thread or ask your own question?

You'll need to choose a username for the site, which only take a couple of moments. After that, you can post your question and our members will help you out.

Ask a Question

Top