Thread Info
  • State Verified Answer
  • Locked Locked
  • Replies 5 replies
  • Answers 1 answer
  • Subscribers 4 subscribers
  • Views 12990 views
  • Users 0 members are here
Options
Suggested
This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

authentication LDAP IN DMZ

Adel Hamdi pacha

HI ALL , I have a new UTM  SG310

 I have 1 server FTP and WEB   installed in IIS  in DMZ

 and  I have  server AD active directory  2012 r2

I want the user member of domain can connected to FTP server  with  authentication LDAP in internal  and external  what solution or rule to created ?

This is the first time when using the Sophos product our old appliance is cyberoam

please help me. thank you



This thread was automatically locked due to age.
  • 0

    Unless you want to be really tight with your rules, I would allow all traffic to flow FROM your DC to your host on the DMZ.

    Now coming back the way, this would be where you tighten the rules and only allow that host to contact the DC on certain ports (see below) for authentication etc

    • UDP Port 88 for Kerberos authentication
    • UDP and TCP Port 135 for domain controllers-to-domain controller and client to domain controller operations.
    • TCP Port 139 and UDP 138 for File Replication Service between domain controllers.
    • UDP Port 389 for LDAP to handle normal queries from client computers to the domain controllers.
    • TCP and UDP Port 445 for File Replication Service
    • TCP and UDP Port 464 for Kerberos Password Change
    • TCP Port 3268 and 3269 for Global Catalog from client to domain controller.
    • TCP and UDP Port 53 for DNS from client to domain controller and domain controller to domain controller.

    Opening above ports in Firewall between client computers and domain controllers, or between domain controllers, will enable Active Directory to function properly.

    You can also specify ephemeral ports to tighten it slightly further if required

    Personally and if possible, I would shy away from having any AD connected servers/clients in the DMZ but I do understand that sometimes this isn't possible.

  • 0 in reply to Louis-M

    hello Louis-M , Thank you for your reply,
    I will try to test this solution,
    I have no choice regarding client / server method, we have users who connect to FTP from their home and sometimes they are on mission they are part of the domain.
    Thank you.

  • 0

    If you use ldap authentication from dmz servers to domain controller, you only need to open one port, 389 for cleartext or 636 for TLS encrytion (preferred but requires a trusted certificate).  This also means that the dmz servers do not need to ne joined to tbe domain.

    Remember that ftp is unencrypted,  so you should not solicit login credentials or transfer senditove data unless the protocol is sftp or anofher secure protocol.

  • 0 in reply to DouglasFoster

    The other problem with authenticated remote access is that there a lot of smart bad guys who are busy doing password-guessing attacks.   You really need to have 2-factor authentication for remote access.   It is definitely required by PCI DSS for anyone who takes credit/debit cards.   You can implement 2-factor with UTM using either WAF (Webserver Protection) or SSL VPN in front o of your DMZ servers.   WAF, of course, would require converting your file share from ftp to https.

  • +1 in reply to DouglasFoster

    HI all , Thanks to you all I have to search on Internet I found several solutions like the RODC in the DMZ and ADFS also, I will choose the most secure solution is to Separate the FTP server from the DMZ and put it in the local
    Used the user portal, vpn SSL client
    Join UTM to the domain and authentication through the UTM and DC. This is the best solution I think.
    Thanks to all

Unfiltered HTML