authentication LDAP IN DMZ

Question

HI ALL , I have a new UTM SG310 
 I have 1 server FTP and WEB installed in IIS in DMZ 
 and I have server AD active directory 2012 r2 
 I want the user member of domain can connected to FTP server with authentication LDAP in internal and external what solution or rule to created ? 
 This is the first time when using the Sophos product our old appliance is cyberoam 
 please help me. thank you

Adel Hamdi pacha · Accepted Answer

HI all , Thanks to you all I have to search on Internet I found several solutions like the RODC in the DMZ and ADFS also, I will choose the most secure solution is to Separate the FTP server from the DMZ and put it in the local Used the user portal, vpn SSL client Join UTM to the domain and authentication through the UTM and DC. This is the best solution I think. Thanks to all

DouglasFoster · Answer

If you use ldap authentication from dmz servers to domain controller, you only need to open one port, 389 for cleartext or 636 for TLS encrytion (preferred but requires a trusted certificate). This also means that the dmz servers do not need to ne joined to tbe domain. 
 Remember that ftp is unencrypted, so you should not solicit login credentials or transfer senditove data unless the protocol is sftp or anofher secure protocol.