Security Basics mailing list archives

RE: AD across both DMZ & LAN


From: "Depp, Dennis M." <deppdm () ornl gov>
Date: Tue, 01 Mar 2005 13:03:01 -0500

Leon,

1.  Yes, this is possible.  You will want to set up two forests and
create a one-way trust between the two forests (or between two domains
in the forest).
2.  While not ideal, I think it is an acceptable approach.  However,
your management will have to decide if the risk is worth the cost
savings.
3.  You should be able to configure loopback processing of GPOs on the
Citrix server.  This will allow you to define a separate user profile
when they log onto the Citrix server.

Denny
 

-----Original Message-----
From: Leon North [mailto:leon_nc () linuxmail org] 
Sent: Tuesday, March 01, 2005 10:20 AM
To: security-basics () securityfocus com
Subject: AD across both DMZ & LAN

Hi,

We currently have an NT4 domain in the DMZ and an unrelated NT4 domain
internally. The DMZ domain contains a server running Citrix, and is used
for internet web browsing/email, so that we only have to allow the
Citrix connection through the FW to the LAN & no internal users can
directly access the internet from their PCs.

As part of an upgrade to Active Directory (both domains Win2k3), we
would like to get the DMZ to trust the internal domain, so that we only
have one set of user accounts to manage. But I am not sure about a
couple of things with this setup:

1. Will this work like this, so that we only need 1 user account per
user instead of a separate one externally to internally? (excuse the
vagueness of the question)

2. If so, is that (not ideal I know but) an acceptable approach
security-wise, when the DMZ DC can access the accounts on the internal
domain?

3. Can we configure it somehow so that the user gets a different profile
when logging in to the DMZ only? I ask that because one potential issue
I see is getting a virus infection into the user profile while logged
into the DMZ, then logging into an internal server.

Thanks for any help.

Leon
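An added example, not from this thread or either poster, of how an administrator could verify the two configuration points Denny describes: that the DMZ forest's trust toward the internal forest is one-way with selective authentication, and that loopback processing is enabled on the Citrix host. The forest names dmz.example and corp.example and the host name CTX01 are assumed, as is the ActiveDirectory RSAT module on the DC where the script runs.

```powershell
# Added example (not from the original thread). Assumed names: dmz.example is
# the DMZ forest, corp.example is the internal (account) forest, CTX01 is the
# Citrix host. Run the trust check on a DC of the DMZ domain; it needs the
# ActiveDirectory RSAT module.
Import-Module ActiveDirectory

$internalForest = 'corp.example'   # assumed name of the trusted forest

# 1. Inspect the trust as seen from the DMZ domain. For "DMZ trusts internal"
#    the trust toward corp.example should be Outbound only, not BiDirectional.
$trust = Get-ADTrust -Filter "Name -eq '$internalForest'"
if (-not $trust) {
    Write-Warning "No trust to $internalForest found on this DC"
}
else {
    [pscustomobject]@{
        Target                  = $trust.Name
        Direction               = $trust.Direction                # expect: Outbound
        SelectiveAuthentication = $trust.SelectiveAuthentication  # expect: True
        SIDFilteringForestAware = $trust.SIDFilteringForestAware  # forest trust
        SIDFilteringQuarantined = $trust.SIDFilteringQuarantined  # external trust
    } | Format-List

    if ($trust.Direction -eq 'BiDirectional') {
        Write-Warning 'Trust is two-way: the internal forest also trusts the DMZ forest'
    }
    if (-not $trust.SelectiveAuthentication) {
        Write-Warning 'Selective authentication is off: any internal account can authenticate to any DMZ host'
    }
}

# 2. Check that loopback processing is set on the Citrix host so users get a
#    DMZ-specific user policy. UserPolicyMode: 2 = Replace, 1 = Merge.
$key  = 'SOFTWARE\Policies\Microsoft\Windows\System'
$mode = Invoke-Command -ComputerName 'CTX01' -ScriptBlock {
    (Get-ItemProperty -Path "HKLM:\$using:key" -Name UserPolicyMode `
        -ErrorAction SilentlyContinue).UserPolicyMode
}
switch ($mode) {
    2       { 'Loopback processing: Replace (only DMZ user settings apply)' }
    1       { 'Loopback processing: Merge (internal user settings still apply; DMZ GPOs win on conflict)' }
    default { Write-Warning 'Loopback processing is not configured on CTX01' }
}
```

Replace mode is the closer match to Leon's third question, since it stops the user's internal-domain user policy from applying on the Citrix host at all.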

