Search Results

Search found 249 results on 10 pages for 'dmz'.

facebook twitter digg google delicious technorati stumbleupon myspace wordpress linkedin gmail igoogle windows live tumblr viadeo yahoo buzz yahoo mail yahoo bookmarks favorites email print

Page 1/10 | 1 2 3 4 5 6 7 8 9 10  | Next Page >

  • Distinction between an extranet and a DMZ

    - by Markus Yrjölä
    I've been reading about intranets, extranets, DMZs and VPNs now, and I'd need some clarifications related to extranets and DMZs. I understand that they are different types of concepts - extranet allows limited access to some intranet resources, while DMZ is a subnet that sits between the internet and intranet and hosts the external-faced services. However, I'd like to know what is their distinction in practice in a usual setup? The Wikipedia article on extranets says that extranets are similar to DMZs because they are used for the same purpose (providing access to some services/resources without exposing the whole intranet). The article also states that an extranet is a part of a VPN, and this TechNet article also states that extranet access is often implemented similarly to remote intranet access, e.g. with a VPN. The TechNet article also says that commonly the extranet is hosted inside the DMZ. This Pearson article says "Although [the DMZ] is technically located within the intranet, [it] can serve as the extranet as well". This is slightly confusing. Consider this scenario: A company has a B2C website hosted in the DMZ. The website can be accessed from anywhere, but requires user authentication. The underlying web app has its database inside the intranet and also interacts with some web services that are hosted inside the intranet (i.e. it accesses intranet resources). The way I see it, the website does effectively offer a restricted access to the intranet. But can it be considered an extranet? If we take the Wikipedia definition of an extranet literally - "An extranet is a computer network that allows controlled access from outside of an organization's intranet" - I think it can. Let's say that the above can't be considered an extranet. What if we change the scenario slightly, and say it's a B2B website, where the access is e.g. limited to connections coming from a specific business partner (by using site-to-site VPN, for example). In this case it surely is an extranet, right? If this is the case, then the difference between extranet services and any other services hosted in the DMZ is simply access restrictions?

    Read the article

  • Esx servers in a DMZ

    - by James
    I have two ESX 3.5 servers in a DMZ. I can access these servers on any port from my lan via a VPN. Servers in the DMZ are unable to initiate connections back to the lan, for obvious reasons. I have a vCenter server on my lan and can initially connect to the esx servers fine. However the esx servers then try to send a hearth beat back to the vCenter server on udp/902 obviously this will not get back to the vCenter server, which then marks the ESX servers as not responding and disconnects. There are two broad solutions I can think of; 1) Try to tell vCenter to ignore not getting heart beats. The best I can do here is delay the disconnect by 3 mins. 2) Try some clever network solution. However again I am at loss. Note: The vCenter server is on a lan, and cannot be given a public IP, so firewall rules back will not work. And also I cannot setup a VPN from the DMZ to the lan. **I am adding the following, explanation that I added to the comments Ok maybe this is the bit that I not explaining well. The DMZ is on a remote site, an entirely independent network (network 1). The vCenter server is on our office lan (network 2). Network 2 can connect to any machine on any port on network 1. But network 1 is not allowed to initiate a connection to network 2. Any traffic destined to network 2 from network 1 gets dropped by the firewall as it is traffic to a non-routable address. The only solution I can think of is setting up a VPN from network 1 to network 2, but this is not acceptable So any clever folk out there any ideas? J

    Read the article

  • Putting a Windows DC, Exchange in a DMZ

    - by blsub6
    I have one guy at my company telling me that I should put FF:TMG in between my main Internet-facing firewall (Cisco 5510) and put my Exchange server and DC on the internal network. I have another guy telling me that I should put the Exchange server and DC in a DMZ I don't particularly like the idea of having my mailboxes and DC's usernames/passwords in a DMZ and I think that Windows authentication would require me opening up so many ports between my DMZ and my internal network that it would be a moot point to have it out there anyways. What are some thoughts? How do you have it set up?

    Read the article

  • Should a webserver in the DMZ be allowed to access MSSQL in the LAN?

    - by Allen
    This should be a very basic question and I tried to research it and couldn't find a solid answer. Say you have a web server in the DMZ and a MSSQL server in the LAN. IMO, and what I've always assumed to be correct, is that the web server in the DMZ should be able to access the MSSQL server in the LAN (maybe you'd have to open a port in the firewall, that'd be ok IMO). Our networking guys are now telling us that we can't have any access to the MSSQL server in the LAN from the DMZ. They say that anything in the DMZ should only be accessible FROM the LAN (and web), and that the DMZ should not have access TO the LAN, just as the web does not have access to the LAN. So my question is, who is right? Should the DMZ have access to/from the LAN? Or, should access to the LAN from the DMZ be strictly forbidden. All this assumes a typical DMZ configuration.

    Read the article

  • Cisco Multi-DMZ firewall

    - by BParker
    I need to find a firewall that will give me 1 LAN port, and 5-7 DMZ ports. I have a requirement to replace some FreeBSD systems that are used to run some testing equipment. It is essential that the DMZ ports cannot communicate with each other, but the LAN port can communicate with everyone. That way a user on the LAN can connect to the test systems, but the test systems are isolated entirely and cannot interfere with each other. One of the DMZ's will be connected to a VMWare ESXi server, one to a standard server, and the rest to various types of equipment. The lan port will be connected to the corporate LAN switch. Sorry if i am a little vague, I am just trying to work all this out myself! Currently we have a FreeBSD configured, but the quad port NIC's are pretty expensive, and the PC itself is old, so i would prefer to replace it with a dedicate piece of kit which can do the same job, but more reliably! These test rigs are used all over the place, and get moved quite often, so i am aiming for Cisco kit for ease of configuration and reliability of the hardware itself. Thanks

    Read the article

  • Sonicwall NSA 240, Configured for LAN and DMZ, X0 and X2 on same switch - ping issues

    - by Klaptrap
    Our Sonicwall vendor supplied and networked the NSA240 when we required a DMZ in our infrastructure. This was configured and appeared correct although VPN users periodically dropped DNS and Terminal Services. The vendor could not resolve and so the call was escalated to Sonicwall. The Sonicwall support engineer took a look and concluded that the X0 (LAN) and X2 (DMZ) intefaces were cabled to the same switch and so this is the issue. What he observed is a ping request to the LAN Domain Controller, from a connected VPN user, is forwarded (x0) from the VPN client IP to the DC IP but the ping response from the DC IP to the VPN client IP is on X2, a copy of the log is detailed below:- 02/02/2011 10:47:49.272 X1*(hc) X0 192.168.1.245 192.168.1.8 IP ICMP -- FORWARDED 02/02/2011 10:47:49.272 -- X0* 192.168.1.245 192.168.1.8 IP ICMP -- FORWARDED 02/02/2011 10:47:49.272 X2*(i) -- 192.168.1.8 192.168.1.245 IP ICMP -- Received X0 - LAN X1 - WAN X2 - DMZ The Sonicwall engineer concluded that we either need a seperate switch for X2 or we use a VLAN switch for both. I am the companies software engineer and we have yet to have heard back from the vendor, so I am lost at sea at the moment. Do we need to buy this additional equipment or is there another configuration on the NSA240 we can use?

    Read the article

  • i cant ping to my DMZ zone from the local inside PC

    - by Big Denzel
    HI everybody. Can anyone please help me on the following issue. I got a Cisco Asa 5520 configured at my network. I cant ping to my DMZ interface from a local inside network PC. so the only way a ping the DMZ is right from the Cisco ASA firewall, there i can pint to all 3 interfaces, Inside, Outside and DMZ,,,, But no PC from the Inside Network can access the DMZ. Can please any one help? I thank you all in advance Bellow is my Cisco ASA 5520 Firewall show run; ASA-FW# sh run : Saved : ASA Version 7.0(8) ! hostname ASA-FW enable password encrypted passwd encrypted names dns-guard ! interface GigabitEthernet0/0 description "Link-To-GW-Router" nameif outside security-level 0 ip address 41.223.156.109 255.255.255.248 ! interface GigabitEthernet0/1 description "Link-To-Local-LAN" nameif inside security-level 100 ip address 10.1.4.1 255.255.252.0 ! interface GigabitEthernet0/2 description "Link-To-DMZ" nameif dmz security-level 50 ip address 172.16.16.1 255.255.255.0 ! interface GigabitEthernet0/3 shutdown no nameif no security-level no ip address ! interface Management0/0 description "Local-Management-Interface" no nameif no security-level ip address 192.168.192.1 255.255.255.0 ! ftp mode passive access-list OUT-TO-DMZ extended permit tcp any host 41.223.156.107 eq smtp access-list OUT-TO-DMZ extended permit tcp any host 41.223.156.106 eq www access-list OUT-TO-DMZ extended permit icmp any any log access-list OUT-TO-DMZ extended deny ip any any access-list inside extended permit tcp any any eq pop3 access-list inside extended permit tcp any any eq smtp access-list inside extended permit tcp any any eq ssh access-list inside extended permit tcp any any eq telnet access-list inside extended permit tcp any any eq https access-list inside extended permit udp any any eq domain access-list inside extended permit tcp any any eq domain access-list inside extended permit tcp any any eq www access-list inside extended permit ip any any access-list inside extended permit icmp any any access-list dmz extended permit ip any any access-list dmz extended permit icmp any any access-list cap extended permit ip 10.1.4.0 255.255.252.0 172.16.16.0 255.255.25 5.0 access-list cap extended permit ip 172.16.16.0 255.255.255.0 10.1.4.0 255.255.25 2.0 no pager logging enable logging buffer-size 5000 logging monitor warnings logging trap warnings mtu outside 1500 mtu inside 1500 mtu dmz 1500 no failover asdm image disk0:/asdm-508.bin no asdm history enable arp timeout 14400 global (outside) 1 interface nat (inside) 1 0.0.0.0 0.0.0.0 static (dmz,outside) tcp 41.223.156.106 www 172.16.16.80 www netmask 255.255.255 .255 static (dmz,outside) tcp 41.223.156.107 smtp 172.16.16.25 smtp netmask 255.255.2 55.255 static (inside,dmz) 10.1.0.0 10.1.16.0 netmask 255.255.252.0 access-group OUT-TO-DMZ in interface outside access-group inside in interface inside access-group dmz in interface dmz route outside 0.0.0.0 0.0.0.0 41.223.156.108 1 timeout xlate 3:00:00 timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02 timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00 timeout uauth 0:05:00 absolute http server enable http 10.1.4.0 255.255.252.0 inside no snmp-server location no snmp-server contact snmp-server enable traps snmp authentication linkup linkdown coldstart crypto ipsec security-association lifetime seconds 28800 crypto ipsec security-association lifetime kilobytes 4608000 telnet timeout 5 ssh timeout 5 console timeout 0 management-access inside ! ! match default-inspection-traffic ! ! policy-map global_policy class inspection_default inspect dns maximum-length 512 inspect ftp inspect h323 h225 inspect h323 ras inspect netbios inspect rsh inspect rtsp inspect skinny inspect esmtp inspect sqlnet inspect sunrpc inspect tftp inspect sip inspect xdmcp ! service-policy global_policy global Cryptochecksum: : end ASA-FW# Please Help. Big Denzel

    Read the article

  • FTP in DMZ, TCP Ports for LDAP Auth

    - by sam
    szenario: (outside)---(ASA5510)---(inside) -Windows2008 DC .....................(dmz) ..........-Win2008 FTP Server Which Ports do I need to open from DMZ-Inside that FTP Users can authentificated on the Inside DC? I have allready opend 389 (Ldap), 636 (secure Ldap) and 53 (dns). But the ftp Client stucks allways after processing the credentials and the FTP Server gives you an eventlog "logon error". the error messages indicates that there could be an issue with closed ports. if I turn the ACL to "IP", that means all ports are open, everything is working fine.

    Read the article

  • SSL certs or intermediate for DMZ

    - by rex
    I've been tasked with deploying and managing load balancers covering internal servers and DMZ servers. I have no experience with this, and this is a first for my organization as well. Balancers are up, running, legit. Currently we are using a self-signed cert for Exchange/OWA. I know that we should have a cert signed by a CA, but the balancer has options for SSL cert or intermediate cert, and I'm unclear on the difference, or on which we need. We will be hosting Lync, Exchange and some custom apps in the DMZ. disclaimer: Apologies up front, I'm desktop support. I recently passed my Net+. It seems that has made me the network engineer in this organization.

    Read the article

  • SFTP: How to keep data out of the DMZ

    - by ChronoFish
    We are investigating solutions to the following problem: We have external (Internet) users who need access to sensitive information. We could offer it to them via SFTP which would offer a secure transport method. However, we don't want to maintain the data on server as it would then reside in the DMZ. Is there an SFTP server that has "copy on access" such that if the box in the DMZ were to be compromised, no actual data resided on that box? I am envisioning an SFTP Proxy or SFTP passthrough. Does such a product exist currently?

    Read the article

  • Servers in DMZ will not communicate with each other

    - by Tukaro
    (Full disclosure: I rate barely above "noob" when it comes to networking.) My workplace recent got a new web server. Since we're nearing the end of an overhaul of our website, we're doing a slooooow migration between the old web server and the new one. The old webserver (we'll call it SERVOLD) is Windows Server 2008 with IIS 7. It does not have SQL Server installed. The new server (SERVNEW) is Windows Server 2008 R2, IIS 7.5, with the same version of SQL Server installed. Both are located in the DMZ for our network, and both have their own outward-facing IP address (.3 and .4, respectively). Each server can communicate fine with computers within the domain (not in the DMZ), and those same computers have no trouble communicating with either server. Both servers are also accessible from the internet just fine. However, no matter what, these two servers just refuse to recognize each other. They have the same Workgroup name listed (WORKGROUP), and I thought that would be enough for them to recognize each other. What needs to happen such that I can get these two servers to communicate with each other? We want to do a gradual roll-over to the new website (new one uses ASP.NET, old one uses CFMX), so being able to use one database between both servers is a necessity. Thanks!

    Read the article

  • How to place a virtual machine in DMZ?

    - by Giordano
    I have an Ubuntu 12.04 server running few virtual machines with KVM. I would like to expose some of these virtual machines on the internet, to make it possible for customers to test the products we're developing and make available other products for demo purposes. One of the server NICs is configured with a public IP. However before exposing anything on the web I would like to be sure that if one of the virtual machines get compromised, the attacker doesn't reach the rest of the hosts. What I would like to do is to put these virtual machines into a DMZ. These are the steps I'm planning to do: Create a tap interface in the virtualization host (let's say tap1) Create a bridge using tap1 and give it an IP in a subnet separate from the other hosts. Let's say 10.0.0.1 Attach the DMZ virtual machines to the bridge and configure their IP statically (10.0.0.2, 10.0.0.3, etc...) Using UFW, forbid any traffic from 10.0.0.0/24 to any of the internal hosts, allow the traffic from the internal hosts towards 10.0.0.0/24 and expose the virtual machines on the web using port forwarding. Do you think this setup is safe? Can you suggest any improvement or a better/safer approach? Thanks in advance!

    Read the article

  • Persistent TCP connection in DMZ

    - by G33kKahuna
    A vendor is requesting to allow persistent tcp (not port 80) connection between a server in the DMZ and the internal network. I don't have much experience with this setting. Can anyone shed some light on disadvantages of allowing persistent connection? Guidance is much apprciated.

    Read the article

  • Routing from the DMZ to the interior network only

    - by Allan
    I have a home network connected to Verizon's FIOS service. Verizon's ActionTec router is connected to the ONT via coax to establish the MOCA network. My DD-WRT router's WAN port is connected to one of the ActionTec's LAN ports. The DD-WRT router is configured with a static IP address and assigned to the DMZ (this is done so I only have to configure port forwarding once). My issue is that this does not allow computers connected to the DD-WRT to serve streaming audio/video to the MOCA network using Verizon's Media Manager. I know that Media Manager uses ports 18001, 5050, and 5060, but I don't know how to forward those ports so that they are only available to the ActionTec's network and not the rest of the internet.

    Read the article

  • Allow access from outside network with dmz and iptables

    - by Ivan
    I'm having a problem with my home network. So my setup is like this: In my Router (using Ubuntu desktop v11.04), I installed squid proxy as my transparent proxy. So I would like to use dyndns to my home network so I could be access my server from the internet, and also I installed CCTV camera and I would like to enable watching it from internet. The problem is I cannot access it from outside the net. I already set DMZ in my modem to my router ip. My first guess is because i'm using iptables to redirect all inside network to use squid. And not allow from outside traffic to my inside network. Here is my iptables script: #!/bin/sh # squid server IP SQUID_SERVER="192.168.5.1" # Interface connected to Internet INTERNET="eth0" # Interface connected to LAN LAN_IN="eth1" # Squid port SQUID_PORT="3128" # Clean old firewall iptables -F iptables -X iptables -t nat -F iptables -t nat -X iptables -t mangle -F iptables -t mangle -X # Load IPTABLES modules for NAT and IP conntrack support modprobe ip_conntrack modprobe ip_conntrack_ftp # For win xp ftp client #modprobe ip_nat_ftp echo 1 > /proc/sys/net/ipv4/ip_forward # Setting default filter policy iptables -P INPUT DROP iptables -P OUTPUT ACCEPT # Unlimited access to loop back iptables -A INPUT -i lo -j ACCEPT iptables -A OUTPUT -o lo -j ACCEPT # Allow UDP, DNS and Passive FTP iptables -A INPUT -i $INTERNET -m state --state ESTABLISHED,RELATED -j ACCEPT # set this system as a router for Rest of LAN iptables --table nat --append POSTROUTING --out-interface $INTERNET -j MASQUERADE iptables --append FORWARD --in-interface $LAN_IN -j ACCEPT # unlimited access to LAN iptables -A INPUT -i $LAN_IN -j ACCEPT iptables -A OUTPUT -o $LAN_IN -j ACCEPT # DNAT port 80 request comming from LAN systems to squid 3128 ($SQUID_PORT) aka transparent proxy iptables -t nat -A PREROUTING -i $LAN_IN -p tcp --dport 80 -j DNAT --to $SQUID_SERVER:$SQUID_PORT # if it is same system iptables -t nat -A PREROUTING -i $INTERNET -p tcp --dport 80 -j REDIRECT --to-port $SQUID_PORT # DROP everything and Log it iptables -A INPUT -j LOG iptables -A INPUT -j DROP If you know where did I miss, please advice me. Thanks for all your help and I really appreciate it.

    Read the article

  • Proper Network Infastructure Setup DMZ, VPN, Routing Hardware Question

    - by NickToyota
    Greetings Server Fault Universe, So here's a quick background. Two weeks ago I started a new position as the systems administrator for an expanding health services company of just over 100 persons. The individual I was replacing left the company with little to no notice. Basically, I have inherited a network of one main HQ (where I am situated) which has existed for over 10 years, with five smaller offices (less than 20 persons). I am trying to make sense of the current setup. The network at the HQ includes: Linksys RV082 Router providing internet access for employees and site to site VPN connecting the smaller offices (using an RV042 each). We have both cable and dsl lines connected to balance traffic (however this does not work at all and is not my main concern right now). Cisco Ironport appliance. This is the main gateway for our incoming and outgoing emails. This also has an external IP and internal IP. Lotus domino in and out email servers connected to the mentioned Cisco gateway. These also have an external IP and internal IP. Two windows 2003 and 2008 boxes running as domain controllers with DNS of course. These also have both an external IP and internal IP. Website and web mail servers also on both external and internal IPs. I am still confused as why there are so many servers connected directly to the internet. I am seriously looking to redesign this setup with proper security practices in mind (my highest concern) and am in need of a proper firewall setup for the external/internal servers along with a VPN solution about 50 employees. Budget is not a concern as I have been given some flexibility to purchase necessary solutions. I have been told Cisco ASA appliance may help. Does anyone out in the Server Fault Universe have some recommendations? Thank you all in advance.

    Read the article

  • Blade Enclosure, Multiple Blade Servers, Whats the closest approximation to a DMZ?

    - by codeulike
    I appreciate that to get a proper DMZ, one should have a physical separation between the DMZ servers and the LAN servers, with a firewall server in between. But, in a network consisting of a single Blade Enclosure containing two or more Blade servers, whats the closest approximation to a DMZ that could be designed? More details: Virtual servers, mostly Windows, running in a VMWare environment on the Blade servers, and physical firewall box between the Blade enclosure and the internet.

    Read the article

  • How can I make my livebox route to my external IP address for a computer in the DMZ?

    - by Noli
    I have a sagem livebox 2 (Fiber optic model), and have placed my computer in a DMZ. People from outside of my network can access my comp fine via its external dyndns.org address, yet when I try to call the public dyndns.org address from inside my network, I get redirected to the internal admin site on the router. How can I make it so that I can see my comp from the public address like everyone else? What kinds of questions should I be asking or looking into? Thanks

    Read the article

  • Connection between Windows Web Server in DMZ and Windows Application Server and MS SQL Database Server within LAN [closed]

    - by user1345260
    Excuse me for being naive. But I'm a newbie. We have a Windows Web Server within DMZ and a Windows Application Server and MS SQL Database Server. What ports do we open for connection between them? For example: Someone opens the Data Driven Website on the Web Server and they should be able see the data that the website is trying to access from the Database. Currently, I'm planning to open the following ports on the Web Server to establish the access, 80 HTTP 443 HTTPS 21 FTP 3389 RDP 53 DNS 1433 MS SQL Server Please validate my assumption. I would highly appreciate your help. Also, please provide me any articles on this topic so that I can read.

    Read the article

  • Oracle Application in DMZ (Demilitarized Zone)

    - by PRajkumar
     Business Needs Large Organizations want to expose their Oracle Application services outside their private network (HTTP/HTTPS and SSL). Usually these exposures must exist to promote external communication. So they want to separate an external network from directly referencing an internal network   Business Challenges ·         Business does not want to compromise with security information ·         Business cannot expose internal domain or internal URL information   Business Solution DMZ is the solution of this problem. In Oracle application we can achieve this by following way –   ·         Oracle Application consists of fleet nodes (FND_NODES) so first decide which node have to expose to public ·         To expose the node to public use the profile “Node Trust Level” ·         Set node to Public/Private (Normal -> private, External -> public) ·         Set "Responsibility Trust Level" profile to decide whether to expose Application Responsibility to inside or outside firewall         Solution Features   ·         Exposed web services can be accessed by both internal and external users ·         Configurable and can be very easily rolled out ·         Internal network and business data is secured from outside traffic ·         Unauthorized access to internal network from outside is prohibited ·         No need for VPN and Secure FTP server   Benefits  ·       Large Organizations having Oracle Application can expose their web services like (HTTP/HTTPS and SSL) to the internet without compromise with security information and without exposing their internal domain   Possible Week Points  ·         If external firewall is compromised, then external application server is also compromised, exposing an attack on E-Business Suite database ·         There’s nothing to prevent internal users from attacking internal application server, also exposing an attack on E-Business Suite database   Reference Links  ·         https://blogs.oracle.com/manojmadhusoodanan/tags/dmz

    Read the article

  • How to Setup Sharepoint Extranet to authenticate against a dmz AD

    - by Satish
    I have a web app which is extended to extranet for our clients to access. We have setup a different AD server and domain for dmz and clients have to be authenticated against that domain. I'm little confused about the setup especially what all web.config files I have to update. Do I have to update the web.config file for Central admin site and the extended web app. According to this blog I need to do update both, but as soon as I make the changes in the web.config for central admin, central admin site stops working. Here is what I added to the central admin web.config file between /Sharepoint and system.web I have this <connectionStrings> <add name="DMZConnectionString" connectionString= "LDAP://dmz.xxx.com:389/OU=Clients,DC=dmz,DC=xxx,DC=com "/> Between system.web and securityPolicy <membership defaultProvider=”DMZADProvider“> <providers> <add name="DMZADProvider" connectionStringName="DMZConnectionString" connectionUsername="DMZ\ldapUser" connectionPassword="Password" enableSearchMethods="true" attributeMapUsername="userPrincipalName" type="System.Web.Security.ActiveDirectoryMembershipProvider, System.Web, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" /> </providers> </membership> I know the connectionusername and password works becuase I use the same in SSP for importing profiles. Any idea what might be causing the error?

    Read the article

  • Best practice for authenticating DMZ against AD in LAN

    - by Sergei
    We have few customer facing servers in DMZ that also have user accounts , all accounts are in shadow password file. I am trying to consolidate user logons and thinking about letting LAN users to authenticate against Active Directory.Services needing authentication are Apache, Proftpd and ssh. After consulting security team I have setup authentication DMZ that has LDAPS proxy that in turn contacts another LDAPS proxy (proxy2) in LAN and this one passes authentication info via LDAP (as LDAP bind) to AD controller.Second LDAP proxy only needed because AD server refuses speak TLS with our secure LDAP implemetation. This works for Apache using appropriate module.At a later stage I may try to move customer accounts from servers to LDAP proxy so they are not scattered around servers. For SSH I joined proxy2 to Windows domain so users can logon using their windows credentials.Then I created ssh keys and copied them to DMZ servers using ssh-copy, to enable passwordless logon once users are authenticated. Is this a good way to implement this kind of SSO?Did I miss any security issues here or maybe there is a better way ofachieving my goal?

    Read the article

facebook twitter digg google delicious technorati stumbleupon myspace wordpress linkedin gmail igoogle windows live tumblr viadeo yahoo buzz yahoo mail yahoo bookmarks favorites email print

1 2 3 4 5 6 7 8 9 10  | Next Page >