Extranet and firewall
Posted by ADAM / Extranet on January 16th, 2004


Hello

We are thinking of using ADAM for our extranet authentication. Where can we find the answers to these questions?

1. The firewall does not allow any traffic. What do we need to do?
2. The extranet server is not part of the domain. Will authentication work?
3. Can we allow traffic from AD to the Extranet but not from the Extranet to AD?
4. We support about 15,000 users. How often can we synchronize the Extranet ADAM and AD NO

Where can we find detailed information about implementing ADAM and Identity Integration for extranets with a firewall?

Thank you
Marc

Posted by Al Mulnick on January 17th, 2004


Interesting.
Essentially, most of these answers rely on the firewall technology you have
deployed and what you really want to accomplish.
Let me ask a few questions to see if this can be narrowed down.

What applications will use the identity information?
What is the advantage of using AD/AM vs. local groups or even using a full
blown DMZ Active Directory?
Does your firewall use port forwarding as its mechanism? If so, do you
supply an allow rule and it understands that the conversation is
bi-directional?
What do you plan to use to synchronize directories? MIIS with a one way
push maybe?


Al

"ADAM / Extranet" <anonymous@discussions.microsoft.com> wrote in message
news:3B89D587-BDAF-4FB3-B9E9-83DD46190B09@microsoft.com...


Posted by mgalvez on January 20th, 2004


Hi Al

Q. What applications will use the identity information?
A. We develop web applications for our students, staff and faculty. These users (15,000) already have AD accounts

Q. What is the advantage of using AD/AM vs local groups or even using a full blown DMZ Active Directory?
A. I'm not sure what the best solution is
1. Our network administrator does not want to open traffic to the Intranet from the internet server
2. We do not want to create another full blown Active Directory for just extranet users who already have an AD account in the domain
3. We have about 15,000 users; I would like to take advantage of the existing accounts

Q.Does your firewall use port forwarding as its mechanism? If so, do you supply an allow rule and it understands that the conversation is bi-directional?
A. We use Stable Packet Inspection and yes, it understands that the conversation is bi-directional

Q. What do you plan to use to synchronize directories? MIIS with a one way push maybe?
A. Maybe, I don't know enough to answer your question

Thank you for your input

Marc

Posted by Al Mulnick on January 22nd, 2004


Understood. If they already have accounts, then I'd say you probably
wouldn't want to issue a second one.
A couple of things are going to have to happen in order to make this work:
1) you'll need a way to get this information to the target directory in the
DMZ/Extranet.
2) so of course you'll need a target directory. I've seen where AD/AM is
able to authenticate users. I'm not happy with it so far because from what
I've seen, it's just not quite up to speed yet in the 1.0 version. I've had
flaky experiences with it and I'm not comfortable recommending it to someone
that wants it like you do. I'd be much more comfortable with a protected
install of Active Directory. I need the servers anyway to host multiple
copies of a directory (for failure tolerance), so why not use Active
Directory? It's a known quantity in your case.


You'll want to configure a one-way push from your internal directory to your
target directory. Best way to handle that is with a meta-directory
application such as MIIS. There are others if that's not going to work for
you. But it offers a way to do what you want. I'd put the target directory
in a separate, protected area of the extranet, but it would only accept
communication from the web servers and the meta-directory server. Much more
control.


BTW, I think you meant Stateful Packet Inspection, didn't you? ;-)

"mgalvez" <anonymous@discussions.microsoft.com> wrote in message
news:28A3A136-E1AA-4890-8CC4-21FB3B80D4C3@microsoft.com...
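A toy model of the one-way push Al describes above (internal directory is authoritative, only a chosen attribute set crosses into the DMZ copy, nothing flows back). This is an added illustration, not code from the thread, from MIIS or from ADAM; the attribute whitelist, account names and attribute values are constructed.

```python
from dataclasses import dataclass, field

# Attribute whitelist for the DMZ copy (assumption: a project-specific choice;
# password material and internal-only attributes are deliberately not listed).
PUSHED_ATTRS = ("displayName", "mail", "department")

@dataclass
class DirectoryEntry:
    account: str                       # sAMAccountName-style key
    attrs: dict = field(default_factory=dict)
    enabled: bool = True

def project(entry):
    """Keep only whitelisted attributes; nothing else crosses the firewall."""
    return {k: entry.attrs[k] for k in PUSHED_ATTRS if k in entry.attrs}

def plan_push(source, target):
    """Compute adds/updates/deletes for the target from the internal source.
    The source is authoritative: accounts missing or disabled internally are
    removed from the extranet copy, and the target is never written back."""
    src = {e.account: project(e) for e in source if e.enabled}
    tgt = {e.account: e.attrs for e in target}
    adds = {a: v for a, v in src.items() if a not in tgt}
    updates = {a: v for a, v in src.items() if a in tgt and tgt[a] != v}
    deletes = sorted(a for a in tgt if a not in src)
    return adds, updates, deletes

def apply_push(target, plan):
    """Return the new target list after applying a plan from plan_push."""
    adds, updates, deletes = plan
    result = {e.account: dict(e.attrs) for e in target if e.account not in deletes}
    result.update(adds)
    result.update(updates)
    return [DirectoryEntry(a, attrs) for a, attrs in sorted(result.items())]

# Constructed sample data (not real accounts). "unicodePwd" stands in for an
# attribute that must never reach the DMZ; "mleft" was disabled internally.
SOURCE = [
    DirectoryEntry("asmith", {"displayName": "A. Smith", "mail": "asmith@example.edu",
                              "department": "Physics", "unicodePwd": "<never pushed>"}),
    DirectoryEntry("jdoe", {"displayName": "J. Doe", "mail": "jdoe@example.edu"}),
    DirectoryEntry("mleft", {"displayName": "M. Left"}, enabled=False),
]
TARGET = [
    DirectoryEntry("asmith", {"displayName": "A. Smith", "mail": "asmith@example.edu",
                              "department": "Chemistry"}),  # stale department
    DirectoryEntry("mleft", {"displayName": "M. Left"}),    # disabled at the source
    DirectoryEntry("gone", {"displayName": "Left Campus"}), # no longer at the source
]

if __name__ == "__main__":
    plan = plan_push(SOURCE, TARGET)
    for entry in apply_push(TARGET, plan):
        print(entry)
```

Running the plan twice yields an empty plan the second time, which is the convergence check a scheduled sync job (the "how often" question above) should expect to see.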


Posted by Oriane on January 22nd, 2004


Hello Marco,

I'm dealing with the same type of problem: extranet authentication and
authorization. So if you have found answers to your questions, I would be glad
to hear from you.

The response to question 2 would be interesting for me since the Web server
will be hosted in a provider site.

Also, our client would like to use a PKI and I consider the following
authentication method:

Mapping one-to-one/many: "PKI-based Authentication over SSL/TLS

Using any CA, the Windows Server 2003 Active Directory will allow a user's
X.509 certificate to map directly to the user's account in the Active
Directory. This is accomplished without having to export or import
individual certificates, or provide user names and passwords. Certificate
mapping through the s-channel Security System Provider Interface (SSPI) may
be used by applications such as Internet Information Server, Commerce
Server, remote access services and many others."


Do you think this is the best solution for mapping certificate and a
security principal in AD for an extranet?

Cheers

Oriane

"ADAM / Extranet" <anonymous@discussions.microsoft.com> wrote in message
news:3B89D587-BDAF-4FB3-B9E9-83DD46190B09@microsoft.com...