IPSec in frontend/backend

Post by RR » Thu, 27 Mar 2003 07:52:43



I'm setting up a frontend/backend and trying to limit the number of ports
needed between the front and back.  The frontend will be placed in a DMZ,
the backend on the internal LAN.  I'm considering using IPSec, which, according
to the MSFT document, requires you to open 50, 51, 500 (AH, ESP, IKE) and 88
(Kerberos) between the front and back.

I installed Network Monitor (the OS included, not SMS version) and all
traffic from the front to the back is over ESP.  I did notice that the
frontend also trades pings with a domain controller (different system than
the backend).  I believe this is the DSA ping referred to in the MSFT
document and can be disabled in the registry.  I did not notice any other
traffic going from the frontend to the domain controller (although I have
only tested for a handful of hours so far).

I was wondering what ports are needed for the frontend to communicate with a
domain controller (dns, kerberos, ldap?).  At the very least, the system
will need to communicate with a DC for its domain membership.

Also, has anyone implemented this type of solution, and if so, what are your
thoughts on it?

TIA

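The check RR describes above (capture what actually crosses the DMZ boundary, then derive the firewall rules from it) can be scripted. The following is an added example, not code from the original post or from Microsoft; the addresses and the flow list are constructed to look like a NetMon summary, and the service names are the standard assignments (IKE on UDP 500, Kerberos 88, DNS 53, LDAP 389, global catalog 3268). Two points a practitioner wants out of it: ESP and AH are IP protocol numbers (50 and 51) and have no port, so the firewall needs protocol rules for them rather than "port 50/51"; and anything between FE and BE that is not ESP/AH/IKE is traffic the IPSec policy missed.

```python
"""Summarize observed FE/BE/DC traffic into firewall rules and flag gaps.

Added example (not from the original post). Addresses and flows below are
constructed; in practice they would come from a NetMon/tcpdump export.
"""
from collections import defaultdict

# Constructed addresses for the example (assumptions, not from the post).
FE, BE, DC = "10.0.1.10", "10.0.0.20", "10.0.0.5"

PROTO_NAMES = {1: "ICMP", 6: "TCP", 17: "UDP", 50: "ESP", 51: "AH"}
SERVICE_NAMES = {
    (17, 500): "IKE", (6, 88): "Kerberos", (17, 88): "Kerberos",
    (6, 53): "DNS", (17, 53): "DNS", (6, 389): "LDAP", (17, 389): "LDAP",
    (6, 3268): "LDAP-GC", (6, 135): "RPC endpoint mapper",
}

# Constructed capture, one tuple per flow: (src, dst, ip_protocol, dst_port).
# dst_port is None for protocols with no port field (ESP, AH, ICMP).
FLOWS = [
    (FE, BE, 17, 500),   # IKE negotiation
    (FE, BE, 50, None),  # ESP: FE->BE traffic inside the tunnel
    (FE, BE, 50, None),
    (BE, FE, 50, None),  # ESP return traffic
    (FE, DC, 1, None),   # ICMP to the DC (the ping RR noticed)
    (FE, DC, 17, 53),    # DNS
    (FE, DC, 17, 88),    # Kerberos
    (FE, DC, 6, 389),    # LDAP
    (FE, DC, 6, 3268),   # LDAP to the global catalog
]


def describe(proto, port):
    """Render one flow as a rule. TCP/UDP get a port; other IP protocols
    (ESP, AH, ICMP) get a protocol-number rule because they have no port."""
    if proto in (6, 17):
        svc = SERVICE_NAMES.get((proto, port), "unknown")
        return f"{PROTO_NAMES[proto]}/{port} ({svc})"
    return f"ip-proto {proto} ({PROTO_NAMES.get(proto, 'unknown')})"


def summarize(flows):
    """Map each (src, dst) pair to the distinct rules its flows require."""
    rules = defaultdict(set)
    for src, dst, proto, port in flows:
        rules[(src, dst)].add(describe(proto, port))
    return dict(rules)


def cleartext_between(flows, a, b):
    """Flows between a and b that are neither ESP/AH nor the IKE exchange.
    An empty list means the IPSec policy covers everything on that path."""
    return [f for f in flows
            if {f[0], f[1]} == {a, b}
            and f[2] not in (50, 51)
            and not (f[2] == 17 and f[3] == 500)]


def unexpected(rules, allowed):
    """Rules seen on the wire that the allow-list does not account for."""
    out = {}
    for pair, seen in rules.items():
        extra = seen - allowed.get(pair, set())
        if extra:
            out[pair] = sorted(extra)
    return out


# What we intend to permit (assumed policy for the example).
ALLOWED = {
    (FE, BE): {"UDP/500 (IKE)", "ip-proto 50 (ESP)"},
    (BE, FE): {"UDP/500 (IKE)", "ip-proto 50 (ESP)"},
    (FE, DC): {"UDP/53 (DNS)", "TCP/53 (DNS)", "UDP/88 (Kerberos)",
               "TCP/88 (Kerberos)", "TCP/389 (LDAP)", "TCP/3268 (LDAP-GC)"},
}

if __name__ == "__main__":
    rules = summarize(FLOWS)
    for (src, dst), entries in sorted(rules.items()):
        print(f"{src} -> {dst}:")
        for entry in sorted(entries):
            print(f"    allow {entry}")
    print("unprotected FE<->BE flows:", cleartext_between(FLOWS, FE, BE))
    print("not in allow-list:", unexpected(rules, ALLOWED))
```

With the constructed capture, the FE-to-BE path reduces to two rules (UDP 500 and IP protocol 50), `cleartext_between` comes back empty, and the only thing outside the allow-list is the ICMP to the DC, which is exactly the traffic RR was considering turning off. Run it over a real export for longer than a few hours before trusting the list; infrequent flows (password changes, group policy refresh) will not show up in a short sample.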

IPSec in frontend/backend

Post by Neil Hobson » Thu, 27 Mar 2003 17:15:08


My thoughts are that putting a FE server in a DMZ is more trouble than it's
worth.  I'd consider putting an ISA server in the DMZ, the FE server on the
internal network, and reverse publishing the FE server via the ISA server.

--
Neil Hobson
Silversands

http://www.silversands.co.uk

IPSec in frontend/backend

Post by clindel » Wed, 09 Apr 2003 06:40:03


Tia, what is the name of the MSFT doc that you are referring to here?

"I'm considering using IPSec which according to the MSFT document, says you
need to open 50, 51, 500, (AH ESP IKE) and 88"

Thanks,

Clindell


1. frontend/backend topology

hi,
I want to have my Exchange 2000 server and the Active Directory on separate
computers. It means that first I install Active Directory, then on a
different machine I start to install Exchange Server 2000 but without
installing Active Directory, but both machines are in the same domain. So
according to the frontend/backend topology it should automatically look up
the Active Directory present in the domain, but it is giving me the error
"active directory not found".
Please help me out.
thanks
neerak