Configuring ADSelfService Plus to Securely Function in a De-militarized Zone (DMZ)
Enable SSL for Secure Communication over the Internet:
Enable SSL so that all ADSelfService Plus traffic that crosses the Internet is encrypted. To enable SSL in ADSelfService Plus, follow these steps:
Log in to ADSelfService Plus through the "Self-Service Admin Login" using administrator credentials.
Click the "Admin" tab ==> "Connection".
Select the check box next to "Enable SSL Port [https]".
Click "Save" to save the settings, then restart ADSelfService Plus.
ADSelfService Plus now serves its pages over HTTPS. A valid SSL certificate must be installed for this to be secure: the certificate should be issued by a CA that your users' browsers trust, otherwise every visit to the password-reset portal produces a certificate warning that users learn to click through. See "Steps to Install a SSL certificate in ADSelfService Plus".
When ADSelfService Plus is installed in the DMZ (Demilitarized Zone), the firewall between the DMZ and the internal network must allow the ADSelfService Plus server to reach the domain controllers on port "389" (LDAP) and port "135" (RPC endpoint mapper), together with the dynamic RPC ports that the endpoint mapper hands out.
The section "Finding / Identifying Dynamic Ports" describes how to identify the dynamic ports that need to be opened in the firewall. Scope these rules to the ADSelfService Plus server as the only source and the domain controllers as the only destinations; do not open them for the whole DMZ segment. We strongly recommend running ADSelfService Plus in Secure Socket Layer (SSL) mode for a DMZ installation. See the section above on how to enable SSL.
Open up selective Firewall Ports to facilitate access over the Internet:
(i) When ADSelfService Plus is installed on your local area network and its URL is published to the Internet:
Open only the port on which ADSelfService Plus listens. By default ADSelfService Plus runs on port 8888, and the port is configurable. This is the only inbound port that needs to be exposed; the LDAP and RPC ports listed below stay inside the internal network.
(ii) When ADSelfService Plus is installed in the DMZ, open the following ports in the firewall between the DMZ and the internal network, from the ADSelfService Plus server to the domain controllers:
Port "389" (TCP) for the LDAP protocol.
Port "135" (TCP) for the RPC endpoint mapper.
Refer to the section "Finding / Identifying Dynamic Ports" for the dynamic ports that must also be opened in the firewall. These ports carry the communication between Active Directory and ADSelfService Plus.
ADSelfService Plus uses Windows ADSI (Active Directory Service Interfaces) to interact with Active Directory, which in turn uses the LDAP protocol (for querying and modifying directory services over TCP/IP) on port 389.
At present, ADSelfService Plus communicates with Active Directory over a plain LDAP connection on port 389; support for secured LDAP (LDAPS) connections is planned. Until then, the directory traffic between the DMZ and the domain controllers is not protected by TLS, which is one more reason to restrict these rules to exactly the ADSelfService Plus server and the domain controllers rather than to whole subnets.
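Before filing the firewall change as complete, it is worth confirming from the DMZ server that the ports this page lists are actually reachable. The following PowerShell script is an added example, not part of the ADSelfService Plus documentation or product: it checks that the product is listening on its published port (case i) and that every domain controller answers on 389 and 135 (case ii). The domain controller names, the 8888 port and the empty dynamic-port list are placeholders you must replace; 636 is included only as a forward-looking check for LDAPS and is not treated as a failure.

```powershell
# Added example (not from the ADSelfService Plus documentation). Run on the
# ADSelfService Plus server in the DMZ to verify the firewall rules this page
# describes. Requires Windows Server 2012 or later for Test-NetConnection /
# Get-NetTCPConnection.

# --- Assumptions: replace with your real values ---------------------------
$DomainControllers = @('dc01.corp.example', 'dc02.corp.example')  # hypothetical names
$AdsspPort         = 8888   # the port ADSelfService Plus listens on (8888 by default)
$DynamicPorts      = @()    # dynamic RPC ports found with portqry, e.g. 49155, 49158

# Fixed ports from this page. 636 (LDAPS) is optional today; it is checked so the
# rule is already in place if the product is later switched to secure LDAP.
$FixedPorts = [ordered]@{
    389 = 'LDAP (required)'
    135 = 'RPC endpoint mapper (required)'
    636 = 'LDAPS (optional, for a future switch to secure LDAP)'
}

# (i) Is the product itself listening on its published port on this host?
if (Get-NetTCPConnection -State Listen -LocalPort $AdsspPort -ErrorAction SilentlyContinue) {
    Write-Output "ADSelfService Plus is listening on TCP $AdsspPort"
} else {
    Write-Warning "Nothing is listening on TCP $AdsspPort on this host; check the Connection settings"
}

# (ii) Can this DMZ host reach each domain controller on each required port?
function Test-DcPort {
    param([string]$Computer, [int]$Port, [string]$Purpose)
    # TcpTestSucceeded is $true only if a TCP handshake completed through the firewall
    $r = Test-NetConnection -ComputerName $Computer -Port $Port -WarningAction SilentlyContinue
    [pscustomobject]@{
        DomainController = $Computer
        Port             = $Port
        Purpose          = $Purpose
        Open             = $r.TcpTestSucceeded
    }
}

$results = foreach ($dc in $DomainControllers) {
    foreach ($p in $FixedPorts.Keys) {
        Test-DcPort -Computer $dc -Port $p -Purpose $FixedPorts[$p]
    }
    foreach ($p in $DynamicPorts) {
        Test-DcPort -Computer $dc -Port $p -Purpose 'dynamic RPC (from portqry)'
    }
}

$results | Format-Table -AutoSize

# Fail loudly on anything required that is still blocked; 636 is informational only.
$blocked = $results | Where-Object { -not $_.Open -and $_.Port -ne 636 }
if ($blocked) {
    $list = ($blocked | ForEach-Object { "$($_.DomainController):$($_.Port)" }) -join ', '
    Write-Warning "Required ports still blocked by the firewall: $list"
} else {
    Write-Output 'All required ports are reachable from this DMZ host'
}
```

Run it once before the firewall change to see the expected blocked state, and again afterwards; a port that reports open before the change means the DMZ is already more permeable than intended and the existing rules deserve a look.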
Finding / Identifying Dynamic Ports:
ADSelfService Plus uses several other ports that are assigned dynamically by the RPC endpoint mapper on the domain controller. The administrator must identify these dynamic ports and open them in the firewall. To do so, follow the steps below.
Step 1: Open a command prompt on the Domain Controller. PortQry is a Microsoft command-line tool that is not installed with Windows; download it from Microsoft and run the command from the folder that contains portqry.exe.
Step 2: Type the following command and execute it in the command prompt.
    portqry -n "<Your_Domain_Controller_Name>" -e 135 -l resultPorts.txt
If the RPC endpoint mapper runs on a port other than 135, replace 135 in the above command with that port number.
Step 3: After the command completes, open "resultPorts.txt" in the folder from which the command was run.
Step 4: Search for every "ncacn_ip_tcp" entry in "resultPorts.txt" (for example: ncacn_ip_tcp:100.190.1.2[1142]). Entries of other kinds, such as ncacn_np named-pipe endpoints, do not carry a TCP port and can be ignored here.
Step 5: The value in the square brackets [ ] is a port that needs to be opened. Make a note of each one (in the example above, 1142 is the port that needs to be opened).
Step 6: Continue searching until the end of the file, then open all the identified ports. Note that these ports are assigned when the services start, so they can change after a domain controller is rebooted or a service is restarted; repeat the procedure after such changes, and run it against every domain controller that ADSelfService Plus will contact, since each registers its own set of endpoints. If you would rather not chase changing ports, Microsoft documents how to pin the Active Directory RPC interface to a fixed port through the NTDS service's "TCP/IP Port" registry value; re-run this procedure after making such a change.
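Reading a long resultPorts.txt by hand is error-prone, so here is an added PowerShell example (not part of the ADSelfService Plus documentation) that does Steps 4 to 6 mechanically: it parses the portqry output, keeps only the ncacn_ip_tcp endpoints, prints the distinct TCP ports, flags any that fall outside the default dynamic range of Windows Server 2008 and later (49152 to 65535), and emits a one-line summary for the firewall request. If no resultPorts.txt is found it falls back to a constructed sample in the same shape as portqry writes; the UUIDs, addresses and ports in that sample are made up for illustration.

```powershell
# Added example (not from the ADSelfService Plus documentation). Parses the
# resultPorts.txt produced by:  portqry -n "<DC>" -e 135 -l resultPorts.txt
# Usage:  .\Get-DynamicRpcPorts.ps1 [-ResultFile .\resultPorts.txt]
param([string]$ResultFile = '.\resultPorts.txt')

# Constructed sample in the shape of portqry's endpoint-mapper dump; used only
# when the real file is absent. All identifiers and numbers below are made up.
$SampleOutput = @'
TCP port 135 (epmap service): LISTENING
Using ephemeral source port
Querying Endpoint Mapper Database...
Server's response:

UUID: 12345778-1234-abcd-ef00-0123456789ac
ncacn_ip_tcp:10.10.1.5[49155]

UUID: e3514235-4b06-11d1-ab04-00c04fc2dcd2 MS NT Directory DRS Interface
ncacn_ip_tcp:10.10.1.5[49158]

UUID: e3514235-4b06-11d1-ab04-00c04fc2dcd2 MS NT Directory DRS Interface
ncacn_np:\\DC01[\PIPE\lsass]

UUID: 12345678-1234-abcd-ef00-01234567cffb
ncacn_ip_tcp:10.10.1.5[49155]

Total endpoints found: 4
'@

if (Test-Path $ResultFile) {
    $lines = Get-Content $ResultFile
} else {
    Write-Warning "$ResultFile not found; using the constructed sample output instead"
    $lines = $SampleOutput -split "`r?`n"
}

# Each TCP endpoint is written as "ncacn_ip_tcp:<address>[<port>]". Named-pipe
# endpoints (ncacn_np) ride over SMB and carry no port, so they are skipped.
$endpoints = foreach ($line in $lines) {
    if ($line -match 'ncacn_ip_tcp:(?<ip>[^\[\s]+)\[(?<port>\d+)\]') {
        [pscustomobject]@{ Address = $Matches.ip; Port = [int]$Matches.port }
    }
}

if (-not $endpoints) {
    Write-Warning 'No ncacn_ip_tcp endpoints found; was the file produced with -e 135?'
    return
}

# The same port is often registered by several interfaces; we only need it once.
$ports = $endpoints.Port | Sort-Object -Unique
Write-Output 'Distinct dynamic TCP ports registered with the endpoint mapper:'
$ports | ForEach-Object { Write-Output "  $_" }

# Ports below 49152 are outside the default dynamic range of Windows Server 2008
# and later; they usually mean a service pinned to a fixed port or an older OS.
$outOfRange = $ports | Where-Object { $_ -lt 49152 }
if ($outOfRange) {
    Write-Output "Ports outside the default dynamic range 49152-65535: $($outOfRange -join ', ')"
}

# Ready-to-paste summary for the change request: fixed ports from this page plus
# the dynamic ones just found, source ADSelfService Plus server, destination DCs.
$allPorts = (@(135, 389) + $ports) -join ', '
Write-Output "Allow TCP from <ADSelfService Plus server> to <domain controllers> on: $allPorts"
```

Because the endpoint mapper assigns these ports at service start, keep the script and re-run it after a domain controller restart; a diff of two runs shows exactly which firewall entries went stale.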