[Freeipa-users] FreeIPA DMZ topology
Aly Khimji
2015-10-07 17:11:52 UTC
Hey guys,

Question for you, would having a replica be the ideal solution for
authorizing hosts in a DMZ?

Do you have any use cases for DMZ access/authorization or topologies you
can share for DMZ zones where FreeIPA is used?

Aly
Baird, Josh
2015-10-07 17:18:48 UTC
I'm also interested in how people are handling this - especially when using AD Trusts.

When using a trust, the IPA host not only has to communicate with IPA servers, but with potentially every AD domain controller in your HUB site. For us, this is a large number of domain controllers, which means we would need a large number of ACLs on our firewalls to permit the IPA DMZ client access to the AD domain controllers.

Any suggestions?

Thanks,

Josh

Aly Khimji
2015-10-07 17:30:33 UTC
Yes, sorry, I should expand on my question: as per Josh's point, my scenario
also has an AD trust involved.
I recently learned of KDC proxying, but I am not sure if replicas and KDC
proxies are the preferred/accepted design solutions for DMZs.

Aly