Provision AD through a firewall

  • Tuesday, September 01, 2009 9:46 PM, Ed Bell
     
    We have a number of customers who insist that our AD infrastructure that we use for their accounts be effectively isolated from our normal, internal network. We would like to be able to provision IDs to those domains, using our existing ILM server that resides on our internal network.

    So my design is such:

         HR <-> MIIS/SQL <-> [Firewall] <-> AD

    To do this, what ports would need to be opened in the firewall? Just the LDAP port/ports (389/1368)?

    Also, am I correct in thinking that all communication between MIIS and AD is (or can be) encrypted?  Or is it only passwords?

    Thanks.

    Ed
    Ed Bell - Specialist, Network Services, Convergys

Answers

  • Tuesday, September 01, 2009 10:19 PM, Markus Vilcinskas (MSFT, Moderator)
    Ed,

    You can find a complete overview of the ports you need to open in the Technical Reference.
    You will need more ports if you are also planning on using PCNS!

    You can use SSL for your AD connection.
    Please see "Connect to an Active Directory Forest" in Help for more details on this.

    While you can avoid using MSRPC ports for the regular interaction of your ADMA with AD, you will have to have these ports open for the initial configuration of the MA.
    That is, open the firewall for the MA configuration and then close it again when you are done.

    When you are done with the initialization of the MA, you can use configured preferred DCs, which eliminates the need for the MA to detect a DC.
    The regular DC detection is based on the DsGetDcName API, which requires MSRPC.

    Cheers,
    Markus


    Markus Vilcinskas, Technical Content Developer, Microsoft Corporation
    • Marked As Answer by Ed Bell, Wednesday, September 02, 2009 2:20 PM
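A post-configuration check along the lines of the answer above, added here as an example and not part of the thread or of the ILM product: run from the MIIS/ILM server after the MA has been initialized and the MSRPC rule closed again, it confirms that the preferred DC is reachable on LDAP and LDAPS but not on the MSRPC endpoint mapper, and that an SSL bind actually completes. The DC name `dc01.isolated.example` and the port assignments (389 LDAP, 636 LDAPS, 135 MSRPC endpoint mapper) are assumptions of this script, not values given in the thread.

```powershell
# Added example (not from the thread). Assumes the preferred DC name below is a
# placeholder and that 389/636/135 are the ports the firewall rules are built on.
param(
    [string]$PreferredDc = 'dc01.isolated.example'   # placeholder, replace with your preferred DC
)

# What the firewall should look like once the MA is configured:
# LDAP/LDAPS allowed for regular MA runs, MSRPC closed again.
$expected = @(
    @{ Port = 389; Name = 'LDAP';                  ShouldBeOpen = $true  },
    @{ Port = 636; Name = 'LDAPS';                 ShouldBeOpen = $true  },
    @{ Port = 135; Name = 'MSRPC endpoint mapper'; ShouldBeOpen = $false }
)

function Test-TcpPort {
    param([string]$ComputerName, [int]$Port, [int]$TimeoutMs = 3000)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $async = $client.BeginConnect($ComputerName, $Port, $null, $null)
        if (-not $async.AsyncWaitHandle.WaitOne($TimeoutMs, $false)) { return $false }
        $client.EndConnect($async)
        return $true
    } catch {
        return $false
    } finally {
        $client.Close()
    }
}

$failures = 0
foreach ($e in $expected) {
    $open    = Test-TcpPort -ComputerName $PreferredDc -Port $e.Port
    $ok      = ($open -eq $e.ShouldBeOpen)
    if (-not $ok) { $failures++ }
    $state   = if ($open) { 'open' } else { 'blocked' }
    $verdict = if ($ok) { 'as expected' } else { 'UNEXPECTED' }
    '{0,-22} tcp/{1,-4} {2,-8} {3}' -f $e.Name, $e.Port, $state, $verdict
}

# Confirm the SSL (LDAPS) bind the answer recommends succeeds through the firewall,
# using the current Windows credentials of the account running the check.
Add-Type -AssemblyName System.DirectoryServices.Protocols
$id   = New-Object System.DirectoryServices.Protocols.LdapDirectoryIdentifier($PreferredDc, 636)
$conn = New-Object System.DirectoryServices.Protocols.LdapConnection($id)
$conn.SessionOptions.SecureSocketLayer = $true
try   { $conn.Bind(); 'LDAPS bind: succeeded' }
catch { $failures++; "LDAPS bind failed: $($_.Exception.Message)" }

exit $failures   # non-zero if any port state or the LDAPS bind did not match expectations
```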
