APFW 2009. Webserver on DMZ, not on domain. Impersonator Account?

New Member
Posts: 1
Country: United States

APFW 2009. Webserver on DMZ, not on domain. Impersonator Account?

I am currently installing APFW 2009 on our DMZ webserver. All of the appropriate ports have been set up for access to our ACT DB server on our domain and I can successfully open up the databases I want. I cannot, however, go through the web site administration process because I cannot add an impersonator account that has access to the ACT DB server. Since the webserver is on the DMZ, it cannot add domain user accounts. Anyone else have a similar setup that can toss some advice? Thanks!
Bronze Elite Contributor
Posts: 2,545
Country: New_Zealand

Re: APFW 2009. Webserver on DMZ, not on domain. Impersonator Account?

Interesting problem. With deployment on multiple servers you need the impersonation user to be a domain user which implies a member of the same Active Directory domain. You will require more than just simple packet filter based firewalls. Depending on the nature of your existing DMZ, you may have to spend money on an ISA server. 

 

Two possible solutions using ISA server:

  • Run back-to-back ISA firewalls, with the web server in the DMZ network, but make the web server a member of the same domain as the database server and configure ISA server for the inter-domain access rules and configure routing tables to allow routing between the DMZ network and the Internal network.
  • Simpler, less costly and possibly less secure would be to have a unihomed ISA server on the DMZ network acting in a reverse proxy role to the web server on the Internal network.   

Security is pretty much a subjective decision as to how secure you would see the second option and of course what money is available. The second option allows you to run ISA as a secondary adjunct to your existing DMZ as distinct from replacing your existing DMZ with an ISA solution.

Graeme Leo
Xact Software - consultants and developers