
I'm using pfSense with 3 interfaces: LAN, DMZ and WAN. The LAN contains my Domain Controller and my main forest of course (abc.com), the DMZ contains some web servers. The other forest is located somewhere else on the Internet and therefore is on the WAN interface. Following a strict policy, I totally blocked traffic from WAN to LAN and permitted only HTTP/HTTPS from WAN to DMZ. My question is: what is the best way to establish a trust relationship between the two forests (WAN -> LAN) SAFELY? Opening the ports for the specific protocols needed seems risky, and other people discourage using a read-only domain controller in the DMZ, so what's the most secure way to do it?

1 Answer


I'd say you'd first need to establish a VPN tunnel between the two sites, and then set up the trust; that way you're not exposing critical AD infrastructure to the Internet directly. IPsec/IKEv2 is the current best practice for a site-to-site VPN tunnel.

Stuggi
  • Is it possible to set up a site-to-site VPN when both networks have a dynamic IP on their WAN interface (assuming they use NAPT)? – Milorn Ovivias Nov 06 '20 at 01:12
  • IKEv2 supports hostnames as the endpoint, so with Dynamic DNS service (for example Cloudflare), you can set it up even with dynamic IPs. – Stuggi Nov 06 '20 at 09:14
  • Yes, IKEv2 would be the way to go - fast, easy (compared to v1) and dynamic. – bjoster Nov 08 '20 at 12:19
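As an added illustration of the tunnel-first design from the answer (example code, not from the question, the answer or pfSense itself): a small policy check that flags any rule passing the ports an AD forest trust needs into the LAN from anywhere other than the IPsec interface. The rule model, the interface labels and both rulesets are constructed assumptions, not a pfSense export.

```python
from dataclasses import dataclass

# Ports domain controllers need between each other for a forest trust:
# DNS, Kerberos, RPC endpoint mapper, LDAP, SMB, Kerberos password change,
# LDAPS and the Global Catalog. The RPC dynamic high-port range that
# endpoint mapper hands out is also required but is not modelled here.
AD_TRUST_PORTS = frozenset({53, 88, 135, 389, 445, 464, 636, 3268, 3269})


@dataclass(frozen=True)
class Rule:
    iface: str        # interface the rule is attached to (assumed labels: WAN, DMZ, IPSEC)
    action: str       # "pass" or "block"
    src: str          # source network label (constructed)
    dst: str          # destination network label (constructed)
    ports: frozenset  # destination ports; an empty set means any port


def ad_exposure_findings(rules):
    """Return a finding for every pass rule that lets AD-trust ports reach the
    LAN from an interface other than the IPsec tunnel."""
    findings = []
    for r in rules:
        if r.action != "pass" or r.dst != "LAN":
            continue
        hits = AD_TRUST_PORTS if not r.ports else AD_TRUST_PORTS & r.ports
        if hits and r.iface != "IPSEC":
            findings.append(
                f"{r.iface}: {r.src}->{r.dst} passes AD ports {sorted(hits)} outside the VPN")
    return findings


# Constructed ruleset 1: "just open the ports on WAN" (the risky option).
WAN_OPEN = [
    Rule("WAN", "pass", "any", "DMZ", frozenset({80, 443})),
    Rule("WAN", "pass", "any", "LAN", frozenset({88, 389, 445})),  # DC exposed to the Internet
]

# Constructed ruleset 2: tunnel first, then allow AD traffic only from the
# remote forest's DCs across the IPsec interface.
TUNNEL_FIRST = [
    Rule("WAN", "pass", "any", "DMZ", frozenset({80, 443})),
    Rule("WAN", "pass", "remote_site_peer", "firewall_self", frozenset({500, 4500})),  # IKE/NAT-T
    Rule("WAN", "block", "any", "LAN", frozenset()),
    Rule("IPSEC", "pass", "remote_forest_dcs", "LAN", AD_TRUST_PORTS),
]

if __name__ == "__main__":
    for name, rules in (("WAN_OPEN", WAN_OPEN), ("TUNNEL_FIRST", TUNNEL_FIRST)):
        print(name, ad_exposure_findings(rules) or "no AD exposure outside the tunnel")
```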