public web server inside domain (trusted network)?

Greetings! I have a third party application, a web server, that must be inside my trusted network and a member of our active directory domain to work properly.

My experience has always been to put web servers out of the trusted network inside a dmz. But, this specific web server MUST be inside my active directory "trusted network".

Is this normal practice? Is this safe? I am worried about putting an https webserver inside my trusted network so that it becomes a member of my active directory domain.

If this is normal practice, is it is a simples as putting the web server inside my trusted lan, adding it to my active directory, and adding an https proxy? is this even safe? How can I make it safe?

Comments

  • Why not ask this question to the third party application provider?

    "safe" like many things, is in the mind of the beholder...

  • Hmm. Strange response. Thanks Bruce.

  • Shouldn't a software vendor be able to explain why (and how) their app is secure?
    And address issues of accessing your AD in a secure way from a DMZ - or not ???

    Not so odd a response IMHO.

    If they can't - maybe use of that app should be reconsidered....

  • I find vendors who that something MUST BE a certain way often only need a few ports open or a few changes made to make it work perfectly. "MUST BE" is too big of a blanket statement when I hear it.

    I would WHY it "must be" inside on the LAN. I'd ask them to explain EXACTLY WHY it has to be on the LAN.

    Gregg Hill

  • One thing from popular American culture that is adopted down here is the phrase, "trust no one" from the X-files show.. I personally would not be running a public web server on my trusted network, and I would be thinking long and hard about connecting it to my AD server.

    As Bruce says, the vendor really needs to make a strong case for that configuration, and make sure that it is in writing - otherwise your boss and the vendor may leave you hanging if anything goes wrong.

    Adrian from Australia

  • Thanks Greggmh123. It's a SIS for a University. Needs to be part of the domain. That's the way it was built and certified.

    Of course I asked them about this. Of course their response is and will always be "yes, it's safe".

    I posted here in the "WatchGuard User Forums" to receive constructive feedback, tips, suggestions, etc...

    I have it in the dmz now, i have made it work 90% (with port forwards to the db and api) but the last 10% doesn't work. It needs to be part of my domain to work. I don't mind putting it inside my trusted lan and joining it to my domain. It just seems odd. If other watchguard users and admins do this already, then it would be something that I just haven't learned or been accustomed to.

    My question is "is it normal practice, do other people put their web servers inside their trusted lan, join it to the domain, and how do you keep it safe? Just tips and how others make this work would be useful.

  • James_CarsonJames_Carson Moderator, WatchGuard Representative
    edited October 2020

    Hi @Noel

    From the firewall's perspective, traffic to/from the server can be made secure. The issue lies in that that server in question also has direct access to anything on that subnet without going through the firewall if it's on that same subnet. The WatchGuard can't do anything about traffic that doesn't traverse it.

    If you have an appropriate software firewall on that and other systems, it'd be a good start, but having it out on a DMZ adds another layer of security.

    The risk would be, if that system got infected with one of the popular ransomware viruses that are oh-so-prevalent today that it'd probably be able to spread across that subnet easily.

    The problem is, also, that it has to work. If it doesn't do that, it's as good as useless. Balancing usability and security is the problem.

    -James Carson
    WatchGuard Customer Support

  • Q: is it normal practice, do other people put their web servers inside their trusted lan, join it to the domain, and how do you keep it safe?

    A: for many of us - no absolutely not normal. For others - sure - that is what we do
    Join to an AD domain? - depends on the requirements of the web server - many don't have that requirement at all.
    Obviously some of us would try to keep the web server in a DMZ, and open as few ports as possible to the trusted LAN.

    "Of course their response is and will always be "yes, it's safe"."
    Sounds like saleman-speak to me. They normally have no idea about anything related to security. Most software companies have some sort of tech engineering support behind the salesman, who might have a clue.
    Just my experience.

  • Understood! Thank you all :)

Sign In to comment.