Hosting AD RMS Servers in a Perimeter Network, with Directory Services Hosted in an Internal Network
Applies To: Windows Server 2008, Windows Server 2008 R2
A screened or protected perimeter network segment, also called a demilitarized zone (DMZ), is a network segment isolated from both the Internet and the internal network through firewalls. The perimeter network segment can be implemented through either a single firewall with three network connections (commonly referred to as a “three-legged firewall”) or through two separate firewalls (one located between the Internet and the perimeter network and another located between the perimeter network and the internal network). This is commonly referred to as a dual-screened or front-end/back-end firewall configuration.
The following diagram depicts a typical physical topology for the Active Directory Rights Management Services (AD RMS) servers (and their associated database servers) in the perimeter network.
This configuration does not impose significant demands on the external firewall because all of the access to the AD RMS servers from the Internet is done through ports 80 and 443. (SSL use is the recommended configuration.) However, the internal firewall must be configured to allow the AD RMS servers and database servers to communicate with directory servers in the internal network with a much wider set of network protocols, which include the following:
Kerberos (88/tcp and 88/udp)
DCE RPC (135/tcp, 135/udp, dynamic ports)
NetBIOS/SMB (137 – 139, 445/tcp and udp)
LDAP, LDAP to GC, ICMP, NTP, DNS and others
These ports must be open between the AD RMS servers and database servers, and the internal domain controllers and name servers (outbound from the perimeter network). In addition to this, ports 80 and 443 must be open between the AD RMS servers and the internal network (inbound to the perimeter network) to allow internal clients to access the AD RMS cluster.
This architecture provides the following advantages:
It helps protect the AD RMS servers from malicious users, both internal and external, by allowing access to those servers only through ports 80 and 443.
It requires a single AD RMS infrastructure, with no special requirement for licensing-only servers.
It allows for simple filtering rules on the external firewall, which is typically the most critical.
All AD RMS services are potentially available from the Internet, including enrolling clients, eliminating the need for clients to connect to the internal network, even for initial setup.
On the other hand, this configuration has some disadvantages that make it undesirable in some scenarios:
The AD RMS servers might be exposed on port 80/tcp and 443/tcp because some firewalls do not perform application-layer inspection.
The connection to the intranet requires many open ports. These include dynamic port ranges to support Active Directory domain membership, which can make it more difficult to secure and manage. A connection with many open ports can also consume lots of resources on the firewall.
Some functions, such as enrolling clients and sub-enrolling AD RMS servers, are potentially available from the Internet, requiring careful management of the servers to reduce the risk.
If an AD RMS server in the perimeter network is compromised, the risk of internal network compromise is increased because critical ports are open.
Despite these disadvantages, this is a common architecture choice when you want a single AD RMS cluster and no traffic from the Internet in the internal network, even when the traffic is filtered or inspected at the perimeter network.