How to do a Linux DMZ Intranet with Windows authentication?

Digital certificates
Identity & Access Management
Incident response
Intrusion management
Microsoft Windows
Network security
Security tokens
Single sign-on
I am designing a new network that has a DMZ containing Linux webservers and, behind a firewall separating the DMZ, a Windows backoffice. I want to run our company Intranet on the DMZ side using Linux but I want to limit access to employees both from the Internet and behind the firewall using Windows 2003 logon authentication. Is this doable? How do I configure the firewall? Are there any resources out there that someone can point me to? Thanks in advance.

Answer Wiki


What kind of architecture are you planning? Will this be a tri-homed firewall or do you plan on two firewalls with the DMZ in the middle? Do you need failover capability? How secure does this need to be? What services will you allow in/out?
What kind of firewall do you plan on using? There are good firewalls based on Unix/Linux, Windows, and appliances. My personal prejudice for the most secure, configurable, and inexpensive firewall for the majority of needs is OpenBSD running pf. The disadvantage here is Unix user hostility. If you are using Linux a good book to start with is the New Riders book on iptables. There are also many prepackaged firewalls out there but most seem to be designed to protect your home network.
For external access by employees, I assume you are planning VPNs. They can be accommodated by a variety of platforms using RADIUS authentication from your Windows domain controllers.
Some of your description is confusing. Normally the term intranet is used to describe the company network behind the internal firewall, not the DMZ.
I agree with using Unix/Linux systems on the DMZ. Historically, this has been safer although the facts may be changing now. Regardless of the OS, all bastion hosts and firewalls need to be hardened. Systems like the Cisco PIX come that way, which is part of the reason many people have trouble configuring them. There are several books on Linux hardening. If you need a reference on hardening Windows, check the NSA site.
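The answer above recommends iptables for a Linux firewall but the question ("How do I configure the firewall?") is left open. The script below is an added example, not part of the original answer: a tri-homed Linux firewall (Internet, DMZ, internal LAN) that lets the Internet and the LAN reach only the DMZ web host on 80/443, lets that one host reach only the domain controllers on the ports Active Directory authentication needs, and denies everything else from the DMZ. Interface names, address ranges, the web host and the DC addresses are assumptions for the example.

```shell
#!/bin/sh
# Tri-homed Linux firewall for the layout in the question (example, assumed addressing):
#   eth0 = Internet, eth1 = DMZ (10.1.0.0/24), eth2 = internal LAN (10.2.0.0/24).
IPT="${IPT:-iptables}"      # set IPT=echo to print the rules instead of loading them
WAN=eth0; DMZ=eth1; LAN=eth2
LAN_NET=10.2.0.0/24
WEB=10.1.0.10               # the Apache/Squid host in the DMZ
DCS="10.2.0.10 10.2.0.11"   # Windows 2003 domain controllers (also DNS for the domain)

apply_rules() {
    # Deny by default; every permitted flow below is explicit.
    $IPT -P INPUT DROP
    $IPT -P FORWARD DROP
    $IPT -P OUTPUT ACCEPT
    $IPT -F INPUT
    $IPT -F FORWARD

    # The firewall itself: loopback, replies, and SSH from the LAN only.
    $IPT -A INPUT -i lo -j ACCEPT
    $IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -A INPUT -i $LAN -p tcp -s $LAN_NET --dport 22 -j ACCEPT

    # Forwarded traffic: replies to permitted connections.
    $IPT -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

    # Anyone on the Internet may reach the DMZ web host on HTTP/HTTPS only.
    for p in 80 443; do
        $IPT -A FORWARD -i $WAN -o $DMZ -p tcp -d $WEB --dport $p -j ACCEPT
    done

    # Internal users reach the same host (the intranet) on the same ports.
    for p in 80 443; do
        $IPT -A FORWARD -i $LAN -o $DMZ -p tcp -s $LAN_NET -d $WEB --dport $p -j ACCEPT
    done

    # The web host may talk to the domain controllers only, and only on the ports
    # AD authentication needs: DNS (53), Kerberos (88), LDAP (389), LDAPS (636),
    # SMB (445, used by Samba/winbind for the domain join and NTLM pass-through).
    for dc in $DCS; do
        for p in 53 88 389 636 445; do
            $IPT -A FORWARD -i $DMZ -o $LAN -p tcp -s $WEB -d $dc --dport $p -j ACCEPT
        done
        for p in 53 88; do
            $IPT -A FORWARD -i $DMZ -o $LAN -p udp -s $WEB -d $dc --dport $p -j ACCEPT
        done
    done

    # The LAN may go out to the Internet (NATed). The DMZ may not initiate anything
    # else, in either direction: log it so a compromised web host shows up quickly.
    $IPT -A FORWARD -i $LAN -o $WAN -s $LAN_NET -j ACCEPT
    $IPT -t nat -A POSTROUTING -o $WAN -s $LAN_NET -j MASQUERADE
    $IPT -A FORWARD -i $DMZ -j LOG --log-prefix "DMZ-DENY: "
    $IPT -A FORWARD -i $DMZ -j DROP
}

# Only load the rules when explicitly asked; "IPT=echo sh fw.sh apply" reviews them first.
if [ "${1:-}" = "apply" ]; then
    apply_rules
fi
```

Two points worth checking before loading this for real: the DMZ host has no outbound path to the Internet at all, so package updates need either an explicit rule or a LAN-side repository mirror, and the DC port list is the minimum for LDAP/Kerberos/winbind; if you use NTLM through Samba's winbind the domain join also needs 135/139 on some setups, which you would add to the same loop rather than opening the DMZ to the whole LAN.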

Discuss This Question: 3  Replies

  • Mdiha1
    First you need to find what type of firewall you want to implement, e.g. packet filtering, dual (or more) homed, screening subnet, etc. A good reference on this is Building Internet Firewalls. You will find very useful architectural concepts. For more specific information on configuration, defining ACLs, etc., it depends on the product you choose. Cisco PIX and CheckPoint FW1 are some examples of very popular firewalls. The user's guide of these products should help you configure your firewall if you decide to go this way. As one respondent mentioned, in all cases always harden your systems, mainly those interfacing with the Internet. For resources on hardening take a look on Amazon and search for the Hardening series, e.g. Hardening Windows, Hardening Network Infrastructure, etc. An additional good resource is Practical Unix & Internet Security. Good luck!
  • Zottmann
    Hi!! You've got two excellent replies regarding the firewall architecture that you should use. Regarding the Windows 2003 authentication on the Intranet web site, and assuming you are going to use Apache to do this, there are some authentication modules that you could use, like mod_ntlm and mod_auth_ldap, that work very well. One approach that you could use is to set up your Intranet web site inside your LAN, and place an Apache web server on your DMZ, mapping your Intranet site with the reverse proxy technique (see the ProxyPass directive). Best regards, Carlos.
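A concrete version of the reverse-proxy approach in the reply above, added here as an example and not part of the original reply: a DMZ Apache 2.4 virtual host that proxies to the internal intranet server and authenticates every request against Active Directory over LDAPS with mod_authnz_ldap (the successor of the mod_auth_ldap module named in the reply). Host names, DNs, the service account, the group name and certificate paths are assumptions.

```apache
# DMZ reverse proxy in front of the internal intranet server (example config,
# not the original poster's; all names and DNs below are assumed).
LoadModule proxy_module       modules/mod_proxy.so
LoadModule proxy_http_module  modules/mod_proxy_http.so
LoadModule ldap_module        modules/mod_ldap.so
LoadModule authnz_ldap_module modules/mod_authnz_ldap.so
LoadModule ssl_module         modules/mod_ssl.so

# ProxyRequests On would turn the DMZ box into an open forward proxy. Keep it Off:
# ProxyPass works without it.
ProxyRequests Off

# Verify the domain controller's LDAPS certificate rather than trusting any server.
LDAPTrustedGlobalCert CA_BASE64 /etc/ssl/certs/corp-root-ca.pem
LDAPVerifyServerCert On

<VirtualHost *:443>
    ServerName intranet.example.com
    SSLEngine on
    SSLCertificateFile    /etc/ssl/certs/intranet.example.com.crt
    SSLCertificateKeyFile /etc/ssl/private/intranet.example.com.key

    <Location />
        AuthType Basic
        AuthName "Intranet (Windows domain account)"
        AuthBasicProvider ldap
        # Bind with a low-privilege service account, then look the user up by
        # sAMAccountName (the Windows logon name) and re-bind as that user.
        AuthLDAPURL "ldaps://dc1.corp.example.com/DC=corp,DC=example,DC=com?sAMAccountName?sub?(objectClass=user)"
        AuthLDAPBindDN "CN=svc-intranet,OU=ServiceAccounts,DC=corp,DC=example,DC=com"
        AuthLDAPBindPassword "exec:/etc/apache2/ldap-bind-password.sh"
        # A valid password is not enough: require membership of one AD group.
        AuthLDAPGroupAttribute member
        AuthLDAPGroupAttributeIsDN on
        Require ldap-group CN=IntranetUsers,OU=Groups,DC=corp,DC=example,DC=com
    </Location>

    ProxyPreserveHost On
    ProxyPass        / http://intranet.internal.corp.example.com/
    ProxyPassReverse / http://intranet.internal.corp.example.com/
</VirtualHost>

# Plain HTTP only redirects to HTTPS: Basic credentials must never cross the
# Internet in clear, and this vhost has no ProxyPass at all.
<VirtualHost *:80>
    ServerName intranet.example.com
    Redirect permanent / https://intranet.example.com/
</VirtualHost>
```

The `exec:` form of `AuthLDAPBindPassword` (Apache 2.4.5 and later) keeps the service-account password out of the config file. With this setup the firewall only has to let the DMZ host reach the domain controllers on 636 and the internal intranet server on 80; the internal server itself is never reachable from the Internet. mod_ntlm, also named in the reply, would additionally give Internet Explorer silent single sign-on, but it is a third-party module for older Apache versions, whereas the LDAP path above ships with Apache and works with any browser.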
  • ITKEditor: expert Mark Hinkle had this to say: This is a pretty common request these days and the answer is not that difficult. What you want to do is configure a proxy server; I would suggest you look at Squid to proxy your traffic and then authenticate the traffic from your Windows 2003 logon authentication database using Samba. Here's a link to Proxy Authentication with Squid. HTH, Dana -- Dana L. McCurley, Editor, ITKnowledge Exchange, TechTarget, 117 Kendrick St. Ste. 800, Needham, MA 02494
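The Squid-plus-Samba route in the reply above, written out as an added example (not the linked article's configuration and not the poster's): Squid runs on the DMZ host in accelerator (reverse-proxy) mode in front of the internal intranet server and authenticates users against the Windows 2003 domain through Samba's `ntlm_auth` helper, which talks to winbindd on the same box. It assumes the host has already been joined to the domain (`net ads join`), that winbindd is running, that the squid user may read winbind's privileged pipe, and that Squid was built with SSL support; host names, addresses and the group name are assumptions.

```squid
# squid.conf for the DMZ host (example, assumed names and addresses).
# Prerequisites on this host: Samba joined to the domain ("net ads join -U Administrator"),
# winbindd running ("wbinfo -t" succeeds), squid user in the winbindd_priv group.

# Terminate TLS here; the origin server is only reachable from this box.
https_port 443 accel cert=/etc/squid/intranet.example.com.pem defaultsite=intranet.example.com
cache_peer 10.2.0.20 parent 80 0 no-query originserver name=intranet

# NTLM via Samba's helper: IE on a domain-joined PC signs in without a prompt.
# --require-membership-of limits access to one domain group (a group SID also works).
auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp --require-membership-of=CORP\IntranetUsers
auth_param ntlm children 10
auth_param ntlm keep_alive on

# Basic fallback for browsers without NTLM; safe only because the port above is TLS.
auth_param basic program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-basic --require-membership-of=CORP\IntranetUsers
auth_param basic children 5
auth_param basic realm Intranet (Windows domain account)
auth_param basic credentialsttl 2 hours

acl intranet_site dstdomain intranet.example.com
acl authenticated proxy_auth REQUIRED

# Only an authenticated domain user asking for the intranet host gets through;
# everything else, including attempts to use this box as an open proxy, is denied.
http_access allow intranet_site authenticated
http_access deny all
cache_peer_access intranet allow intranet_site authenticated
cache_peer_access intranet deny all
```

Check the helper outside Squid first: `ntlm_auth --username=someuser --password=...` should print `NT_STATUS_OK`, and `wbinfo -a CORP\\someuser%password` should succeed; if either fails, the problem is in the domain join or the firewall rules between the DMZ host and the domain controllers, not in squid.conf. In accelerator mode Squid answers unauthenticated requests with 401 rather than 407, so the browser treats the login like an ordinary web-server challenge.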
