5:27 a.m.
Hello,
I have network consisting out a LAN,WLAN,DMZ and a PRODUCTION network, separated by a
firewall that performs the routing and connections to the outside world.
I want to introduce Identity management using a FreeIPA server for my network. Most client
machines will be on the LAN network, but not all.
Most servers reside on the PRODUCTION network
I am trying to figure out where to place the FeeIPA server in this network.
I want to be able to authenticate all servers,client machines and also be able to
authenticate client machines that are connected via a VPN connection that is hosted on the
firewall.
Sorry for having to ask this. I have been looking around on the net and this list but
found little help on this topic.
Any advice would be welcome.
Kind regards,
Rob.
7:52 a.m.
New subject: where to place the freeipa server in a segmented network
On Fri, 2020-05-08 at 10:27 +0000, Rob van Halteren via FreeIPA-users
wrote:
Hello,
I have network consisting out a LAN,WLAN,DMZ and a PRODUCTION network, separated by a
firewall that performs the routing and connections to the outside world.
I want to introduce Identity management using a FreeIPA server for my network. Most
client machines will be on the LAN network, but not all.
Most servers reside on the PRODUCTION network
I am trying to figure out where to place the FeeIPA server in this network.
I want to be able to authenticate all servers,client machines and also be able to
authenticate client machines that are connected via a VPN connection that is hosted on the
firewall.
Sorry for having to ask this. I have been looking around on the net and this list but
found little help on this topic.
Any advice would be welcome.
I placed my IdM server in the Lan, and then poked holes in the firewall.
In your case placing it in PRODUCTION would be just as fine, as long as all other networks
can route to it.
Simo.
--
Simo Sorce
RHEL Crypto Team
Red Hat, Inc
8:17 a.m.
New subject: where to place the freeipa server in a segmented network
Hi
At the one end of things you might want to secure your IPA server in your production
network however this might not be reachable from other networks (your network policy.) At
the other end of things you might want to place it in your most accessible network however
then the system is more at risk from outside involvement. Worth remembering there is no
"read only" version of IPA (yet.) The point here is that if you have some
secured IPA instances in production connected to IPA servers outside of production then
your whole IPA infra is exposed by the member in the weakest security zone.
We run out IPA infrastructure globally with VPN connected sites, no issue there. I
don't have experience of road warrior VPN clients though. I'm not sure how IPA
behaves when hosts connect with possibly different FQDNs for example.
Regards
Angus
1446
days inactive
1446
days old
freeipa-users@lists.fedorahosted.org
2 comments
3 participants
participants (3)
-
Angus Clarke -
Rob van Halteren -
Simo Sorce