Hello,
I have a network consisting of a LAN, WLAN, DMZ and a PRODUCTION network, separated by a firewall that performs the routing and connections to the outside world. I want to introduce identity management using a FreeIPA server for my network. Most client machines will be on the LAN network, but not all. Most servers reside on the PRODUCTION network.
I am trying to figure out where to place the FreeIPA server in this network. I want to be able to authenticate all servers and client machines, and also to authenticate client machines that are connected via a VPN connection that is hosted on the firewall.
Sorry for having to ask this. I have been looking around on the net and this list but found little help on this topic. Any advice would be welcome.
Kind regards,
Rob.
On Fri, 2020-05-08 at 10:27 +0000, Rob van Halteren via FreeIPA-users wrote:
Hello,
I have a network consisting of a LAN, WLAN, DMZ and a PRODUCTION network, separated by a firewall that performs the routing and connections to the outside world. I want to introduce identity management using a FreeIPA server for my network. Most client machines will be on the LAN network, but not all. Most servers reside on the PRODUCTION network.
I am trying to figure out where to place the FreeIPA server in this network. I want to be able to authenticate all servers and client machines, and also to authenticate client machines that are connected via a VPN connection that is hosted on the firewall.
Sorry for having to ask this. I have been looking around on the net and this list but found little help on this topic. Any advice would be welcome.
I placed my IdM server in the LAN, and then poked holes in the firewall. In your case placing it in PRODUCTION would be just as fine, as long as all other networks can route to it.
Simo.
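As an added example (not from this thread or from the FreeIPA project), here is what "poking holes in the firewall" can look like as an nftables ruleset on the zone firewall: only the ports FreeIPA clients use are allowed from the other zones and the VPN pool to the IdM server in PRODUCTION, and everything else aimed at that host is dropped. The server address and zone subnets are constructed placeholders.

```shell
#!/bin/sh
# Added example: generate an nftables ruleset that exposes only the FreeIPA
# ports, and only from the zones that must reach the IdM server.
# Addresses below are constructed placeholders; replace them with your own.

IPA_SERVER="10.0.30.10"                                          # hypothetical IdM server in PRODUCTION
IPA_CLIENT_ZONES="10.0.10.0/24,10.0.20.0/24,10.0.40.0/24,10.0.99.0/24"  # LAN, WLAN, DMZ, VPN pool

# Ports FreeIPA clients and replicas use (per the FreeIPA documentation):
# HTTP/HTTPS (80, 443), LDAP/LDAPS (389, 636), Kerberos (88, 464 tcp+udp),
# DNS (53 tcp+udp) only when the IPA-integrated DNS server is used.
ipa_tcp_ports() { echo "80, 443, 389, 636, 88, 464, 53"; }
ipa_udp_ports() { echo "88, 464, 53"; }

# Print an nftables "inet" table: allow the IPA ports from the listed zones
# to the server, let established flows through, and drop all other traffic
# forwarded to the server. Arguments: server IPv4, comma-separated CIDRs.
gen_ipa_rules() {
  server="$1"
  set_members="$(echo "$2" | sed 's/,/, /g')"
  cat <<EOF
table inet ipa_fw {
  set ipa_clients {
    type ipv4_addr
    flags interval
    elements = { $set_members }
  }
  chain forward {
    type filter hook forward priority 0; policy accept;
    ct state established,related accept
    ip daddr $server ip saddr @ipa_clients tcp dport { $(ipa_tcp_ports) } accept
    ip daddr $server ip saddr @ipa_clients udp dport { $(ipa_udp_ports) } accept
    ip daddr $server drop
  }
}
EOF
}

# Emit the ruleset for the placeholder topology; load it with: nft -f <file>
gen_ipa_rules "$IPA_SERVER" "$IPA_CLIENT_ZONES"
```

Keep port 53 only if your clients resolve through the IPA-integrated DNS; the same rule shape applies to a second replica, which additionally needs LDAP/LDAPS reachability between the two servers.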
Hi
At the one end of things you might want to secure your IPA server in your production network, however this might not be reachable from other networks (your network policy). At the other end of things you might want to place it in your most accessible network, however then the system is more at risk from outside involvement. Worth remembering there is no "read only" version of IPA (yet). The point here is that if you have some secured IPA instances in production connected to IPA servers outside of production, then your whole IPA infra is exposed by the member in the weakest security zone.
We run our IPA infrastructure globally with VPN connected sites, no issue there. I don't have experience of road warrior VPN clients though. I'm not sure how IPA behaves when hosts connect with possibly different FQDNs, for example.
Regards, Angus
freeipa-users@lists.fedorahosted.org