Our organization is very comfortable with the idea of homing the IIS portion of a user app in the DMZ, which authenticates them to connect inside. This is clearly not the roadmap for RDS 2012. We're not going to get the go-ahead to create any kind of DC in the DMZ, and putting a domain member out there seems to defeat its purpose entirely.

I'm really at a loss for a direction at this point, as putting the Gateway role in the DMZ as a domain member seems to be the closest MS-supported approach to this problem. Is there any way to have my cake (force the users to authenticate before passing them on to LAN servers) and eat it, too (keep AD out of my DMZ)?

Thanks for any input.

Kara Marfia
  • A lot of organizations have domain members in a perimeter network. Perimeter networks are typically more segmented, and disallow access to the Internet, other perimeter networks, or other segments/VLANS, but I don't think a domain member is an unusual practice. – Greg Askew Feb 15 '17 at 16:44
  • I'd be on board with that - for whatever reason, I'm faced with some unwillingness to change on this issue. Starting to think this project is going to fall apart if I can't crack that nut. – Kara Marfia Feb 15 '17 at 20:24

0 Answers