Infrastructure design questions regarding multi-forest, one-way trust scenarios

I reviewed the following articles on multi-forest/one-way trust environments, and I still need some help clarifying what needs to be done:

Scenario 1

  • We have DomainA and DomainB (separate forests; DomainB trusts DomainA, one-way, through a DMZ/firewall).
  • We have the full SCCM infrastructure in DomainA, and we want to limit direct traffic from B to A by placing some site system roles in the DMZ (e.g. MP, DP, SUP, FSP and ACWP) to manage DomainB-joined workstations and servers.

Question 1: How do I make each workstation (from DomainA and DomainB) find the correct ACWP if I want to limit the traffic from DomainB-joined machines to the DMZ level only?

Assuming that we place the ACWP on the DMZ-hosted, DomainB-joined site servers, my guess is:

  • We can set different agent settings based on collection rules (e.g. per domain) to specify the default ACWP,
  • or we can come up with a generic virtual DNS name (e.g. http://ApplicationCatalog/) and let DNS resolve it to different IPs (one for DomainA and the other for DomainB). This way, we can have a single set of agent settings for both DomainA and DomainB and make them fall back to the correct ACWPs.

Scenario 2:

On a similar topic, our security team's mandate is to limit direct communication FROM DomainB machines to DomainA's datacenter (because we don't trust DomainB). So we want to have six distinct traffic flows, and we want to absolutely block any possibility of the last case:

  1. From DataCenter to DMZ-hosted site server: Allowed
  2. From DMZ-hosted site server to DataCenter: Allowed
  3. From DMZ-hosted site server to DomainB client: Allowed
  4. From DomainB client to DMZ-hosted site server: Allowed
  5. From DataCenter to DomainB client (directly): NOT ALLOWED
  6. From DomainB client to DataCenter (directly): NOT ALLOWED

Based on the TechNet/blog articles, we identified that client-initiated traffic can be limited to the DMZ-hosted site servers as long as we place the following roles on a DomainB-joined server:

  • MP
  • DP
  • SUP
  • FSP
  • ACWP

and the following is the list of ports to open on the DMZ/firewall.

Question 2: Do you think this will work to meet the security requirement (no traffic from DomainB machines to DomainA's datacenter)?

Question 3: There are a lot of good articles about MP, DP and SUP (starting with SP1) placement on a foreign forest/domain-joined machine. But personally, I have never tried FSP and ACWP in this scenario before, and there is not much information about them. Will it be OK this way, or is there a better way to do this?

Question 4: If traffic 5 (from DataCenter to ClientB) is not allowed and I place some sub-DPs under "DP-on-DMZ", do the sub-DPs pull the content from "DP-on-DMZ" if I have the MP role in the DMZ?

Thanks in advance.

Young-

_________________________________________

Client to Application Catalog Website Point
- HTTP  TCP:80
- HTTPS  TCP:443

Client to Branch Distribution Point (Out of scope)
- SMB  TCP:445

Client to Cloud-Based DPs (Out of scope)
- HTTPS  TCP:443
- HTTP  TCP:80

Client to Distribution Point
- HTTPS TCP:443
- SMB (For Multicast)  TCP:445
- Multicast UDP:63000-64000

Client to Domain Controller (N/A as this would be local traffic)
- Global Catalog LDAP  TCP: 3268
- Global Catalog LDAP SSL  TCP: 3269

Client to Fallback Status Point
- HTTP  TCP:80

Client to Management Point
- Client Notification(New for SCCM2012): TCP 10123
- HTTP  TCP:80
- HTTPS  TCP:443

Client to PXE Service Point (Out of scope)
- DHCP UDP:67,68
- TFTP (Trivial FTP) UDP:69
- Boot Information Negotiation Layer (BINL) UDP:4011

Client to Server Locator Point (Not required for SCCM2012 as this is merged into MP)
- HTTP TCP: 80

Client to Software Update Point
- HTTP TCP:80 or 8530
- HTTPS TCP:443 or 8531

Client to State Migration Point (Out of scope)
- HTTP  TCP:80
- HTTPS  TCP:443
- SMB  TCP:445

Client to System Health Validator Point (Out of scope)
- See Windows Network Access Protection Documentation 

Client (Mac) to Enrollment Proxy Point (Out of scope)
- HTTPS  443

Client (Mobile) to Enrollment Proxy Point (Out of scope)
- HTTPS  443

Client (Mobile) to Windows Intune (Out of scope)
- HTTPS  443

_________________________________

December 21st, 2012 7:49pm
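As an added example (not from the original post or any reply), the following PowerShell encodes the Scenario 2 flow policy on the DMZ-hosted site server's Windows Firewall, using only the client-facing ports from the port list above, and then gives a check to run from a DomainB-joined client that flow 4 works and flow 6 is blocked. The subnets (10.20.0.0/16 for DomainB clients, 10.1.0.0/16 for the datacenter) and the hostnames SCCMDMZ01.domainb.local and SCCMPRI01.domaina.local are assumptions for illustration.

```powershell
# Added example; not part of the original post. All addresses and hostnames are assumed.
$DomainBClients = '10.20.0.0/16'   # assumed: subnet of DomainB-joined clients (flows 3/4)
$DataCenter     = '10.1.0.0/16'    # assumed: DomainA datacenter subnet (flows 1/2)

# --- Part 1: run on the DMZ-hosted, DomainB-joined site server ---------------------
# Inbound TCP ports per role, taken from the "Client to ..." port list in the post.
# The post lists only HTTPS 443 for the DP; port 80 is added here for a DP configured for HTTP.
$ClientTcpPorts = @{
    'MP'   = @(80, 443, 10123)    # HTTP/HTTPS + client notification (TCP 10123)
    'DP'   = @(80, 443, 445)      # HTTP/HTTPS content, SMB 445 for multicast
    'SUP'  = @(8530, 8531)        # WSUS custom website; use 80/443 if WSUS is on the default site
    'FSP'  = @(80)                # fallback status point is HTTP only
    'ACWP' = @(80, 443)           # application catalog website point
}

foreach ($role in $ClientTcpPorts.Keys) {
    # Scope every client-facing listener to the DomainB client subnet only (flow 4).
    New-NetFirewallRule -DisplayName "SCCM $role inbound from DomainB clients" `
        -Direction Inbound -Protocol TCP -LocalPort $ClientTcpPorts[$role] `
        -RemoteAddress $DomainBClients -Action Allow | Out-Null
}

# Multicast content delivery from the DMZ DP: UDP 63000-64000 (flow 3/4).
New-NetFirewallRule -DisplayName 'SCCM DP multicast from DomainB clients' `
    -Direction Inbound -Protocol UDP -LocalPort '63000-64000' `
    -RemoteAddress $DomainBClients -Action Allow | Out-Null

# Datacenter-initiated management of the DMZ server (flow 1): site server to site system
# traffic (SMB 445, RPC) is allowed only from the datacenter subnet, never from clients.
New-NetFirewallRule -DisplayName 'SCCM site server to DMZ site system (SMB)' `
    -Direction Inbound -Protocol TCP -LocalPort 445 `
    -RemoteAddress $DataCenter -Action Allow | Out-Null

# --- Part 2: run from a DomainB-joined client to verify flows 4 and 6 -----------------
function Test-SccmFlowPolicy {
    param(
        [string]$DmzSiteServer = 'SCCMDMZ01.domainb.local',   # assumed DMZ site server
        [string]$DataCenterMP  = 'SCCMPRI01.domaina.local',   # assumed datacenter site server
        [int[]] $Ports         = @(80, 443, 10123, 8530, 8531)
    )
    $results = foreach ($p in $Ports) {
        # A failed name lookup of the datacenter host from DomainB also counts as "closed".
        $dmz = Test-NetConnection -ComputerName $DmzSiteServer -Port $p -WarningAction SilentlyContinue
        $dc  = Test-NetConnection -ComputerName $DataCenterMP  -Port $p -WarningAction SilentlyContinue
        [pscustomobject]@{
            Port           = $p
            DmzReachable   = $dmz.TcpTestSucceeded   # flow 4: True for ports the DMZ roles listen on
            DataCenterOpen = $dc.TcpTestSucceeded    # flow 6: must be False on every port
        }
    }
    $results | Format-Table -AutoSize

    # Any datacenter port reachable from a DomainB client violates the "no flow 6" mandate.
    $violations = @($results | Where-Object { $_.DataCenterOpen })
    if ($violations.Count -gt 0) {
        Write-Warning ("Flow 6 violation: DomainB client can reach {0} on TCP {1}" -f `
            $DataCenterMP, ($violations.Port -join ', '))
    }
    return $results
}

Test-SccmFlowPolicy
```

The host firewall on the DMZ server only tightens flows 3 and 4; flows 5 and 6 are enforced by the perimeter firewall between the DMZ and the datacenter, which is why the check in Part 2 is run from a DomainB client rather than on the server. A clean run (no warning) is the evidence the security team would want for Question 2.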

Yes, I know this is an old post, but I'm trying to clean them up. Did you solve this problem, and if so, what was the solution?

January 16th, 2015 10:55pm

Since no one has answered this post, I recommend opening a support case with CSS, as they can work with you to solve this problem.

April 18th, 2015 10:11am
