Hi Collective,
We're looking to implement a forest with one domain in our DMZ into which there will be a number of applications, initially MS EPM with others to follow. Anyway, there is a requirement for external partners and internal users (hence the trust) to access these resources.
To enable this we proposed a one-way forest-to-forest trust with the DMZ trusting the internal forest; external partner accounts will be in the DMZ forest\domain. Only the required ports on the firewall would be opened to enable the trust and LDAP.
This is a design option in an MS whitepaper and I also know of one large corporate doing the same.
Our security policy chap here is saying this is a no-no and goes against good practice.... Given the corporate I referred to generally adheres to good practice, I'm beginning to wonder...
So my question is, from your experiences have you seen this implementation before? Does it really go against good practice?
Cheers,
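The design above hinges on two settings on the DMZ side of the trust: the trust must be one-way (DMZ trusts internal, never the reverse) and, since the goal is to expose only the EPM and similar applications, selective authentication should be on so that internal accounts can only reach DMZ resources they are explicitly permitted to. The following PowerShell check is an added example, not something from the original post; it assumes it is run on a domain controller in the DMZ forest with the ActiveDirectory module installed, and the forest name `internal.example` is a placeholder for the trusted internal forest.

```powershell
# Added example: audit trusts on the DMZ forest against the intended design
# (one-way outbound trust to the internal forest, selective authentication on).
# Placeholder name; replace with the real internal forest FQDN.
$ExpectedTrustedForest = 'internal.example'

Import-Module ActiveDirectory

# Direction is reported from the perspective of the domain the cmdlet runs in:
# a DMZ forest that trusts the internal forest sees that trust as "Outbound".
$trusts = Get-ADTrust -Filter * -Properties Direction, SelectiveAuthentication, ForestTransitive, TrustType

$findings = foreach ($t in $trusts) {
    $issues = @()

    if ($t.Name -ne $ExpectedTrustedForest) {
        $issues += "Unexpected trust partner (design calls for a single trust to $ExpectedTrustedForest)"
    }
    if ($t.Direction -ne 'Outbound') {
        # Inbound or Bidirectional would let DMZ (partner) accounts authenticate into the internal forest.
        $issues += "Direction is '$($t.Direction)'; design requires Outbound only"
    }
    if (-not $t.SelectiveAuthentication) {
        # Without selective authentication every internal user is 'Authenticated Users' on DMZ hosts.
        $issues += 'SelectiveAuthentication is off; enable it and grant "Allowed to Authenticate" per application host'
    }
    if (-not $t.ForestTransitive) {
        $issues += 'Trust is not a forest trust (ForestTransitive is false); check whether an external trust was created by mistake'
    }

    [pscustomobject]@{
        TrustPartner            = $t.Name
        Direction               = $t.Direction
        SelectiveAuthentication = $t.SelectiveAuthentication
        ForestTransitive        = $t.ForestTransitive
        TrustType               = $t.TrustType
        Issues                  = if ($issues) { $issues -join '; ' } else { 'OK' }
    }
}

$findings | Format-Table -AutoSize

# Confirm the secure channel for the trust is actually working over the opened firewall ports.
# netdom is part of the AD DS tools; the trusting (DMZ) domain is given first.
$dmzDomain = (Get-ADDomain).DNSRoot
netdom trust $dmzDomain /domain:$ExpectedTrustedForest /verify
```

Run this after the trust is created and again after each firewall or trust change; anything other than a single Outbound, ForestTransitive trust with SelectiveAuthentication set to True means the deployment has drifted from the one-way design the security reviewer is being asked to approve.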