Setting up AD CS in DMZ

mark_milano
New Contributor

Hey all - I'm trying to set up the infrastructure for ADCS Connector, and the web-facing requirement forces me to put it in a DMZ. We are setting up ADCS as our internal CA.

There seems to be a requirement to have the ADCS Connector in a domain with a trust relationship to the domain hosting the CA. Has anyone done this? That would mean either taking an external AD domain and establishing a trust to an internal domain, or extending the internal domain into the DMZ. Both seem like security risks.

If anyone has set up the ADCS Connector in the DMZ, I'd appreciate any help in understanding how you did it. Thanks!


benbos
New Contributor

Can you share your experiences? We have the same question. From a security point of view, we do not want a trust relationship from the DMZ to the internal network. We are curious how other organizations deal with this.

mark_milano
New Contributor

We ended up having a section of the DMZ that was already quarantined off for this type of activity. So we put our ADCS Connector server there, heavily locked down by firewalls on each side, only allowing communication to the ADCS server and a domain controller.
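The host-side half of that lockdown, as an added example (not the poster's configuration): a Windows Firewall egress allow-list on the connector server that permits traffic only to the CA and one domain controller. The IP addresses are placeholders and the port list is an assumption about what the connector needs (Kerberos, LDAP/LDAPS and DNS to the DC; RPC endpoint mapper plus the dynamic RPC range for DCOM enrollment to the CA); the thread gives neither.

```powershell
# Constructed example: host-based egress allow-list for a DMZ ADCS Connector host.
# Assumptions (not from the thread): placeholder addresses below; the connector
# reaches the CA over RPC/DCOM (TCP 135 + dynamic RPC range) and the DC over
# Kerberos/LDAP/DNS. Run in an elevated PowerShell session on the connector host.

$CaAddress = '10.0.1.10'     # placeholder: internal ADCS CA
$DcAddress = '10.0.1.20'     # placeholder: domain controller reachable from the DMZ

# Default deny in both directions; everything else must be an explicit allow rule.
Set-NetFirewallProfile -Profile Domain,Private,Public `
    -DefaultInboundAction Block -DefaultOutboundAction Block

# Remove earlier copies of these rules so the script can be re-run cleanly.
Get-NetFirewallRule -DisplayName 'DMZ-Connector-*' -ErrorAction SilentlyContinue |
    Remove-NetFirewallRule

# Domain controller: Kerberos (88), LDAP (389), LDAPS (636), DNS (53).
New-NetFirewallRule -DisplayName 'DMZ-Connector-DC-TCP' -Direction Outbound -Action Allow `
    -Protocol TCP -RemoteAddress $DcAddress -RemotePort 88,389,636,53
New-NetFirewallRule -DisplayName 'DMZ-Connector-DC-UDP' -Direction Outbound -Action Allow `
    -Protocol UDP -RemoteAddress $DcAddress -RemotePort 88,53

# Certification authority: RPC endpoint mapper plus the dynamic RPC range used by
# DCOM certificate enrollment (narrow the range if the CA pins its RPC port).
New-NetFirewallRule -DisplayName 'DMZ-Connector-CA-RPC' -Direction Outbound -Action Allow `
    -Protocol TCP -RemoteAddress $CaAddress -RemotePort 135,'49152-65535'

# Verification: every outbound allow rule should name only the CA or the DC.
Get-NetFirewallRule -DisplayName 'DMZ-Connector-*' |
    Get-NetFirewallAddressFilter |
    Select-Object -ExpandProperty RemoteAddress
```

The perimeter firewalls on each side of the quarantined segment still need matching rules; this host policy is a second layer, not a replacement for them.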