Posted on 02-09-2021 11:46 AM
Hey all - I'm trying to set up the infrastructure for ADCS Connector, and the web-facing requirement forces me to put it in a DMZ. We are setting up ADCS as our internal CA.
There seems to be a requirement to have the ADCS Connector in a domain with a trust relationship to the domain hosting the CA. Has anyone done this? That would mean taking an external AD domain and establishing a trust to an internal domain, or extending the internal domain to the DMZ. Both seem like security risks.
If anyone set up the ADCS Connector in the DMZ, I'd appreciate any help in understanding how you did it. Thanks!
Posted on 06-25-2021 01:35 AM
Can you share your experiences? We have the same question. From a security point of view, we do not want a trust relationship with the internal network from the DMZ. We are curious how other organizations deal with this?
Posted on 06-25-2021 06:23 AM
We ended up having a section of the DMZ already quarantined off for this type of activity. So we put our ADCS connector server there, heavily locked down by firewalls on each side, only allowing communication to the ADCS server and a domain controller.
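The layout described in the reply above (connector host in a quarantined DMZ segment, permitted to reach only the CA and one domain controller) can be enforced on the connector host itself with the Windows firewall, in addition to the network firewalls on each side. The script below is an added example and is not the poster's configuration or Jamf's documented setup; the addresses, the Jamf Pro source range, the inbound HTTPS listener and the port list are assumptions (the ports are the defaults a domain member uses for Kerberos, LDAP, DNS, SMB and time, plus DCOM/RPC for enrollment against the CA).

```powershell
# Added example, not from the thread: host firewall policy for an ADCS Connector
# server in a quarantined DMZ segment. Every address and range below is assumed.
$CaHost     = '10.20.0.10'      # assumed: issuing CA on the internal network
$DcHost     = '10.20.0.5'       # assumed: the single DC the connector may talk to
$JamfSource = '203.0.113.0/24'  # assumed: where inbound HTTPS to the connector comes from
$RpcDynamic = '49152-65535'     # Windows default dynamic RPC range (see note below)
$Group      = 'ADCS Connector DMZ'

# Deny by default in both directions on every profile; everything else is an allow-list.
Set-NetFirewallProfile -Profile Domain,Private,Public `
    -DefaultInboundAction Block -DefaultOutboundAction Block

# Drop any earlier copy of these rules so the script can be re-run safely.
Get-NetFirewallRule -Group $Group -ErrorAction SilentlyContinue | Remove-NetFirewallRule

# Outbound to the CA only: DCOM/RPC enrollment = endpoint mapper plus a dynamic port.
New-NetFirewallRule -Group $Group -DisplayName 'Out: CA RPC endpoint mapper' `
    -Direction Outbound -Action Allow -Protocol TCP -RemoteAddress $CaHost -RemotePort 135
New-NetFirewallRule -Group $Group -DisplayName 'Out: CA RPC dynamic' `
    -Direction Outbound -Action Allow -Protocol TCP -RemoteAddress $CaHost -RemotePort $RpcDynamic

# Outbound to the one DC only: what a domain member needs to authenticate and look things up.
$DcTcp = @(53, 88, 135, 389, 445, 464, 636, 3268, 3269)   # DNS, Kerberos, RPC, LDAP, SMB, kpasswd, LDAPS, GC
$DcUdp = @(53, 88, 123, 389, 464)                          # DNS, Kerberos, NTP, LDAP ping, kpasswd
New-NetFirewallRule -Group $Group -DisplayName 'Out: DC TCP' `
    -Direction Outbound -Action Allow -Protocol TCP -RemoteAddress $DcHost -RemotePort $DcTcp
New-NetFirewallRule -Group $Group -DisplayName 'Out: DC UDP' `
    -Direction Outbound -Action Allow -Protocol UDP -RemoteAddress $DcHost -RemotePort $DcUdp
New-NetFirewallRule -Group $Group -DisplayName 'Out: DC RPC dynamic' `
    -Direction Outbound -Action Allow -Protocol TCP -RemoteAddress $DcHost -RemotePort $RpcDynamic

# Inbound: only the connector's HTTPS listener, only from the assumed Jamf Pro source range.
New-NetFirewallRule -Group $Group -DisplayName 'In: HTTPS from Jamf Pro' `
    -Direction Inbound -Action Allow -Protocol TCP -LocalPort 443 -RemoteAddress $JamfSource

# Verify: the CA endpoint mapper must be reachable; an arbitrary internal host must not be.
Test-NetConnection -ComputerName $CaHost -Port 135 |
    Select-Object ComputerName, RemotePort, TcpTestSucceeded
Test-NetConnection -ComputerName '10.20.0.99' -Port 445 -WarningAction SilentlyContinue |
    Select-Object ComputerName, RemotePort, TcpTestSucceeded   # expected: TcpTestSucceeded = False
```

The widest hole in this allow-list is the dynamic RPC range, which is needed because DCOM enrollment and several DC services negotiate a port through the endpoint mapper. On the CA and the DC you can shrink that range with `netsh int ipv4 set dynamicport tcp start=<port> num=<count>` and then set `$RpcDynamic` to match; the network firewalls on each side of the DMZ segment should carry the same host-to-host allow-list, so that a compromise of the connector still cannot reach anything beyond the CA and that one DC.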