0 votes

We will be rolling out Adaxes to our customers for self-service. We have a DMZ and then our internal network. Pretty standard network topology. What is the recommended setup for this? Can we have a machine in the DMZ that is just the front IIS web server which ONLY speaks to an internal server which would be the Adaxes service on the internal network?

We are looking for our options for deploying this. What is recommended?

by (80 points)

1 Answer

0 votes
by (18.0k points)

Hello,

Adaxes Web Interface cannot be installed in a DMZ. Adaxes can be installed only on a computer that is joined to an Active Directory domain.
I suggest you install Adaxes Web Interface on an internal server, and open up port 80 on this server.

0

Would this work? What ports need to be opened up to the internal server that has the Adaxes Service installed? Assume that the internal network does not need any firewall rules.

I was looking at "What ports does Adaxes use?"; will it only use 389 TCP & 135 TCP? What about it using LDAPS 636 TCP?

Thanks, this could be a good FAQ article too ;)

0

Hello,

Yes, it will work. The Web Interface will use port 54782 to communicate with the Adaxes service. To obtain information from AD, the Web Interface will need the following ports: 389, 135, and 1028. Port 636 is used by the Adaxes service only.

0

Is that a security concern using LDAP 389 in a DMZ? All that traffic is unencrypted. Is there a way to use LDAPS 636 to obtain information from AD instead of LDAP 389? Thanks

0

Adaxes Web Interface uses port 389 to obtain non-security-sensitive data from AD (e.g. information on the Adaxes service connection point).
The Web Interface communicates with Active Directory via the Adaxes service using an encrypted TCP channel. All the Active Directory data is passed through this encrypted channel.

0

54782, 389, 135, and 1028 are those only opened up to the internal Adaxes server? Or is 54782 opened to the internal Adaxes service and 389, 135, and 1028 opened up to the Domain Controllers? What I really am asking, is what is the destination of these ports that are being opened up from the firewall?

I apologize for so many questions, but since this is in regard to HIPAA data, detail is a must.

0

54782 should be opened to the Adaxes service,
389, 135, and 1028 should be opened up to the Domain Controllers.
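The port map settled on in this thread, turned into a check you can run from the Web Interface host before go-live. This is an added example, not code from the thread or from Softerra; the hostnames are placeholders and the rule name is my own. It uses the standard Test-NetConnection and New-NetFirewallRule cmdlets to confirm that 54782 reaches the Adaxes service, that 389, 135 and 1028 reach each domain controller, and that the browser-facing port on the Web Interface server is allowed inbound.

```powershell
# Added example (not from the forum thread): run on the Adaxes Web Interface server
# to verify the destinations named in the thread are reachable through the firewall.
param(
    # Assumption: placeholder hostnames, replace with your own.
    [string]$AdaxesServiceHost = 'adaxes-svc.corp.example',
    [string[]]$DomainControllers = @('dc01.corp.example', 'dc02.corp.example'),
    # Port the answer above says to open on the Web Interface server for browsers.
    [int]$WebPort = 80
)

# Destination map taken from the thread:
#   54782           -> the Adaxes service host
#   389, 135, 1028  -> each domain controller (135 is the RPC endpoint mapper)
$checks = @()
$checks += [pscustomobject]@{ Target = $AdaxesServiceHost; Port = 54782; Purpose = 'Web Interface -> Adaxes service' }
foreach ($dc in $DomainControllers) {
    foreach ($p in 389, 135, 1028) {
        $checks += [pscustomobject]@{ Target = $dc; Port = $p; Purpose = 'Web Interface -> Domain Controller' }
    }
}

# TCP reachability test for every (target, port) pair.
$results = foreach ($c in $checks) {
    $r = Test-NetConnection -ComputerName $c.Target -Port $c.Port -WarningAction SilentlyContinue
    [pscustomobject]@{
        Target  = $c.Target
        Port    = $c.Port
        Purpose = $c.Purpose
        Open    = $r.TcpTestSucceeded
    }
}
$results | Format-Table -AutoSize

# Inbound rule on the Web Interface server for the port users connect to.
# Rule name is an assumption; scope -RemoteAddress to your user subnets if you can.
$ruleName = 'Adaxes Web Interface (inbound)'
if (-not (Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue)) {
    New-NetFirewallRule -DisplayName $ruleName -Direction Inbound -Protocol TCP `
        -LocalPort $WebPort -Action Allow -Profile Domain | Out-Null
}

# Anything still closed is a firewall gap to fix before rolling out self-service.
$blocked = $results | Where-Object { -not $_.Open }
if ($blocked) {
    $list = ($blocked | ForEach-Object { "$($_.Target):$($_.Port)" }) -join ', '
    Write-Warning "Blocked destinations: $list"
}
```

Run it as an administrator on the Web Interface server; a warning listing any closed destination means the corresponding firewall rule toward the Adaxes service or the domain controllers is still missing.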
