anyone here have CompuCom providing tier one support?

oddyager

Diamond Member
My company is outsourcing its Help Desk/Tier One support and in the meeting with them they said one of the requirements they needed was to have our Domain Controllers have direct connectivity to the public internet so THEIR public LDAP server can connect to ours. This would allow authentication to their web ticketing system using our existing AD credentials. NAT my DCs to a public address for that? What? Why can't this be done through private address space across our site-to-site connection which we have so they can remote into our user's desktops? The "technical" guy they had there mumbled some incoherent answer that didn't make any sense at all. He mentioned something about latency, and routing problems, none of which explains why this needs to be done across public internet. Being pressed further he started to become defensive and offered no further explanation.
 
While Windows can actually survive on the open internet... I would be extremely concerned about putting my authentication system out there. You could inline firewall the system on to the public web and have a tight policy that is basically "allow" only from their LDAP systems IPs.

I would press on the site-to-site question if the company is already in; if not, I would bring this up as the company's "lack of regard for security."
 
Unfortunately too late. 🙁 Like many decisions this crappy company has made technology groups were never engaged until after the fact.
 
Unfortunately too late. 🙁 Like many decisions this crappy company has made technology groups were never engaged until after the fact.

Then make absolutely sure that in the contract there is verbiage that places liability of authentication security on CompuCom such that when an infiltration does occur (because they are not using an encrypted tunnel to pass this data), your company has some legal or monetary recourse against them.

This is the most terrible idea I've ever heard.
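What "not using an encrypted tunnel" means concretely for LDAP, as an added example that is not part of this thread: a simple bind (RFC 4511) sends the bind DN and the password as plain BER octet strings, so anyone on the path of a tcp/389 session between the vendor's ticketing system and a DC reads them straight out of the packet. The encoder/decoder below is my own; the DN, the password and the "captured" packet are constructed for illustration, and the SASL bind is included only to show the contrast (with GSS-SPNEGO/Kerberos the password itself never crosses the wire).

```python
"""Decode an LDAP BindRequest as it appears on the wire (RFC 4511, BER).

A *simple* bind carries the bind DN and the password as plain octet strings.
On an unencrypted LDAP session (tcp/389) anyone on the path reads them
directly; only LDAPS (tcp/636), StartTLS or a VPN tunnel hides them.
"""
from __future__ import annotations

TAG_INTEGER = 0x02
TAG_OCTET_STRING = 0x04
TAG_SEQUENCE = 0x30
TAG_BIND_REQUEST = 0x60   # [APPLICATION 0], constructed
TAG_AUTH_SIMPLE = 0x80    # [0] IMPLICIT OCTET STRING: the password itself
TAG_AUTH_SASL = 0xA3      # [3] IMPLICIT SEQUENCE { mechanism, credentials }


def _encode_length(n: int) -> bytes:
    """BER length: short form below 128, long form (0x81 nn / 0x82 nn nn) above."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _tlv(tag: int, payload: bytes) -> bytes:
    return bytes([tag]) + _encode_length(len(payload)) + payload


def _integer(n: int) -> bytes:
    """Two's-complement INTEGER; padded so a high bit is not read as a sign bit."""
    body = n.to_bytes(max(1, (n.bit_length() + 8) // 8), "big", signed=True)
    return _tlv(TAG_INTEGER, body)


def build_simple_bind(message_id: int, dn: str, password: str) -> bytes:
    """Encode a simple BindRequest exactly as an LDAP client sends it."""
    op = _integer(3) + _tlv(TAG_OCTET_STRING, dn.encode()) + _tlv(TAG_AUTH_SIMPLE, password.encode())
    return _tlv(TAG_SEQUENCE, _integer(message_id) + _tlv(TAG_BIND_REQUEST, op))


def build_sasl_bind(message_id: int, mechanism: str, credentials: bytes = b"") -> bytes:
    """SASL bind (e.g. GSS-SPNEGO): the mechanism name goes on the wire, the password does not."""
    sasl = _tlv(TAG_OCTET_STRING, mechanism.encode())
    if credentials:
        sasl += _tlv(TAG_OCTET_STRING, credentials)
    op = _integer(3) + _tlv(TAG_OCTET_STRING, b"") + _tlv(TAG_AUTH_SASL, sasl)
    return _tlv(TAG_SEQUENCE, _integer(message_id) + _tlv(TAG_BIND_REQUEST, op))


def _read_tlv(buf: bytes, pos: int) -> tuple[int, bytes, int]:
    """Return (tag, value, position after the element) for the BER element at pos."""
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first & 0x80:                       # long-form length
        n = first & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    else:
        length = first
    value = buf[pos:pos + length]
    if len(value) != length:
        raise ValueError("truncated BER element")
    return tag, value, pos + length


def parse_bind_request(packet: bytes) -> dict:
    """Decode one LDAPMessage carrying a BindRequest: the fields an on-path observer sees."""
    tag, message, _ = _read_tlv(packet, 0)
    if tag != TAG_SEQUENCE:
        raise ValueError("not an LDAPMessage")
    _, mid, pos = _read_tlv(message, 0)
    tag, op, _ = _read_tlv(message, pos)
    if tag != TAG_BIND_REQUEST:
        raise ValueError("not a BindRequest")
    _, version, pos = _read_tlv(op, 0)
    _, name, pos = _read_tlv(op, pos)
    auth_tag, auth, _ = _read_tlv(op, pos)
    fields = {
        "message_id": int.from_bytes(mid, "big", signed=True),
        "version": int.from_bytes(version, "big", signed=True),
        "dn": name.decode("utf-8"),
    }
    if auth_tag == TAG_AUTH_SIMPLE:
        fields["auth"] = "simple"
        fields["password"] = auth.decode("utf-8", errors="replace")
    elif auth_tag == TAG_AUTH_SASL:
        _, mechanism, _ = _read_tlv(auth, 0)
        fields["auth"] = "sasl"
        fields["mechanism"] = mechanism.decode("utf-8")
    else:
        raise ValueError(f"unknown authentication choice 0x{auth_tag:02x}")
    return fields


def leaks_password(packet: bytes) -> bool:
    """True when this bind hands the password to anyone sniffing a cleartext session."""
    return parse_bind_request(packet).get("auth") == "simple"


# Constructed sample (not a real capture): the bytes a tcp/389 capture of the
# vendor's ticketing system binding to a DC would contain.  DN and password are made up.
CAPTURED_BIND = (
    bytes.fromhex("304e02010160490201030437")
    + b"CN=svc-ticketing,OU=Service Accounts,DC=corp,DC=example"
    + bytes.fromhex("800b")
    + b"Winter2024!"
)

if __name__ == "__main__":
    seen = parse_bind_request(CAPTURED_BIND)
    print(f"bind from {seen['dn']!r} with password {seen['password']!r}")
    print("password exposed:", leaks_password(CAPTURED_BIND))
    print("password exposed (GSS-SPNEGO):", leaks_password(build_sasl_bind(2, "GSS-SPNEGO")))
```

Running it prints the DN and password recovered from the sample packet, which is the whole argument for LDAPS (or StartTLS) inside a VPN rather than a NATed DC: the protocol itself offers no protection for a simple bind, and most web applications that "authenticate against AD" do exactly that bind with the user's own credentials.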
 
That sounds like a really bad idea. I've never heard of that company, but that method seems horrible...especially if you've got a site-to-site VPN already.
 
Tell them to pound sand, that's a terrible idea. VPN it if anything, even still I would prefer a point to point circuit, none of this wild west internet crap.
 
oddyager, this is a big fail already and pretty much all you need to know about them. (I don't know anything of this company specifically, but this does say it all)

Push hard for a VPN. No matter what, lock everything down as tight as you possibly can.

I would strongly urge you to set up an isolated slave LDAP server (preferably running *IX and OpenLDAP instead of Windows/AD...) and only let these guys touch that server. It sounds like these guys are totally failing on security - do you want them to be able to touch your AD server?

Sounds like a bad situation.
 
Hello Oddyager,
I think (I hope) there must be a misunderstanding. Could you please contact me directly using the information below ...

And thank-you to all who posted constructive replies; I respect, appreciate and of course support maintaining acceptable levels of security.

Rgds,

Richard Noël
Director, Information Security

CompuCom
836 North Street
Tewksbury, MA 01876
Tel: +1.978.858.7541
mailto:richard.noel@compucom.com
 
Please let us know how this turns out, I can't imagine any company wanting an LDAP server facing the net, at least none that you would want to deal with anyway.
 
I have not worked with this specific app, but I had another one that we wanted to connect to our domain. We played with it, and I set up a certificate, we only used LDAPS, and I only allowed their IPs. I didn't use it in the end, and I'm still not sure I was really comfortable with it. I wonder if this might be a good case for a read-only domain controller.
 
Active Directory in Windows 2008/R2 is set up for expanding over the internet using branch technology for read-only access. They've added a few new tricks under the hood of the latest server.
 
Hello,
I've not heard back from Oddyager. If any of you know Oddyager, could you please let him/her know I'd be happy to further discuss this; my contact information is below ...

Thanks,

Rgds,

Richard Noël
Director, Information Security

CompuCom
836 North Street
Tewksbury, MA 01876
Tel: +1.978.858.7541
mailto:richard.noel@compucom.com
 
Please let us know how this turns out, I can't imagine any company wanting an LDAP server facing the net, at least none that you would want to deal with anyway.


All is well. After speaking with the actual hands touching the infrastructure pieces, we are doing this via VPN using private address space. There are other bits and pieces I still want done, but my biggest concern, NAT-ing to a publicly routable address, is, glad to say, gone.

Still sucks for our Help Desk to lose their jobs... but anyway.