*** humanSupafly has quit (Quit: Page closed) | 07:23 |
*** nowen (~nowen@99-174-92-191.lightspeed.tukrga.sbcglobal.net) has joined #wikid | 13:35 |
*** nowen has quit (Quit: Leaving.) | 14:04 |
*** nowen (~nowen@99-174-92-191.lightspeed.tukrga.sbcglobal.net) has joined #wikid | 14:04 |
*** AccentureDan (0cfa9442@gateway/web/freenode/ip.12.250.148.66) has joined #wikid | 18:57 |
AccentureDan | howdy Nick! | 18:57 |
AccentureDan | question for ya | 18:57 |
nowen | hi | 18:57 |
nowen | ok | 18:57 |
AccentureDan | first, which ports need to be opened for the WiKID server to authenticate domain requests? | 18:58 |
nowen | the tokens use port 80 | 18:58 |
AccentureDan | okay awesome, same with the auto-authentication? | 18:58 |
AccentureDan | adding themselves to the WiKID domain as users | 18:58 |
AccentureDan | with that java applet via web browser | 18:58 |
nowen | that uses 443 | 18:59 |
nowen | but - you most likely want that locked down internally anyway | 18:59 |
AccentureDan | okay so externally facing the Internet 80 and 443 need to be opened | 18:59 |
AccentureDan | yup | 18:59 |
AccentureDan | just trying to map out what ports we need opened through our internet gateway and router/firewalls | 18:59 |
nowen | well - 443 is both the registration and WIKIDAdmin. I recommend only 80 | 18:59 |
AccentureDan | okay so 80 only facing the Internet, gotcha | 19:00 |
AccentureDan | internally, what would it need open? | 19:00 |
AccentureDan | i know radius | 19:00 |
nowen | 443, 1812 | 19:00 |
AccentureDan | awesome | 19:00 |
nowen | if you are using wauth, 8388 | 19:00 |
AccentureDan | yup. just to be clear | 19:01 |
AccentureDan | what exactly is wauth used for again? | 19:01 |
nowen | it is our API. Example.jsp and ADRegister use it, but they do it locally. you could move those scripts to another server | 19:01 |
nowen | but that server would need to be a wauth network client | 19:02 |
nowen | and use their own cert | 19:02 |
AccentureDan | yeah better off just to leave it there, it is going to be isolated anyways | 19:02 |
nowen | you don't want your ADRegistration exposed on the internet | 19:02 |
AccentureDan | reason i need these port mappings | 19:02 |
AccentureDan | makes sense | 19:02 |
AccentureDan | so would you suggest moving the ADRegistration to another server that isn't facing the Internet? | 19:03 |
AccentureDan | since our WiKID server will | 19:03 |
nowen | not if you block 443 from the internet | 19:03 |
AccentureDan | yep that is the plan. only to have 80 open | 19:04 |
nowen | I think that is sufficient, but you might think otherwise | 19:04 |
AccentureDan | shouldnt be too difficult to host somewhere else, can look in to it | 19:04 |
AccentureDan | so even though 443 is blocked and 80 is opened, will users still be able to reach the ADRegister.jsp from the wikid server? | 19:05 |
nowen | some have created mini-CSR apps out of example.jsp | 19:05 |
nowen | no - the idea is that they need to be internal to register | 19:06 |
AccentureDan | so theoretically users would register internally inside of our network first, not from the Internet | 19:07 |
nowen | it is an additional layer of security | 19:07 |
nowen | yes, again, that's what we recommend | 19:07 |
AccentureDan | i completely understand | 19:07 |
AccentureDan | so internally to our Wikid server 443 would be opened internally, along with 80 and wauth | 19:08 |
AccentureDan | and only 80 would need to be open externally to allow domain requests to go through | 19:08 |
nowen | and radius | 19:08 |
nowen | yes | 19:08 |
AccentureDan | yup and 1812 | 19:08 |
AccentureDan | okay gotcha | 19:08 |
nowen | I think that is it | 19:08 |
AccentureDan | sorry for all the questions, just want to get a handle on this | 19:08 |
AccentureDan | awesome let me document this | 19:09 |
AccentureDan | so the domain controller does not need to be added as a network client, that was only to bypass adding a port exception to our firewall right? for ADRegister.jsp | 19:16 |
nowen | correct | 19:16 |
AccentureDan | what port was that again? sorry for all the questions | 19:16 |
nowen | otherwise, we have to tell people how to use iptables ;-) | 19:17 |
nowen | 389 | 19:17 |
AccentureDan | thought so, thanks man | 19:17 |
AccentureDan | LOL | 19:17 |
AccentureDan | that would go over like a fart in church | 19:17 |
AccentureDan | :-P | 19:17 |
nowen | it's alright - good docs will help | 19:17 |
nowen | lol | 19:17 |
AccentureDan | yeah man something we have been falling behind with | 20:02 |
AccentureDan | just have to keep up on it | 20:02 |
AccentureDan | especially when network design is going to change with this | 20:03 |
AccentureDan | ;-) | 20:03 |
nowen | yep | 20:03 |
AccentureDan | quick question | 20:15 |
nowen | ok | 20:15 |
AccentureDan | remember how we were talking about stripping the domain from the logon request | 20:15 |
nowen | yes | 20:15 |
AccentureDan | it would only work if the username matched EXACTLY to what was in Wikid | 20:15 |
AccentureDan | would you find most users leave that attribute out? | 20:16 |
AccentureDan | i mean customers* | 20:16 |
nowen | yes, I think so | 20:16 |
AccentureDan | right now they just log in with their username, instead of the domain | 20:16 |
AccentureDan | okay kind of figured | 20:16 |
nowen | less typing | 20:16 |
AccentureDan | it doesn't matter much here | 20:16 |
AccentureDan | exactly | 20:16 |
AccentureDan | makes it easier :) | 20:16 |
nowen | but some may have more than one domain | 20:16 |
AccentureDan | fewer things for them to mess up hahaha | 20:16 |
AccentureDan | yeah we only have one | 20:16 |
*** nowen has quit (Quit: Leaving.) | 21:16 |