Two domains - Communication through a firewall prob
Hi all
I've been wondering how to allow domains to communicate with each other through the firewall I have. The layout is like this:
| <- County WAN connection
|
#### <- Our firewall/vpn unit
####
| |
| | <- Curriculum Domain / network 172.16.0.x
| +----.. . . . .
|
| <- Admin Domain / network 172.16.10.x
:
Is there any way I could create a trust between the two? Would the AD sync the usernames at all?
Even if that isn't possible for some reason, does anyone happen to know what services I could run between them at all? And does anyone have a handy [small-ish] list of ports and services to allow for specific things etc.?
I know this sounds confusing - but I'm just trying to think of ways to help ease things between the two networks - and possibly allow SIMS .NET on specific IP computers on the curriculum domain that can talk to the admin network in a limited fashion.
Cheers
Nath
Re: Two domains - Communication through a firewall prob
You can set up Trust links with the domains through AD Domains and Trusts.
Are the domains on different sites or are they on the same site?
Re: Two domains - Communication through a firewall prob
Sorry - I should have mentioned, both domains are on the same site. I forget schools/establishments have different sites sometimes lol
Both networks coming from that firewall [i.e. the curriculum and the admin] are physically separate networks and only connect at this firewall.
I know about the AD trusts thingy - it's what ports/protocols/etc. to set up in the firewall policy that I'm after ;)
Nath.
Re: Two domains - Communication through a firewall prob
Are you wanting the full use of SIMS, i.e. the electronic registration and Nova T etc.? If not you can copy the SIMS folder from the admin network, reconfigure the connect.ini file and use this copy on the 'C' network as an offline copy.
Re: Two domains - Communication through a firewall prob
SIMS was more of an afterthought really. I'm just trying to eliminate the need for different usernames on different domains, as we have staff that use both curriculum and admin.
Not sure quite what I'm looking for, but some sort of communication would be handy between the two networks.
I only have opened up HTTP traffic, VNC [though it only seems to work one way for some reason] and the Bromcom registration program that only uses a single port to communicate [that was really easy to do hehe].
Nath
Re: Two domains - Communication through a firewall prob
When you say firewall, what exactly do you mean?
ISA Server or something similar?
LEA firewall, or is it just a switch with separate VLANs?
Re: Two domains - Communication through a firewall prob
This may be overly complicated, but how about a VPN between the two? Then you don't have to worry about too many ports. You're going to need to open DNS 53, 135 for RPC maybe, 445 for AD and probably several others.
Re: Two domains - Communication through a firewall prob
@Disease: hehe I mean what I say :P
hardware firewall / vpn / router...
http://www.firebox.uk.com/firebox-x5...wall-p-28.html
Its our own firewall - i set it up - and the connection to the county provides the internet and WAN services etc FYI.
@Chris:
I could create an "Any traffic" link between the IP of the Curriculum DC and the IP of the Admin DC, but maybe that would invite problems hehe
I don't think this model does that kind of setup - a VPN link within itself, though the "Any traffic" link would be the equivalent I'd guess :)
I might try that on Thurs [job interview tomorrow].
Cheers
Nath.
Re: Two domains - Communication through a firewall prob
Creating a trust relationship will not synchronise usernames between the two domains, it will simply let you assign access to resources in one domain to users in the other domain.
Re: Two domains - Communication through a firewall prob
Seems that if you're opening up machines on the curriculum network for staff to use SIMS, you're also allowing access to your most sensitive data.
As usual it's staff discipline in securing their logins which is the loophole. Not your problem - just pass that one up.
JMO but I think this is a waste of time.
Re: Two domains - Communication through a firewall prob
If you are doing this for the reasons Mark has suggested, then you can limit potential damage by giving your teachers the absolute bare minimum permissions in SIMS that they require (good security practice anyway).