Auditing systems that are inside a DMZ

If you have Windows or UNIX/Linux systems deployed inside a network DMZ, you can audit those systems without having to set up a separate audit installation.

Organizations often use a DMZ to host a group of systems in a section of the corporate network that sits between the intranet and the public internet. Firewall settings define the perimeter of the DMZ; the firewall helps limit access to internal networks from the outside network.

In order to audit systems inside of a DMZ, the following must be true for your deployment:

  • All the Windows or UNIX/Linux systems in the DMZ are joined to the DMZ domain (for example, acme.dmz).
  • You've already set up the audit installation in your main domain for your organization (for example, acme.corp) and you're auditing systems in that domain.
  • The SQL Server that hosts the audit databases is also joined to the main domain.
  • There's either no Active Directory trust between the main and DMZ domains or there's a one-way trust where the DMZ domain trusts the main domain (for example, acme.dmz trusts acme.corp).
  • All the audit administrator and auditor accounts belong to the main domain.

Before you go to set up auditing on DMZ systems, be sure to do the following:

  • Deploy at least one audit collector on a system that's joined to the DMZ domain. This is because an audited system can only look for audit collectors in its own forest.
  • Configure the SQL Server to use mixed-mode authentication. This is because a collector in a DMZ cannot authenticate with SQL Server in the main domain using Windows authentication.
  • Configure the necessary firewall exceptions for the SQL Server deployed in the main domain so that the audit collector in the DMZ can connect to the SQL Server. This includes the firewall exceptions for the SQL Server listener port as well as other ports, such as UDP 1434 (which is used by the SQL browser service).
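The following PowerShell, run as an administrator on the SQL Server host in the main domain, is an added example and not part of the Centrify documentation. It creates the two firewall exceptions described above and checks that the instance is in mixed-mode authentication. The collector address 192.0.2.10, the listener port 1433 (the default; check your instance's configured port) and the default instance name MSSQLSERVER are assumptions to replace with your own values.

```powershell
# Added example (not from the Centrify documentation): prepare the SQL Server host in the
# main domain (for example acme.corp) for an incoming collector in the DMZ (for example acme.dmz).
# Placeholders/assumptions: DMZ collector IP 192.0.2.10, listener port 1433, default instance.

$DmzCollector = '192.0.2.10'   # placeholder: IP address of the collector in the DMZ
$ListenerPort = 1433           # assumption: default SQL Server listener port; use your configured port

# 1. Firewall exceptions, scoped to the DMZ collector rather than to any remote host.
#    TCP listener port: required for every collector connection.
New-NetFirewallRule -DisplayName 'Audit collector (DMZ) - SQL Server listener' `
    -Direction Inbound -Protocol TCP -LocalPort $ListenerPort `
    -RemoteAddress $DmzCollector -Action Allow -Profile Domain

#    UDP 1434 (SQL Browser service): only needed if collectors resolve a named instance or
#    connect without specifying the port explicitly.
New-NetFirewallRule -DisplayName 'Audit collector (DMZ) - SQL Browser' `
    -Direction Inbound -Protocol UDP -LocalPort 1434 `
    -RemoteAddress $DmzCollector -Action Allow -Profile Domain

# 2. Verify mixed-mode authentication. LoginMode 2 = SQL Server and Windows authentication
#    (mixed mode); LoginMode 1 = Windows authentication only, which a DMZ collector cannot use.
$sqlRoot    = 'HKLM:\SOFTWARE\Microsoft\Microsoft SQL Server'
$instanceId = (Get-ItemProperty "$sqlRoot\Instance Names\SQL").MSSQLSERVER   # assumption: default instance
$loginMode  = (Get-ItemProperty "$sqlRoot\$instanceId\MSSQLServer").LoginMode

if ($loginMode -ne 2) {
    Write-Warning "LoginMode is $loginMode: enable mixed-mode authentication in SQL Server and restart the service."
} else {
    Write-Output 'Mixed-mode authentication is enabled.'
}

# 3. Show the rules that were created, for the change record.
Get-NetFirewallRule -DisplayName 'Audit collector (DMZ)*' |
    Get-NetFirewallPortFilter |
    Select-Object InstanceID, Protocol, LocalPort
```

Scoping the rules with `-RemoteAddress` keeps the SQL Server listener reachable only from the collector you deploy in the DMZ, which is the narrowest exception that still satisfies the requirement above.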

To audit systems in a DMZ:

  1. Prepare the audit store:
    1. Set up an audit store that contains the audited data for the systems in the DMZ. You can either create a new audit store or modify an existing one so that the audit store scope includes the sites or subnets of the systems in the DMZ.
    2. Add a new audit store database to the DMZ audit store and mark the database as active.

      For more information, see Creating the first audit store.

  2. Prepare the SQL authentication account:
    1. In Audit Manager, right-click the audit store database that you just created and select Properties.
    2. In the Advanced tab, under the Allowed incoming collectors, click Add.
    3. For the authentication, select SQL Server authentication. Select an existing account or click the list to create a new SQL Login account.

      This SQL Login account is what the collectors in the DMZ domain will use to authenticate with the SQL Server in the main domain. As a best practice, create a dedicated incoming collector account for all collectors in the DMZ.

  3. Publish the audit installation information to the DMZ domain:

    • If there's a one-way trust between the DMZ and main domains:

      1. In Audit Manager, right-click the installation name and click Properties.
      2. In the Publication tab, click Add.
      3. Select an OU or container in the DMZ domain to which you'll publish the audit installation information. Click OK to continue, and click OK again to close the dialog box and publish the audit installation information to the DMZ.

        For more information, see Publishing installation information.

    • If there's no trust between the DMZ and main domains:

      1. In Audit Manager, right-click the installation name and click Properties.
      2. In the Publication tab, click Export to export the audit installation information to an LDIF file.
      3. Provide the LDIF file to the Active Directory administrator of the DMZ domain and request that they manually import the file into an OU or container in the DMZ domain. They can import the LDIF file using the LDIFDE.exe utility.

        For more information, see Exporting installation information.

  4. Install a collector on at least one Windows system in the DMZ:
    1. Run the Collector Configuration wizard, and select the audit installation and specify the port number.
    2. In the Authentication type screen, select SQL Server authentication and enter the credentials for the SQL authentication account that you created earlier.
    3. Click Test Connection to ensure that the credentials work and the SQL Server is reachable.
    4. Finish the rest of the wizard. If there are any warnings when validating the permissions, you can safely ignore them.

      If you log in to the collector computer as a user from your DMZ domain, that user will almost certainly not have permission to connect to the audit installation. As a result, the Collector Configuration wizard (which runs in the context of the logged-in user) may fail to validate certain permissions and show warning messages instead.

      For details about configuring a collector, see Installing the audit collectors.

  5. Install and configure the agent on the systems in the DMZ.

    For details, see Installing the Centrify Agent for Windows.
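The PowerShell below is an added example, not part of the Centrify documentation, covering the two scriptable parts of the procedure: the LDIF import from step 3 (no-trust case) and a pre-flight check of what the wizard's Test Connection button verifies in step 4. The first section is run by the DMZ Active Directory administrator on a DMZ domain controller; the second on the DMZ system that will host the collector. The server name sql01.acme.corp, port 1433, SQL login dmzcollector, database AuditStoreDmz, domain controller dc01.acme.dmz and the file paths are placeholders.

```powershell
# Added example (not from the Centrify documentation). Placeholders: sql01.acme.corp, 1433,
# dmzcollector, AuditStoreDmz, dc01.acme.dmz, C:\Temp\AuditInstallation.ldf.

# ---- Section A: DMZ AD administrator, on a DMZ domain controller (no-trust case, step 3) ----
# Import the LDIF file exported from Audit Manager. -i = import, -f = file, -s = target DC,
# -j = directory for the ldifde log. Review the file's DN lines first so the objects land in
# the intended OU or container of the DMZ domain.
ldifde -i -f 'C:\Temp\AuditInstallation.ldf' -s dc01.acme.dmz -j 'C:\Temp'

# ---- Section B: on the DMZ system that will host the collector (before step 4) ----
$SqlServer = 'sql01.acme.corp'     # placeholder: SQL Server in the main domain
$SqlPort   = 1433                  # assumption: the configured listener port
$Database  = 'AuditStoreDmz'       # placeholder: active audit store database from step 1
$Login     = 'dmzcollector'        # placeholder: dedicated incoming collector SQL login from step 2
$Password  = Read-Host -AsSecureString -Prompt 'SQL login password'

# 1. Can the DMZ host reach the listener port through the firewall? (TCP only; UDP 1434 is not
#    exercised here because the port is given explicitly in the connection string.)
$tnc = Test-NetConnection -ComputerName $SqlServer -Port $SqlPort
if (-not $tnc.TcpTestSucceeded) {
    throw "TCP $SqlPort to $SqlServer is not reachable; revisit the firewall exceptions on the SQL Server."
}

# 2. Does the dedicated SQL login authenticate with SQL Server authentication?
#    SqlCredential keeps the password out of the connection string and requires a read-only SecureString.
$Password.MakeReadOnly()
$cred = New-Object System.Data.SqlClient.SqlCredential($Login, $Password)

$builder = New-Object System.Data.SqlClient.SqlConnectionStringBuilder
$builder['Data Source']     = "$SqlServer,$SqlPort"
$builder['Initial Catalog'] = $Database
$builder['Encrypt']         = $true    # the SQL Server certificate must be trusted by this host

$conn = New-Object System.Data.SqlClient.SqlConnection($builder.ConnectionString, $cred)
try {
    $conn.Open()
    $cmd = $conn.CreateCommand()
    # SUSER_SNAME() confirms which login was used; IsIntegratedSecurityOnly = 1 means Windows-only mode.
    $cmd.CommandText = "SELECT SUSER_SNAME() AS login_name, DB_NAME() AS db_name, " +
                       "CAST(SERVERPROPERTY('IsIntegratedSecurityOnly') AS int) AS windows_only"
    $reader = $cmd.ExecuteReader()
    while ($reader.Read()) {
        if ($reader['windows_only'] -eq 1) {
            Write-Warning 'SQL Server is in Windows-only authentication mode; enable mixed mode.'
        }
        Write-Output "Connected as $($reader['login_name']) to database $($reader['db_name'])."
    }
    $reader.Close()
}
finally {
    $conn.Dispose()
}
```

If section B succeeds, the Collector Configuration wizard's Test Connection step should succeed with the same login; the permission warnings the note above describes come from the wizard's Active Directory checks, not from this SQL connection.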