CAS and DMZ network topology
Rickard Oberg
rickard.oberg at senselogic.se
Sat Nov 11 10:00:53 EST 2006
Marc-Antoine Garrigue wrote:
> Hi Rickard,
> Could you explain what requirements/limitations of your context lead
> to locating the CAS Server A in the internal network instead of the DMZ?
Very simple: there is NO way that security-minded(/paranoid) people
would put their LDAP directory with their authentication information in
a DMZ. Since the authentication server needs access to the LDAP
directory for login, the whole scheme breaks down.
Hasn't this been encountered before? How do other people solve this?
> About deploying a ticket manager service in the DMZ, with ticket
> replication between A and C, this could be done using a distributed
> ticket registry (next release).
Alright, sounds good.
But as above, I'm really curious how people reason about this problem
today. This network topology issue seems kind of critical for the whole
idea.
/Rickard