CAS and DMZ network topology
Scott Battaglia
scott.battaglia at gmail.com
Sat Nov 11 17:06:05 EST 2006
Why is server B in the DMZ zone but server A is not if people on the
internal network need to access B? What happens in the scenario where
people on the non-internal network need to access B? They wouldn't be able
to log in as A is internal. So if people on the outside can't actually
access B anyway (since it's secured by CAS which is on the internal network),
why isn't B also on the internal network?
-Scott
On 11/11/06, Rickard Oberg <rickard.oberg at senselogic.se> wrote:
>
> Hi!
>
> We are considering using CAS as our main authentication strategy, but
> I'm not sure it is able to handle our network topology.
>
> Basically, we have two webservers, one of which (A) is handling CAS
> login and one of which (B) hosts a service that we want users to be able
> to log on to. Users connect from an internal network, and the CAS login
> server A is also located on this network, and can use the internal LDAP
> directory for authentication requests. However, the second webserver B
> providing the actual service is located on a DMZ which has no access to
> the internal network.
>
> Scenario:
> * Client uses browser to access B
> * Client is not logged in and is redirected to A
> * Client logs in. A verifies credentials with internal LDAP directory
> * Client is redirected back to B
> * B needs to validate ticket with A
>
> And in this last step comes the problem: since B is on the DMZ with no
> access to the internal network where A resides, is this scenario
> possible? It would seem that B needs to have a way to validate the
> ticket without contacting A for this to work. It seems to me that one
> would have to add a third server C, a ticket manager, for this to work.
> C would be located on the DMZ so that both A and B can access it. After
> authentication on A it would send the ticket to C, and when the user is
> redirected to B it will validate the ticket against C instead of A.
>
> Any ideas? Has anyone come across this before? Is it fixable at all??
>
> /Rickard
> _______________________________________________
> Yale CAS mailing list
> cas at tp.its.yale.edu
> http://tp.its.yale.edu/mailman/listinfo/cas
>
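To make the point of the thread concrete: of the five steps above, only the last one is a direct connection from B to A; the two redirects ride the client's browser. The following is an added example, not from the thread or the CAS project, that models server A issuing service tickets and answering a CAS 1.0 style validate request, with a constructed reachability table for this topology; the host names, the REACHABLE table and the password check are assumptions.

```python
import secrets
import time

# Constructed reachability for the topology in the thread. The redirects in
# steps 2 and 4 go through the client's browser, so they only need the client
# to reach A and B; step 5 is a direct server-to-server call from B to A.
REACHABLE = {("client", "A"): True, ("client", "B"): True, ("B", "A"): False}


class CasServer:
    """Stand-in for CAS server A: issues service tickets and answers /validate."""

    def __init__(self, ttl=300):
        self.ttl = ttl
        self.tickets = {}  # ticket -> (user, service, issued_at)

    def login(self, user, password, service, now=None):
        # Placeholder for the internal LDAP bind the thread describes (assumed).
        if password != "correct":
            return None
        st = "ST-" + secrets.token_urlsafe(16)
        self.tickets[st] = (user, service, time.time() if now is None else now)
        return st

    def validate(self, service, ticket, now=None):
        # CAS 1.0 response format: "yes\n<user>\n" or "no\n\n". A ticket is
        # single-use (pop), bound to the service it was issued for, and expires.
        now = time.time() if now is None else now
        entry = self.tickets.pop(ticket, None)
        if entry is None:
            return "no\n\n"
        user, bound_service, issued = entry
        if bound_service != service or now - issued > self.ttl:
            return "no\n\n"
        return f"yes\n{user}\n"


def service_b_validate(cas, service, ticket, reachable=REACHABLE):
    """Step 5 from service B's side: returns the user name, or None if CAS says no."""
    if not reachable.get(("B", "A"), False):
        raise ConnectionError("B cannot open a connection to A; validation impossible")
    lines = cas.validate(service, ticket).split("\n")
    return lines[1] if lines[0] == "yes" else None
```

With the thread's topology `service_b_validate` fails before any ticket check runs; opening B -> A (or moving A as Scott suggests) is what makes step 5 possible.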