Campus Active Directory - Forest Trust Technical Requirements

Before a Forest Trust can be created between a department's Active Directory forest and Campus Active Directory, an audit must be performed by OCIS/DoIT Security. This audit will verify that all security requirements listed below have been configured correctly.

Note: Implementation of the security requirements in the trusting forest is the responsibility of the customer's Active Directory administrators. Reasonable effort must be made by the customer administrators to research the effects of these changes on their environment and to implement them in a way consistent with the customer's change management process.

See the separate KB article explaining how to enable LDAPS on AD Domain Controllers.

IPsec Policy

IPSec Rules: CADS Forest Trust Traffic

Name | Description | Mode (Transport or Tunnel IP) | IP Filter List | Filter Action List | Network Type | Authentication Method
--- | --- | --- | --- | --- | --- | ---
CADS Forest trust traffic | | Transport | DCs | ESP-3DES-SHA1-0-3600 | LAN | PSK

CADS Domain Controllers

Name | Src Address | Dest Address | Protocol | Src Port | Dest Port | Mirrored
--- | --- | --- | --- | --- | --- | ---
CADSDC-PROD-01 | 144.92.104.44 | My IP Address | ANY | ANY | ANY | Y
CADSDC-PROD-02 | 144.92.74.87 | My IP Address | ANY | ANY | ANY | Y
CADSDC-PROD-03 | 144.92.104.17 | My IP Address | ANY | ANY | ANY | Y
CADSDC-PROD-04 | 144.92.74.63 | My IP Address | ANY | ANY | ANY | Y
CADSDC-PROD-05 | 144.92.104.18 | My IP Address | ANY | ANY | ANY | Y
CADSDC-PROD-06 | 144.92.74.69 | My IP Address | ANY | ANY | ANY | Y

Filter Actions

Name | Description | Filter Action Behavior | Security Method | AH | ESP | Session Key Lifetimes (sessions/seconds) | Accept Clear | Allow Fallback | Use PFS
--- | --- | --- | --- | --- | --- | --- | --- | --- | ---
ESP-3DES-SHA1-0-3600 | Require ESP 3DES/SHA1, no inbound clear, no fallback to clear, No PFS | Negotiate Security | Custom | N/A | 3DES/SHA1 | 0 / 3600 | N | N | N
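The tables above describe the policy in the terms of the legacy IP Security Policy snap-in. As an added example (not part of this KB article and not OCIS/DoIT-provided code), the same rule, filter list and filter action expressed with the Windows NetSecurity PowerShell cmdlets; the pre-shared key value, the display names and the mapping of "LAN" to the Wired interface type are assumptions.

```powershell
# Added example (not from the KB article): the CADS forest-trust IPsec policy from
# the tables above, built with the NetSecurity module (Windows Server 2012 and later).
# Run in an elevated session on the trusting forest's domain controller.
# The PSK is a placeholder; the real key is agreed with CADS out of band.
$psk = 'REPLACE-WITH-PSK-FROM-CADS'

# IP filter list "DCs": the six CADS production domain controllers from the KB table.
# "Mirrored = Y" is implicit here: a NetIPsecRule matches both directions.
$cadsDcs = @(
    '144.92.104.44', '144.92.74.87',  '144.92.104.17',
    '144.92.74.63',  '144.92.104.18', '144.92.74.69'
)

# Main mode (Phase 1): pre-shared key, as in the "Authentication Method" column.
$authProposal = New-NetIPsecAuthProposal -Machine -PreSharedKey $psk
$authSet = New-NetIPsecPhase1AuthSet -DisplayName 'CADS trust PSK' -Proposal $authProposal

# Quick mode (Phase 2): ESP with 3DES/SHA1, 3600 s key lifetime, no PFS.
# These are the values the KB table requires; 3DES and SHA1 are legacy algorithms.
$qmProposal = New-NetIPsecQuickModeCryptoProposal -Encapsulation ESP `
    -Encryption DES3 -ESPHash SHA1 -MaxMinutes 60
$qmSet = New-NetIPsecQuickModeCryptoSet -DisplayName 'ESP-3DES-SHA1-0-3600' `
    -Proposal $qmProposal -PerfectForwardSecrecyGroup None

# Rule: transport mode, any protocol/port, only to/from the CADS DCs.
# Require/Require corresponds to "Negotiate Security" with no inbound clear
# and no fallback to clear. "Network Type: LAN" is assumed to mean Wired.
New-NetIPsecRule -DisplayName 'CADS Forest trust traffic' `
    -Mode Transport -Protocol Any -LocalAddress Any -RemoteAddress $cadsDcs `
    -InterfaceType Wired `
    -InboundSecurity Require -OutboundSecurity Require `
    -Phase1AuthSet $authSet.Name -QuickModeCryptoSet $qmSet.Name `
    -Enabled True

# Check for the audit: the rule exists, and once traffic to a CADS DC has flowed,
# a quick-mode SA to one of the six addresses should be present.
Get-NetIPsecRule -DisplayName 'CADS Forest trust traffic' |
    Format-List DisplayName, Mode, InboundSecurity, OutboundSecurity
Get-NetIPsecQuickModeSA | Where-Object { $_.RemoteEndpoint -in $cadsDcs }
```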

Recommendations

The following configurations are not required, but are recommended for all trusting forests.

Glossary

References