MSMQ and Active Directory Domains

D Dabour

We are hosting a customer that is using MSMQ (not sure
but probably MSMQ 2.0 - I can confirm if needed). In
addition to the primary hosting area for the customer
(which is heavily locked down), the customer has another
co-location area in our data center. The customer has a
requirement that MSMQ needs to communicate between the
two "zones." Needless to say the zones are separated by
firewalls and are not part of the same Active Directory
domain.

Question: Can MSMQ work in this environment? Assume MSMQ
is in domain mode and not workgroup. I don't believe
workgroup mode can work across firewalls. Customer claims
the only way this can work is to extend the production
Active Directory domain to both zones. True? If yes, then
can it be a domain in another forest with a trust? Or
does it have to be the same forest or same domain?

Thanks in advance,

Dave Dabour
(e-mail address removed)
 
We run MSMQ between servers that are in different domains
in different forests.
We have TCP port 1801 open on the firewalls between both
MSMQ servers, bidirectionally (either end can initiate the
transaction).
All servers are DCs. Haven't worked out the MSMQ 'pointer'
issue yet.
 
Benny,

Thanks for the reply. The firewall is not a NAT firewall.
It's a traditional firewall with different subnets. Will
that help our situation?

Also would it be possible to have two domains in
different forests (separated via firewall with the needed
MSMQ firewall ports opened bidirectionally) work with
MSMQ? If so would a trust be required since they are
different forests?

Thanks again in advance. I'm not finding too much
information available about this either on TechNet or
elsewhere!

Dabour
 
Dear Dabour,

Thank you for your reply.

While sending transactional messages through the firewall, the first message
will get through the firewall and will reach the destination, but it will not
send any other messages. The other messages will not be sent and will remain
in the outgoing queues.

This is because the firewall replaces the source IP address of the packet
with its own IP address. Thus the first message reaches the destination.
The destination will create an ack message and will send it to the source IP
address of the message received. This IP address is from the firewall and
not from the actual sender. This ack message will reach the firewall, and
the firewall doesn't know what to do with it and will discard it.

To resolve the issue, please follow the instructions in the following
article to configure firewall for MSMQ access:

183293 HOWTO: Configure a Firewall for MSMQ Access
http://support.microsoft.com/?id=183293


Hope it is helpful.

Thanks and have a good day!


Regards,

Benny Fu
Microsoft Online Partner Support
Microsoft Corporation
Get Secure! – www.microsoft.com/security

This posting is provided "AS IS" with no warranties, and confers no rights.

--------------------
| >-----Original Message-----
| >Dear Customer,
| >
| >Thank you for your posting.
| >
| >A Message Queuing enterprise cannot fully extend over a NAT firewall.
| >Because of the nature of the address translation of the firewall, full
| >communication to and from the Primary Enterprise Controller (PEC) may not
| >be possible.
| >
| >There are three basic ways to approach the setup of the Message Queuing
| >enterprise or enterprises for this environment:
| >
| >- Install all of the independent clients on a Message Queuing enterprise
| >inside the firewall, and then move the clients outside the firewall. In
| >this scenario, you must accept that the clients may not be able to
| >communicate fully with their site controller.
| >
| >- Set up two Message Queuing enterprises in which one enterprise is inside
| >the firewall and one enterprise is outside the firewall. This is the
| >recommended Message Queuing enterprise structure when you use MSMQ 1.0.
| >
| >- Set up computers that are running Microsoft Windows 2000 (Message Queuing
| >2.0) in workgroup mode, and then use those computers outside the firewall
| >and, if you want to, inside the firewall.
| >
| >Hope it clears your concerns.
| >
| >Thanks and have a good day!
| >
| >Regards,
| >
| >Benny Fu
| >Microsoft Online Partner Support
| >Microsoft Corporation
| >Get Secure! - www.microsoft.com/security
| >
| >This posting is provided "AS IS" with no warranties, and confers no rights.
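The failure mode Benny describes (the ack addressed to the firewall's own address and discarded) and the bidirectional port 1801 rule from the earlier reply, as an added toy model that is not from this thread: the hosts, addresses and the static inbound mapping are constructed assumptions, and only packet flow is modelled, not the MSMQ wire protocol.

```python
# Added toy model (not from the thread): how an MSMQ ack's return path fares
# behind a traditional firewall versus a source-NAT firewall. Addresses and
# the static inbound mapping are constructed assumptions; only packet flow is
# modelled, not the MSMQ wire protocol.
from dataclasses import dataclass

MSMQ_PORT = 1801  # TCP port the thread says must be open in both directions


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int


class RoutingFirewall:
    """Traditional (non-NAT) firewall between two subnets: forwards a packet
    unchanged if a rule permits its destination port in that direction."""

    def __init__(self, allow_inbound, allow_outbound):
        self.allow = {"in": set(allow_inbound), "out": set(allow_outbound)}

    def forward(self, pkt, direction):
        return pkt if pkt.dport in self.allow[direction] else None


class SourceNatFirewall:
    """Firewall that rewrites the source of outbound packets to its own
    address. An inbound packet addressed to that address is a new flow, so
    it is delivered only if a static mapping names the inside host."""

    def __init__(self, public_ip, static_map=None):
        self.public_ip = public_ip
        self.static_map = dict(static_map or {})  # dport -> inside host

    def forward(self, pkt, direction):
        if direction == "out":
            return Packet(self.public_ip, pkt.dst, pkt.dport)
        target = self.static_map.get(pkt.dport)
        return Packet(pkt.src, target, pkt.dport) if target else None


def exchange(fw, sender, receiver):
    """Send one message from sender (inside) to receiver (outside); the
    receiver then addresses its ack to the source IP it saw on the message.
    Returns (message_delivered, ack_delivered_to_sender)."""
    msg = fw.forward(Packet(sender, receiver, MSMQ_PORT), "out")
    if msg is None:
        return (False, False)
    ack = fw.forward(Packet(receiver, msg.src, MSMQ_PORT), "in")
    return (True, ack is not None and ack.dst == sender)
```

The one-way rule case shows why the earlier reply opened 1801 in both directions: the message goes out but the ack is blocked on the way back.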
 
Dear Dabour,

Thank you for your reply.

Please create a trust relationship between the two domains.

327220 INFO: Cross Domain Restriction for MSMQ
http://support.microsoft.com/?id=327220

Thanks and have a good day!

Regards,

Benny Fu
Microsoft Online Partner Support
Microsoft Corporation
Get Secure! – www.microsoft.com/security

This posting is provided "AS IS" with no warranties, and confers no rights.

--------------------
| Benny,
|
| Thank you. This information is very helpful.
|
| I will config the firewall per the KB article.
|
| We have an Active Directory domain setup on one side of
| the firewall. We do not on the other as we only have
| member servers. Do we need to have the same AD domain on
| the other side of the firewall? Or is it OK if the other
| side is NOT in the same domain?
|
| Thanks!
|
| (e-mail address removed)
 
Benny,

I don't think that KB article is publicly available. I
tried your link as well as the Premier web site. Can you
please double check or please email the contents to
(e-mail address removed)?

Thanks in advance,

Dave
 