Hosting Your Password Reset Portal in a DMZ

We were recently asked if it was possible to install the Passwordstate Password Reset Portal in a DMZ.  A DMZ or Demilitarized zone, also known as a Perimeter Network or Screened Subnet, is usually a physically (or logically) separate network containing an organization’s external-facing services.  This is usually the Internet however large federated institutions such as Universities sometimes utilize the same for common services offered to faculty networks.

Our Password Reset Portal is a Self-Service Portal designed to enable your users to unlock or reset the password for their Active Directory Domain account.  The intent is to allow end-users to easily reset their own Active Directory password without having to contact your Help / Service Desk.  This not only means the service is available 24 hours a day, but you also unburden your IT Support staff from having to handle high volume, repetitive, transactional processes that are ultimately of low value (if the security aspect is handled appropriately).

And yes, you absolutely can install the Password Reset Portal within a DMZ so that it’s accessible to employees that are out of the office.

Verify the User is who they say they are!

This is where we cover the prior statement about the security aspect being handled appropriately. 

Most organizations struggle with the manual processes associated with verification of a user’s identity when they need their password reset!  This isn’t just an unsubstantiated statement.  The Click Studios Senior Management Team have worked in Executive and Senior IT Management positions spanning Global and Australian Enterprise Organizations, in industries such as Aerospace and Defence, Government, Law Enforcement, Mining, Oil & Gas, Banking & Finance, and Systems Integration. 

Rather than utilize manual processes for identity verification, the Password Reset Portal has the option of up to 10 different secure verification policies to choose from.  This means you can identify your users as they start the process of resetting or unlocking their AD Password.  It’s a more secure process than having an employee manually process the request, provides a faster and better user experience and is available 24 hours a day!

Install the Password Reset Portal where you need it!

The Password Reset Portal is installed via a separate installer executable and is included with the Passwordstate core product download.   It can be accessed from the screen Administration->Password Reset Portal Administration within Passwordstate.  Installation is performed through a Setup Wizard and the instructions can be located here,

The Password Reset Portal operates via a separate website and communicates back to the main Passwordstate website via an SSL tunnel.  All traffic carried via the SSL tunnel is encrypted.  All business logic including user authentication, verification of user identity, password resetting and unlocking of accounts etc. is performed by the API (Application Programming Interface) located on your Passwordstate website.

As this blog is about installation of your Password Reset Portal in your DMZ, click next and supply the information relevant to your environment and click Save.  You’ll then be prompted to run PasswordResetPortal.exe on the server you have chosen within your DMZ.  Simply follow the instructions provided by the Installation Wizard to complete the install. 

Open Port Considerations

It’s important to remember that your Website that hosts the Password Reset Portal in the DMZ must have appropriate ports open back to your Passwordstate web server.   

  • For communication from the Password Reset Portal back to you Passwordstate Instance API this is generally Port 443 unless you are using a non-standard port by default for HTTPS.  You must also have a Domain Certificate Authority installed, so that Passwordstate can communicate via LDAPS (LDAP over SSL).
  • Port 636 is required by LDAPS for communication by the Passwordstate User Interface and the API to Active Directory, allowing the reset of Passwords and unlocking of accounts.
  • Ports 135 and 49153 are required for the Passwordstate UI and Windows Service to query Event Logs on Domain Controllers for bad login attempts and account lockouts.

As usual, any suggestions or feedback are welcome via