My internal corp network will be Corp.COM. The 3rd-party network will be 3rd.COM. Currently 3rd.COM has a one-way External Trust pointing inward to Corp.com. The reason for this is 3rd.COM hosts our external-facing systems. Corp.COM Domain and Forest levels are Windows 2003. 3rd.com Domain level is Windows 2000 Mixed and the Forest is Windows 2000. 3rd.COM has some servers that are currently joined to the 3rd.com domain. 3rd.com also has a DMZ created to host our external-facing apps. 3rd.com's DMZ has various firewall holes poked from the DMZ to the internal 3rd.com network.
We are looking to secure the connections. From what I have been reading we are probably going to turn the 3rd.com DMZ into another forest. Management will deal with the overhead of another forest to manage rather than potentially expose data from the 3rd.com internal network. What we would like to do is take the existing corp.com DCs, 3rd.com DCs, and soon-to-be 3rd-DMZ.com DCs and create an IPsec policy for communication between them. A few things I am curious about.
We do NOT have a CA and PSK is out of the question, so if we upgrade the 3rd.com domain/forest to Windows 2003, can we create a one-way trust that is protected by IPsec with Windows 2003 DCs using Kerberos? I have seen mixed reviews. I am curious if we upgrade 3rd.com's functional levels and change the one-way trust from external to forest whether our trust can be encrypted. This would be particularly useful for the communication between the soon-to-be DMZ forest (3rd-dmz.com) and 3rd.com. Every document I read always stresses DC-to-DC IPsec communication between trusts, but without a Cert Authority I am hoping for another available solution.
Thank you for any insight.
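For reference, here is what a Kerberos-authenticated DC-to-DC IPsec policy looks like when built with the `netsh ipsec static` context on Windows Server 2003. This is an added example, not the poster's configuration: the policy, filter list, and rule names are made up, and the two addresses (10.1.0.10 for a Corp.COM DC and 10.2.0.10 for a 3rd.com DC) are constructed placeholders for whatever the real DC pairs are. It assumes both DCs run Windows Server 2003 and that the rule is applied on each side with the addresses swapped.

```batch
@echo off
rem Added example: Kerberos-authenticated IPsec policy between two DCs
rem (constructed names and addresses; adjust to the real DC pair).

rem 1. Create the policy container.
netsh ipsec static add policy name="DC-to-DC IPsec" description="Protect DC-to-DC traffic across the trust"

rem 2. Filter list: all traffic between this DC and the partner DC, mirrored so
rem    the reverse direction is covered by the same entry.
netsh ipsec static add filterlist name="Partner DC traffic"
netsh ipsec static add filter filterlist="Partner DC traffic" srcaddr=10.1.0.10 dstaddr=10.2.0.10 protocol=ANY mirrored=yes

rem 3. Filter action: negotiate ESP with encryption and integrity.
rem    soft=no and inpass=no mean no clear-text fallback once assigned; for a
rem    first test of a single pair, soft=yes lets you confirm that the
rem    Kerberos exchange itself succeeds before enforcing.
netsh ipsec static add filteraction name="Require ESP" action=negotiate qmsecmethods="ESP[3DES,SHA1]" inpass=no soft=no

rem 4. Rule: tie filter list and action together, authenticating with Kerberos
rem    (kerberos=yes) rather than psk= or rootca=.
netsh ipsec static add rule name="Partner DC rule" policy="DC-to-DC IPsec" filterlist="Partner DC traffic" filteraction="Require ESP" kerberos=yes

rem 5. Review, then assign the policy on this DC.
netsh ipsec static show policy name="DC-to-DC IPsec" level=verbose
netsh ipsec static set policy name="DC-to-DC IPsec" assign=yes

rem 6. After traffic to the partner DC, confirm a main-mode SA was established.
netsh ipsec dynamic show mmsas
```

The point this surfaces for the question above: with `kerberos=yes`, each DC must first obtain a Kerberos ticket for the other before the IPsec main-mode exchange can complete, and that ticket request is itself traffic between the two DCs that the policy is trying to protect. Whether it succeeds across a one-way trust, and whether the DC can reach a KDC for the partner's realm without the policy blocking it, is exactly the "mixed reviews" the poster has seen, and it is the reason the published DC-to-DC guidance leans on certificate authentication. Running the first pair with `soft=yes` and watching `show mmsas` is the cheapest way to find out before committing the firewall changes.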