Re: DNS Subnet question with DMZ

  • From: "Jay" <jschwarzkopf@xxxxxxxxxx>
  • To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
  • Date: Fri, 10 Aug 2001 16:56:21 -0400

Damn, you're good.

----- Original Message -----
From: "Jim Harrison" <jim@xxxxxxxxxxxx>
To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
Sent: Friday, August 10, 2001 4:24 PM
Subject: [isalist] Re: DNS Subnet question with DMZ


> http://www.ISAserver.org
>
>
> It wouldn't; I was reading the email you hadn't written yet ... :-\
>
> Jim Harrison
> MCP(2K), A+, Network+, PCG
>
> ----- Original Message -----
> From: "Jay" <jschwarzkopf@xxxxxxxxxx>
> To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
> Sent: Friday, August 10, 2001 12:02 PM
> Subject: [isalist] Re: DNS Subnet question with DMZ
>
>
> How would SMTP relay help with OWA?
>
> ----- Original Message -----
> From: "Jim Harrison" <jim@xxxxxxxxxxxx>
> To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
> Sent: Friday, August 10, 2001 2:45 PM
> Subject: [isalist] Re: DNS Subnet question with DMZ
>
> >
> > True; or as Tom suggested, use an SMTP relay in the DMZ.
> >
> > Jim Harrison
> > MCP(2K), A+, Network+, PCG
> >
> > ----- Original Message -----
> > From: "Jay" <jschwarzkopf@xxxxxxxxxx>
> > To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
> > Sent: Friday, August 10, 2001 11:30 AM
> > Subject: [isalist] Re: DNS Subnet question with DMZ
> >
> >
> > I understand.
> >
> > Then, even with back-to-back firewalls, it would be wise to put the OWA
> > Front End server on the internal network, and publish it on the internal
> > firewall.
> >
> >
> > ----- Original Message -----
> > From: "Jim Harrison" <jim@xxxxxxxxxxxx>
> > To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
> > Sent: Friday, August 10, 2001 1:53 PM
> > Subject: [isalist] Re: DNS Subnet question with DMZ
> >
> > >
> > > There is always a choice.  If you choose to place E2K in the DMZ, then you
> > > also choose to open the DMZ to the LAT for AD communications.  It's all
> > > about choices and the risks you're willing to accept.
> > >
> > > Jim Harrison
> > > MCP(2K), A+, Network+, PCG
> > >
> > >
> > > ----- Original Message -----
> > > From: "Jay" <jschwarzkopf@xxxxxxxxxx>
> > > To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
> > > Sent: Friday, August 10, 2001 10:05
> > > Subject: [isalist] Re: DNS Subnet question with DMZ
> > >
> > >
> > > Of course, with E2k you have no choice.
> > >
> > > ----- Original Message -----
> > > From: "Jim Harrison" <jim@xxxxxxxxxxxx>
> > > To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
> > > Sent: Friday, August 10, 2001 12:03 PM
> > > Subject: [isalist] Re: DNS Subnet question with DMZ
> > >
> > > >
> > > > That server would provide an open path to the LAT through the VPN
> > > > connection.
> > > > All deployment is based on risk assessment.  Only you can determine if the
> > > > dangers of a given setup are outweighed by the benefits.  Generally, only
> > > > those protocols that need to pass between DMZ and LAT should be allowed.
> > > > Allowing AD traffic to the DMZ is dangerous, regardless of how you allow it.
> > > >
> > > > Jim Harrison
> > > > MCP(2K), A+, Network+, PCG
> > > >
> > > > ----- Original Message -----
> > > > From: "Jay" <jschwarzkopf@xxxxxxxxxx>
> > > > To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
> > > > Sent: Friday, August 10, 2001 7:49 AM
> > > > Subject: [isalist] Re: DNS Subnet question with DMZ
> > > >
> > > >
> > > > Okay.
> > > >
> > > > What about server in perimeter network of back-to-back (using different
> > > > firewalls), with VPN connection into internal ISA firewall? Is that any more
> > > > a security concern than published ports?
> > > >
> > > >
> > > > ----- Original Message -----
> > > >   From: Jim Harrison
> > > >   To: [ISAserver.org Discussion List]
> > > >   Sent: Friday, August 10, 2001 10:27 AM
> > > >   Subject: [isalist] Re: DNS Subnet question with DMZ
> > > >
> > > >
> > > >   A DMZ provides isolation of your trusted network from your
> > > > "publicly-available" servers.  Some like to think of the DMZ as the
> > > > "sacrificial lamb", and to a degree it is.  The general idea is that if
> > > > someone wants to trash something, let it be in the DMZ.  By the same token,
> > > > if someone were to trash your DMZ server, they still don't have direct
> > > > access to the trusted LAN.
> > > >
> > > >   Jim Harrison
> > > >   MCP(2K), A+, Network+, PCG
> > > >
> > > >     ----- Original Message -----
> > > >     From: Jay
> > > >     To: [ISAserver.org Discussion List]
> > > >     Sent: Friday, August 10, 2001 7:18 AM
> > > >     Subject: [isalist] Re: DNS Subnet question with DMZ
> > > >
> > > >
> > > >     Is there a benefit of putting E2k (or any server) on DMZ, over just
> > > > publishing it from internal net?
> > > >
> > > >
> > > >
> > > >       ----- Original Message -----
> > > >       From: Jim Harrison
> > > >       To: [ISAserver.org Discussion List]
> > > >       Sent: Friday, August 10, 2001 9:38 AM
> > > >       Subject: [isalist] Re: DNS Subnet question with DMZ
> > > >
> > > >
> > > >       Unfortunately, the best you can do for the DMZ server is a single IP
> > > > with the set you're given.
> > > >       Since the DMZ in a three-homed ISA is a subnet of the external
> > > > subnet, you have to use a /30 mask for the DMZ, giving you only 2 usable
> > > > IPs; one for the ISA DMZ NIC and one left for a server.
> > > >       Is the Exchange server an E2K variation?  If so, placing it in the DMZ
> > > > is more trouble than it's worth, given the issues related to AD membership
> > > > across a firewall.
> > > >
> > > >       Jim Harrison
> > > >       MCP(2K), A+, Network+, PCG
> > > >
> > > >         ----- Original Message -----
> > > >         From: cismic
> > > >         To: [ISAserver.org Discussion List]
> > > >         Sent: Thursday, August 09, 2001 9:51 PM
> > > >         Subject: [isalist] DNS Subnet question with DMZ
> > > >
> > > >
> > > >         I also posted this to the message boards. Sorry for the duplication.
> > > > Just thought I'd see if anyone was online tonight with some ideas.
> > > >
> > > >         J
> > > >
> > > >
> > > >
> > > >         Hello,
> > > >
> > > >
> > > >
> > > >         I'm using 10.0.0.1 for illustration:
> > > >
> > > >
> > > >
> > > >         I have 10.0.0.1/29 (8 IPs, 32 per C)
> > > >
> > > >         as my ip address. IPs .1 and .8 are being used by my ISP. .7 is
> > > > assigned to my CISCO 776M ISDN router.
> > > >
> > > >
> > > >
> > > >         That leaves me with 5 IP addresses to use.
> > > >
> > > >         .2, .3, .4, .5, .6
> > > >
> > > >         EXT NIC 1. = .2
> > > >
> > > >         DMZ NIC 1. = .3
> > > >
> > > >         DMZ servers would be .4, .5, .6
> > > >
> > > >
> > > >
> > > >         If I split those into something like the following
> > > >
> > > >         .4 sql
> > > >
> > > >         .5 web
> > > >
> > > >         .6 DNS
> > > >
> > > >         I run out of addresses and won't be able to place my exchange server
> > > > in the dmz.
> > > >
> > > >
> > > >
> > > >         and Internal NIC private could be 10.0.1.0
> > > >
> > > >
> > > >
> > > >         Is there another method that will work just as well so I can publish
> > > > my Exchange server?
> > > >
> > > >
> > > >
> > > >         ------------------------------------------------------
> > > >         You are currently subscribed to this ISAserver.org Discussion List
> > > > as: jim@xxxxxxxxxxxx
> > > >         To unsubscribe send a blank email to
> > > > $subst('Email.Unsub')


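Added example, not part of the thread: the /30 arithmetic from Jim Harrison's earliest quoted reply (a three-homed DMZ carved out of the external subnet), generalized to any block size so the effect of a larger ISP allocation is visible. The address blocks, the router and external NIC addresses, and the helper name `dmz_subnets` are constructed for illustration.

```python
import ipaddress

def dmz_subnets(external_block, in_use, dmz_prefix=30):
    """List sub-blocks of the external segment that could serve as the DMZ.

    external_block: the ISP allocation (host bits tolerated, e.g. x.x.x.1/29)
    in_use: addresses already assigned on the external segment
            (ISP router, ISA external NIC); the DMZ must not contain them
    """
    block = ipaddress.ip_network(external_block, strict=False)
    if dmz_prefix <= block.prefixlen:
        raise ValueError("DMZ must be a smaller subnet of the external block")
    taken = [ipaddress.ip_address(a) for a in in_use]
    plans = []
    for sub in block.subnets(new_prefix=dmz_prefix):
        if any(addr in sub for addr in taken):
            continue  # overlaps a host that has to stay on the external side
        hosts = [str(h) for h in sub.hosts()]  # excludes network/broadcast
        plans.append({
            "subnet": str(sub),
            "isa_dmz_nic": hosts[0],   # first usable address goes to the firewall
            "servers": hosts[1:],      # what is left for published servers
        })
    return plans

if __name__ == "__main__":
    # Constructed values (documentation ranges), not the poster's real addresses.
    for plan in dmz_subnets("192.0.2.0/29", ["192.0.2.1", "192.0.2.2"]):
        print(plan)
    for plan in dmz_subnets("203.0.113.0/28", ["203.0.113.1", "203.0.113.2"], 29):
        print(plan)
```

With a /29 allocation the only DMZ that fits leaves a single server address; a /28 split at /29 leaves five.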
