Hi Nathan,

Your network is this with my comments:

Internet Router (Public IP)
|
|
PIX FIREWALL (NOTE 1)
|
|
Web server (NOTE 2)
|
|
PIX FIREWALL *internal Network* (NOTE 3)
|
|
ISA SERVER (NOTE 4)
|
|
SQL SERVER (NOTE 5)

NOTE 1: Don't need to show port 1433 or 2433.

NOTE 2: A. Set up a local user on this box that will be assigned to your web site. You or the security team control the passwords to this account; then, when adding to your web site, don't allow IIS to control the PW.

NOTE 3: Have PIX publish just the port you need for SQL, and that publishes to the ISA Server machine.

NOTE 4: PUBLISH the SQL machine from within ISA Server.

NOTE 5: Create another local account that matches the same account that you created on the WEB SERVER (NOTE 2). Assign this local account to your DB that the web application is using. You could also go as far as creating read-only views and update views and not allow direct updating to tables directly or via stored procedures. I do this and it works well.

This in essence creates the trusted relationship. It is only 1 user and password to manage this way, so the maintenance is minimal. And if documented, then you will know that this account is not in the domain. There are some minor issues if you run .NET, where you can fix the machine.config to utilize the account you created and also have that pass trusted credentials to the back end SQL box.

Thank you,
Joseph

-----Original Message-----
From: Nathan Casey [mailto:NCASEY@xxxxxxxxxxxxxxxxx]
Sent: Thursday, July 01, 2004 4:23 PM
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: Server publishing

http://www.ISAserver.org

One of the main confusions for the whole server publishing thing for me is the fact that our external webservers are in a PIX DMZ with their own Extranet Active Directory. There is no, and never will be, a trust between our production domain and our DMZ domain. The ISA server is on the edge of the production domain (PIX DMZ).
How can I allow access from external users via the internet to the internal SQL server apps with either SQL authentication or Domain authentication? Your advice is definitely appreciated.

Thank you
Nathan

>>> josephk@xxxxxxxxx 7/1/2004 3:57:05 PM >>>
http://www.ISAserver.org

Hi there,

SQL has merge replication that might work for your application. Besides, when designing an application as a developer you need to:

1. Make sure before the submit button is selected that all possible values are edited from the client side to save the round trip to the server.
2. Make sure that if your DB field size is 20 you're not trying to stuff 30 into it. You need this for every field, editing that is.
3. Make sure that all entries are using URL encoding.
4. If anyone is still using dynamic SQL, make sure that you only allow your SQL statement to be sent to the server.

I also see that you're still on the question of publishing your SQL box. Exactly what is it that you're not getting? If you publish the way that I sent the last time, you won't have any issues and your security guy just might buy you some flowers.

Thank you,
Joseph

-----Original Message-----
From: Nathan Casey [mailto:NCASEY@xxxxxxxxxxxxxxxxx]
Sent: Thursday, July 01, 2004 3:13 PM
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: Server publishing

http://www.ISAserver.org

Very good suggestion, but the users that access the internet application make changes that would need to be replicated back to the internal SQL server. The one-way transactional replication scenario would not work for this app.

>>> thor@xxxxxxxxxxxxxxx 7/1/2004 12:45:24 PM >>>
http://www.ISAserver.org

To add to the previous (and excellent) points of Shawn and The Good Doctor, I would *highly* recommend considering populating the DMZ with its own SQL server (with proper licensing, of course). Any leveraging of SQL injection-type attacks would afford an attacker the luxury of executing code on a box within your internal network.
Further, from an authentication standpoint, I would imagine that your internal SQL box (assuming MS SQL) would have to be configured to accept Mixed-mode authentication (with the ADODB connection strings containing user credentials), a far weaker authentication model than NT-based authentication; that, or (heaven forbid) you've got shared domain membership between the DMZ web server's IUSR account and the internal SQL box to accommodate authentication of the web application's requests for data. In either case, a compromise of the web server would give an attacker credentials that could be used on your internal network, as well as a direct path (1433) into your network.

A DMZ-based SQL box could be locked down, and the internal box could utilize one-way transactional replication to the DMZ. In this model, there is no static port open to the internal network, there are no shared credentials (the internal box's replication push would use creds on the DMZ box and not the other way around) and any compromise would leave the attacker in the DMZ. Further, the available data on the DMZ box would be limited to that required by the application. My bet is that your internal SQL box has data above and beyond that required by the web app.

Just a thought.

t

----- Original Message -----
From: "Thomas W Shinder" <tshinder@xxxxxxxxxxx>
To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
Sent: Thursday, July 01, 2004 12:24 PM
Subject: [isalist] RE: Server publishing

http://www.ISAserver.org

Hi Shawn,

Good point. With the SQL publishing scenario, the ISA firewall isn't providing any security (just like the PIX). However, if there are services behind the ISA firewall that are exposed to app layer filtering, I'd keep the dual-homed ISA box where it is.

Tom
www.isaserver.org/shinder
Get the book!
Tom and Deb Shinder's Configuring ISA Server 2004
http://tinyurl.com/3xqb7
MVP -- ISA Firewalls

-----Original Message-----
From: Quillman Shawn (RBNA/CSA1) * [mailto:Shawn.Quillman@xxxxxxxxxxxx]
Sent: Thursday, July 01, 2004 2:11 PM
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: Server publishing

http://www.ISAserver.org

Yes. The only time you can have 1 adapter is when ISA is in cache-only mode, in which situation you can only web publish.

The config you show doesn't really make sense; the ISA would be redundant. You would just publish the SQL server via the internal PIX. What is it you're trying to accomplish with the ISA?

-Shawn

-----
Shawn R. Quillman
Robert Bosch Corporation
RBNA/CSA1
38000 Hills Tech Drive
Farmington Hills, MI 48331
(248) 553-1164 (P)
(248) 848-6969 (F)
shawn.quillman@xxxxxxxxxxxx

-----Original Message-----
From: nathan [mailto:ncasey@xxxxxxxxxxxxxxxxx]
Sent: Thursday, July 01, 2004 3:40 PM
To: [ISAserver.org Discussion List]
Subject: [isalist] Server publishing

http://www.ISAserver.org

With server publishing, if I publish a SQL server that sits on the internal network, does my ISA server need 2 adapters? The SQL server is acting as a back-end database server for a Web site which is hosted on a web server in a PIX DMZ. If I do need 2 adapters for server publishing, can they both reside in PIX DMZs?
My network security guy wants all incoming traffic to go through the PIX firewall.

Internet Router (Public IP)
|
|
PIX FIREWALL
|
|
Web server
|
|
PIX FIREWALL *internal Network*
|
|
ISA SERVER
|
|
SQL SERVER

------------------------------------------------------
List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist
ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ
------------------------------------------------------
Other Internet Software Marketing Sites:
World of Windows Networking: http://www.windowsnetworking.com
Leading Network Software Directory: http://www.serverfiles.com
No.1 Exchange Server Resource Site: http://www.msexchange.org
Windows Security Resource Site: http://www.windowsecurity.com/
Network Security Library: http://www.secinf.net/
Windows 2000/NT Fax Solutions: http://www.ntfaxfaq.com
------------------------------------------------------
You are currently subscribed to this ISAserver.org Discussion List as: shawn.quillman@xxxxxxxxxxxx
To unsubscribe visit http://www.webelists.com/cgi/lyris.pl?enter=isalist
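As an added example (not from Joseph's post or from ISA Server, PIX or any product named in the thread), this is how the single mirrored local account of NOTE 2 and NOTE 5, with read-only views and a server-side checked update path instead of direct table access, looks in T-SQL on a current SQL Server. The login SQLHOST\WebAppSvc, the database WebAppDb and the dbo.Orders table with its Note column are assumed names.

```sql
-- Added example, not from the thread. Assumed names: SQLHOST\WebAppSvc
-- (the local account mirrored from the web server, NOTE 2 / NOTE 5),
-- WebAppDb, and dbo.Orders with a Note NVARCHAR(20) column.

USE master;
GO
-- Map the mirrored local Windows account to a login; no domain trust needed.
CREATE LOGIN [SQLHOST\WebAppSvc] FROM WINDOWS;
GO

USE WebAppDb;
GO
CREATE USER WebAppSvc FOR LOGIN [SQLHOST\WebAppSvc];
GO

-- Read path: a view exposing only the columns the web application needs.
CREATE VIEW dbo.vOrderSummary AS
SELECT OrderId, CustomerId, OrderDate, Total
FROM dbo.Orders;
GO

-- Update path: a procedure that enforces the field size on the server side
-- (item 2 of Joseph's checklist) instead of trusting the client. The
-- parameter is wider than the column so an oversized value is rejected
-- rather than silently truncated to 20 characters.
CREATE PROCEDURE dbo.uspSetOrderNote
    @OrderId INT,
    @Note    NVARCHAR(MAX)
AS
BEGIN
    SET NOCOUNT ON;
    IF @Note IS NULL OR LEN(@Note) NOT BETWEEN 1 AND 20
    BEGIN
        RAISERROR('Note must be 1 to 20 characters.', 16, 1);
        RETURN;
    END;
    UPDATE dbo.Orders SET Note = @Note WHERE OrderId = @OrderId;
END;
GO

-- The account can read the view and run the procedure, and nothing else.
-- No permission is granted on dbo.Orders itself: view, procedure and table
-- share the dbo owner, so ownership chaining lets them reach the table while
-- an ad hoc statement from the web server against dbo.Orders is refused.
GRANT SELECT  ON dbo.vOrderSummary TO WebAppSvc;
GRANT EXECUTE ON dbo.uspSetOrderNote TO WebAppSvc;
GO
```

If the web server is compromised, the only credential it holds is this local account, which can read the view and call the procedure but cannot query or modify the base table, log in elsewhere as a domain account, or reach any other database.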