RE: Server publishing

  • From: "josephk" <josephk@xxxxxxxxx>
  • To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
  • Date: Thu, 1 Jul 2004 17:11:11 -0700

Internal in what fashion? Are the users part of an AD setup?
Are they using the same Db? 

-----Original Message-----
From: Nathan Casey [mailto:NCASEY@xxxxxxxxxxxxxxxxx] 
Sent: Thursday, July 01, 2004 5:09 PM
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: Server publishing


http://www.ISAserver.org

What if I only want members of an internal domain group to access the
site & data?

>>> josephk@xxxxxxxxx 7/1/2004 4:37:26 PM >>>
http://www.ISAserver.org 

Hi Nathan,
Your network is this with my comments:

Internet Router
   (Public IP)
        |
        |
PIX FIREWALL ( NOTE 1)
        |
        |
  Web server ( NOTE 2 )
        |
        |       
PIX FIREWALL
*internal Network*  (NOTE 3)
        |
        |
ISA SERVER  (NOTE 4)
        |
        |
SQL SERVER  (NOTE 5)

NOTE 1: Don't need to show port 1433 or 2433.
NOTE 2: A. Set up a local user on this box that will be assigned to your
        web site. You or the security team control the passwords to this
        account; then, when adding it to your web site, don't allow IIS to
        control the PW.
NOTE 3: Have PIX publish just the port you need for SQL, and that
        publishes to the ISA Server machine.
NOTE 4: PUBLISH the SQL machine from within ISA Server.
NOTE 5: Create another local account that matches the same account that
        you created on the WEB SERVER (NOTE 2). Assign this local account
        to your Db that the web application is using. You could also go
        as far as creating read-only views and update views and not allow
        direct updating to tables, directly or via stored procedures. I do
        this and it works well. This in essence creates the trusted
        relationship.

It is only 1 user and password to manage this way, so the maintenance is
minimal. And if documented, then you will know that this account is not
in the domain.

There are some minor issues if you run .NET, where you can fix the
machine.config to utilize the account you created and also have that
pass trusted credentials to the back-end SQL box.

Thank you,

Joseph
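The account/view/procedure layout Joseph describes in NOTE 2 and NOTE 5, written out as T-SQL. This is an added example, not code from the thread or from any of the posters. It assumes SQL Server 2005 or later syntax; SQLHOST (the SQL Server machine name), webapp_svc (the local Windows account created with the same name and password on both the web server and the SQL box), WebAppDb and dbo.Orders are placeholders.

```sql
-- Added example (not from the thread): least-privilege access for the web
-- application's local account. Placeholders: SQLHOST, webapp_svc, WebAppDb,
-- dbo.Orders. Syntax is SQL Server 2005+.
USE WebAppDb;
GO

-- 1. Login for the SQL box's own *local* copy of the account. The web server
--    presents the same username/password, SQL Server validates it against its
--    local SAM, and no domain trust is involved (Joseph's "trusted relationship").
CREATE LOGIN [SQLHOST\webapp_svc] FROM WINDOWS;
GO
CREATE USER webapp_svc FOR LOGIN [SQLHOST\webapp_svc];
GO

-- 2. Read-only view limited to the columns the site actually displays.
CREATE VIEW dbo.vw_OrderSummary
AS
    SELECT OrderId, CustomerName, OrderDate, Status
    FROM dbo.Orders;
GO

-- 3. Updates only through a stored procedure with typed parameters, so the
--    web application never issues UPDATE against the table itself.
CREATE PROCEDURE dbo.usp_SetOrderStatus
    @OrderId INT,
    @Status  VARCHAR(20)
AS
BEGIN
    SET NOCOUNT ON;
    IF @Status NOT IN ('open', 'shipped', 'closed')
    BEGIN
        RAISERROR('Invalid order status.', 16, 1);
        RETURN;
    END;
    UPDATE dbo.Orders SET Status = @Status WHERE OrderId = @OrderId;
END;
GO

-- 4. Grant the view and the procedure only. The explicit DENY on the base
--    table records the intent; because view, procedure and table all share
--    the dbo owner, ownership chaining still lets the view and procedure
--    touch the table on the account's behalf.
GRANT SELECT  ON dbo.vw_OrderSummary    TO webapp_svc;
GRANT EXECUTE ON dbo.usp_SetOrderStatus TO webapp_svc;
DENY  SELECT, INSERT, UPDATE, DELETE ON dbo.Orders TO webapp_svc;
GO

-- 5. Check from the application's point of view: impersonate the account
--    and confirm that the base table is closed while the view and the
--    procedure remain usable.
EXECUTE AS USER = 'webapp_svc';
BEGIN TRY
    SELECT TOP 1 OrderId FROM dbo.Orders;       -- blocked by the DENY
END TRY
BEGIN CATCH
    PRINT 'Direct table access blocked: ' + ERROR_MESSAGE();
END CATCH;
SELECT TOP 1 OrderId FROM dbo.vw_OrderSummary;  -- permitted via the view
EXEC dbo.usp_SetOrderStatus @OrderId = 1, @Status = 'shipped';  -- permitted via the procedure
REVERT;
GO
```

Run the whole script as a sysadmin; the impersonation block at the end is the check a practitioner wants after any permission change, since a missing GRANT or a broken ownership chain (objects with different owners) only shows up when the statements are tried as the application account.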

-----Original Message-----
From: Nathan Casey [mailto:NCASEY@xxxxxxxxxxxxxxxxx] 
Sent: Thursday, July 01, 2004 4:23 PM
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: Server publishing


http://www.ISAserver.org 

One of the main confusions for the whole server publishing thing for me
is the fact that our external webservers are in a PIX DMZ with their own
Extranet Active Directory. There is no, and never will be, a trust
between our production domain and our DMZ domain. The ISA server is on
the edge of the production domain (PIX DMZ). How can I allow access from
external users via the internet to the internal SQL server apps with
either SQL authentication or Domain authentication? Your advice is
definitely appreciated.
Thank you 
Nathan


>>> josephk@xxxxxxxxx 7/1/2004 3:57:05 PM >>>
http://www.ISAserver.org 

Hi there,
SQL has merge replication that might work for your application.
Besides, when designing an application as a developer you need to:

1. Make sure before the submit button is selected that all possible
   values are edited from the client side, to save the round trip to
   the server.
2. Make sure that if your Db field size is 20 you're not trying to
   stuff 30 into it. You need this for every field, editing that is.
3. Make sure that all entries are using URL encoding.
4. If anyone is still using dynamic SQL, make sure that you only allow
   your SQL statement to be sent to the server.

I also see that you're still on the question of publishing your SQL box.
Exactly what is it that you're not getting? If you publish the way that
I sent the last time, you won't have any issues and your security guy
just might buy you some flowers.

Thank you,

Joseph
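Point 4 of the list above (dynamic SQL) and point 2 (field size), shown side by side in T-SQL. This is an added example, not code from the thread or from any of the posters; the table dbo.Customers(CustomerId INT, Name VARCHAR(20)) and the procedure names are placeholders. The hardened form applies the length check on the server as well, which is the check a practitioner wants because the client-side edit in point 1 can be skipped by anyone who does not use the browser form.

```sql
-- Added example (not from the thread). Placeholder table:
--   dbo.Customers(CustomerId INT, Name VARCHAR(20))

-- Pattern to retire: the caller's text is spliced into the statement, so
-- whatever the request body contains is parsed by the server as SQL.
CREATE PROCEDURE dbo.usp_FindCustomer_Dynamic
    @Name VARCHAR(200)
AS
BEGIN
    DECLARE @sql NVARCHAR(500);
    SET @sql = N'SELECT CustomerId, Name FROM dbo.Customers WHERE Name = '''
             + @Name + N'''';
    EXEC (@sql);
END;
GO

-- Hardened form: the statement text is a constant and only that statement
-- is ever sent to the engine; the value travels as a typed parameter
-- through sp_executesql and is never parsed as SQL. The length check
-- mirrors the column width (field size 20) so an oversized value is
-- refused instead of silently truncated, whether or not the client-side
-- edit ran.
CREATE PROCEDURE dbo.usp_FindCustomer
    @Name VARCHAR(200)
AS
BEGIN
    SET NOCOUNT ON;
    IF @Name IS NULL OR LEN(@Name) = 0 OR LEN(@Name) > 20
    BEGIN
        RAISERROR('Name must be between 1 and 20 characters.', 16, 1);
        RETURN;
    END;

    DECLARE @sql NVARCHAR(500);
    SET @sql = N'SELECT CustomerId, Name FROM dbo.Customers WHERE Name = @n';
    EXEC sp_executesql @sql, N'@n VARCHAR(20)', @n = @Name;
END;
GO

-- A name containing a quote is compared as data, not interpreted as syntax.
EXEC dbo.usp_FindCustomer @Name = 'O''Brien';
GO
-- A 30-character value is refused by the length check before any statement
-- reaches the engine.
EXEC dbo.usp_FindCustomer @Name = REPLICATE('x', 30);
GO
```

The same split applies to the web tier: an ADODB or ADO.NET command with a fixed command text and a parameters collection is the client-side equivalent of sp_executesql, and the field-length check belongs in both places.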



-----Original Message-----
From: Nathan Casey [mailto:NCASEY@xxxxxxxxxxxxxxxxx] 
Sent: Thursday, July 01, 2004 3:13 PM
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: Server publishing


http://www.ISAserver.org 

Very good suggestion, but the users that access the internet application
make changes that would need to be replicated back to the internal SQL
server. The one-way transactional replication scenario would not work
for this app.

>>> thor@xxxxxxxxxxxxxxx 7/1/2004 12:45:24 PM >>>
http://www.ISAserver.org 

To add to the previous (and excellent) points of Shawn and The Good
Doctor, I would *highly* recommend considering populating the DMZ with
its own SQL server (with proper licensing, of course.)

Any leveraging of SQL injection-type attacks would afford an attacker the
luxury of executing code on a box within your internal network. Further,
from an authentication standpoint, I would imagine that your internal SQL
box (assuming MS SQL) would have to be configured to accept Mixed-mode
authentication (with the ADODB connection strings containing user
credentials) -- a far weaker authentication model than NT-based
authentication -- that or (heaven forbid) you've got shared domain
membership between the DMZ web server's IUSR account and the internal
SQL box to accommodate authentication of the web application's requests
for data. In either case, a compromise of the web server would give an
attacker credentials that could be used on your internal network, as
well as a direct path (1433) into your network.

A DMZ-based SQL box could be locked down, and the internal box could
utilize one-way transactional replication to the DMZ. In this model,
there is no static port open to the internal network, there are no
shared credentials (the internal box's replication push would use creds
on the DMZ box and not the other way around) and any compromise would
leave the attacker in the DMZ. Further, the available data on the DMZ
box would be limited to that required by the application. My bet is that
your internal SQL box has data above and beyond that required by the web
app.

Just a thought.

t

----- Original Message ----- 
From: "Thomas W Shinder" <tshinder@xxxxxxxxxxx>
To: "[ISAserver.org Discussion List]"
<isalist@xxxxxxxxxxxxx>
Sent: Thursday, July 01, 2004 12:24 PM
Subject: [isalist] RE: Server publishing


http://www.ISAserver.org 

Hi Shawn,

Good point. With the SQL publishing scenario, the ISA firewall isn't
providing any security (just like the PIX).

However, if there are services behind the ISA firewall that are exposed
to app layer filtering, I'd keep the dual-homed ISA box where it is.

Tom
www.isaserver.org/shinder 
Get the book!
Tom and Deb Shinder's Configuring ISA Server 2004
http://tinyurl.com/3xqb7 
MVP -- ISA Firewalls



-----Original Message-----
From: Quillman Shawn (RBNA/CSA1) * [mailto:Shawn.Quillman@xxxxxxxxxxxx] 
Sent: Thursday, July 01, 2004 2:11 PM
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: Server publishing


http://www.ISAserver.org 


Yes. The only time you can have 1 adapter is when ISA is in cache-only
mode, in which situation you can only web publish. The config you show
doesn't really make sense; the ISA would be redundant. You would just
publish the SQL server via the internal PIX. What is it you're trying to
accomplish with the ISA?

-Shawn


-----
Shawn R. Quillman
Robert Bosch Corporation RBNA/CSA1
38000 Hills Tech Drive
Farmington Hills, MI 48331
(248) 553-1164 (P) (248) 848-6969 (F) shawn.quillman@xxxxxxxxxxxx 

-----Original Message-----
From: nathan [mailto:ncasey@xxxxxxxxxxxxxxxxx] 
Sent: Thursday, July 01, 2004 3:40 PM
To: [ISAserver.org Discussion List]
Subject: [isalist] Server publishing

http://www.ISAserver.org 

With server publishing, if I publish a SQL server that sits on the
internal network, does my ISA server need 2 adapters? The SQL server is
acting as a back-end database server for a Web site which is hosted on a
web server in a PIX DMZ.
If I do need 2 adapters for server publishing, can they both reside in
PIX DMZs? My network security guy wants all incoming traffic to go
through the PIX firewall.

Internet Router
   (Public IP)
|
|
PIX FIREWALL
|
|
  Web server
|
|
PIX FIREWALL
*internal Network*
|
|
ISA SERVER
|
|
SQL SERVER

------------------------------------------------------
List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist
ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ
------------------------------------------------------
Other Internet Software Marketing Sites:
World of Windows Networking: http://www.windowsnetworking.com
Leading Network Software Directory: http://www.serverfiles.com
No.1 Exchange Server Resource Site: http://www.msexchange.org
Windows Security Resource Site: http://www.windowsecurity.com/
Network Security Library: http://www.secinf.net/
Windows 2000/NT Fax Solutions: http://www.ntfaxfaq.com
------------------------------------------------------
You are currently subscribed to this ISAserver.org Discussion List as:
shawn.quillman@xxxxxxxxxxxx
To unsubscribe visit http://www.webelists.com/cgi/lyris.pl?enter=isalist

