You need to step back a second and decide on your security model.

1. DHCP in the DMZ is a randomizing thought; ditch it.
2. Separate subnets for only two servers is over-designing.

How many clients (internal and external) are you serving with the web and Exchange servers?

Jim Harrison
MCP(NT4, W2K), A+, Network+, PCG
http://isaserver.org/authors/harrison/
Read the book!

----- Original Message -----
From: "Brian Harris" <bharris@xxxxxxxxxxxxxx>
To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
Sent: Saturday, December 29, 2001 16:47
Subject: [isalist] Re: DHCP and web server in a DMZ or should we publish from the private network

http://www.ISAserver.org

Thanks Jim,

Just as a compromise, how does this sound. Publish the web server in the normal fashion on the private side. Place a DHCP server in the DMZ to allow IP addresses to be available to the public... But do the IPs in a DMZ have to be public, I seem to remember some notes on this isaserver.org saying due to packet filtering only available to the DMZ don't use a private subnet???

I can't see the wood for the trees on this one!!

I'm now considering setting up two sites in Active Directory and placing the web server in one subnet and the private network in another. So NAT from the external IP to two different internal NICs on two subnets... I have two servers to publish: Exchange 2000 and WWW Server. So one in each subnet...

Thanks
Brian Harris

>>> jim@xxxxxxxxxxxx 12/29/01 01:12 AM >>>

That depends on whether you're more concerned with:

1. the web server - keeping safe and secure is best served with web publishing a private-side host
2. the private LAN - keeping it safe is best served by DMZ hosting the web server.

HTH,
Jim Harrison
MCP(NT4, W2K), A+, Network+, PCG
http://isaserver.org/authors/harrison/
Read the book!

----- Original Message -----
From: "Brian Harris" <bharris@xxxxxxxxxxxxxx>
To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
Sent: Thursday, December 27, 2001 20:14
Subject: [isalist] DHCP and web server in a DMZ or should we publish from the private network

Hi,

I have a topic that I need some advice on. I have a site (park) that is open to the general public and they will be able to roam around the site using wireless technology to log on to the proposed DMZ and will be issued with an IP via DHCP and then as they move from one area to another they will have different information available from a web server in the DMZ.

The wireless side is fine but I'm struggling on whether I need to set the web server up in a DMZ or publish it from the private network. My security experience is smacking me in the face and saying no to the private side publishing....!!! As users will have valid private IP address.

Has anyone done any work on this area?

Thanks in advance and this site is great!!!

Regards
Brian Harris

------------------------------------------------------
You are currently subscribed to this ISAserver.org Discussion List as: jim@xxxxxxxxxxxx
To unsubscribe send a blank email to $subst('Email.Unsub')