Re: DHCP and web server in a DMZ or should we publish from the private network

  • From: "Jim Harrison" <jim@xxxxxxxxxxxx>
  • To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
  • Date: Sun, 30 Dec 2001 08:02:35 -0800

Are you saying that "public" users will be in the DMZ?  That's the only way
DHCP discover will get to a DMZ-based DHCP server; ISA doesn't pass
broadcast traffic at all.
Bear in mind that any client using the DMZ as their connection point will
_not_ be able to make use of the ISA web proxy; only packet filters function
there.
Generally speaking, if you want to separate "public" and "private" subnets
and still maintain continuity of ISA usage, you have to give ISA two
internal interfaces, one in each subnet, and make sure no client (except as
you designate) is a SecureNAT client.

HTH,
Jim Harrison
MCP(NT4, W2K), A+, Network+, PCG
http://isaserver.org/authors/harrison/
Read the book!

----- Original Message -----
From: "Brian Harris" <bharris@xxxxxxxxxxxxxx>
To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
Sent: Saturday, December 29, 2001 21:42
Subject: [isalist] Re: DHCP and web server in a DMZ or should we publish
from the private network


http://www.ISAserver.org


Hi Jim,

I have 35 clients in the private LAN for the Exchange server; this is
already published and no problems.  The web server will be available to
1000's via the net and up to a 100 via the wireless technology whilst
visitors are in the park.

The goal is to have one web server delivering content to all users, i.e.
public via the net, public via wireless and internal users.

The wireless technology has been broken into two frequencies, one for
public and one for the private LAN.  Hence the need to separate IP
ranges for public and private...  Maybe I'm looking too deep.

It's a great project but I don't want security to be the killer!!!

Thanks

Brian Harris

>>> jim@xxxxxxxxxxxx 12/30/01 15:02 PM >>>

You need to step back a second and decide on your security model.

1. DHCP in the DMZ is a randomizing thought; ditch it.
2. separate subnets for only two servers is over-designing

How many clients (internal and external) are you serving with the web
and Exchange servers?

Jim Harrison
MCP(NT4, W2K), A+, Network+, PCG
http://isaserver.org/authors/harrison/
Read the book!

----- Original Message -----
From: "Brian Harris" <bharris@xxxxxxxxxxxxxx>
To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
Sent: Saturday, December 29, 2001 16:47
Subject: [isalist] Re: DHCP and web server in a DMZ or should we publish
from the private network



Thanks Jim,

Just as a compromise, how does this sound.

Publish the web server in the normal fashion on the private side.

Place a DHCP server in the DMZ to allow IP addresses to be available to
the public...But do the IPs in a DMZ have to be public? I seem to
remember some notes on this isaserver.org saying due to packet filtering
only available to the DMZ don't use a private subnet???

I can't see the wood for the trees on this one!!

I'm now considering setting up two sites in Active Directory and placing
the web server in one subnet and the private network in another.  So NAT
from the external IP to two different internal NICs on two subnets...

I have two servers to publish: Exchange 2000 and WWW Server. So one in
each subnet...

Thanks

Brian Harris


>>> jim@xxxxxxxxxxxx 12/29/01 01:12 AM >>>

That depends on whether you're more concerned with:
1. the web server - keeping safe and secure is best served with web
   publishing a private-side host
2. the private LAN - keeping it safe is best served by DMZ hosting the
   web server.

HTH,
Jim Harrison
MCP(NT4, W2K), A+, Network+, PCG
http://isaserver.org/authors/harrison/
Read the book!

----- Original Message -----
From: "Brian Harris" <bharris@xxxxxxxxxxxxxx>
To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
Sent: Thursday, December 27, 2001 20:14
Subject: [isalist] DHCP and web server in a DMZ or should we publish
from the private network



Hi,

I have a topic that I need some advice on.  I have a site (park) that is
open to the general public and they will be able to roam around the site
using wireless technology to log on to the proposed DMZ and will be
issued with an IP via DHCP and then as they move from one area to another
they will have different information available from a web server in the
DMZ.

The wireless side is fine but I'm struggling on whether I need to set
the web server up in a DMZ or publish it from the private network.  My
security experience is smacking me in the face and saying no to the
private side publishing....!!!  As users will have valid private IP
addresses.

Has anyone done any work on this area?

Thanks in advance and this site is great!!!

Regards

Brian Harris


------------------------------------------------------
You are currently subscribed to this ISAserver.org Discussion List as:
jim@xxxxxxxxxxxx
To unsubscribe send a blank email to $subst('Email.Unsub')