DMZ packet filtering

  • From: Joe DeNave <joe@xxxxxxxxxxxxxxx>
  • To: "'isalist@xxxxxxxxxxxxx'" <isalist@xxxxxxxxxxxxx>
  • Date: Thu, 1 Nov 2001 13:20:03 -0500

Hello all!  I have almost nearly finished deploying ISA here at work.  The
last step is to get all the web servers working properly in the DMZ.  I have
set the perimeter up as a tri-homed DMZ because it presents the least amount
of trouble from a DNS name resolution perspective.  As I understand it, you
need to use packet filters to allow the internal SQL servers to talk to the
IIS servers in the DMZ.  The internal network is 192.168.xxx.xxx.  The
external NIC on ISA is XXX.XXX.77.XXX and the DMZ NIC is XXX.XXX.73.XXX.
What I have been wrestling with is how to create the packet filters to allow
the internal SQL servers (3 individual and 1 SQL cluster) to communicate
with the DMZ IIS servers (4 web servers and 1 "web cluster").  I have
researched this on the message board, through the archives of this mailing
list, and I have also read Tom's book.  Everything else with ISA has gone as
smooth as gravel (show me a tight firewall that is easy to configure, I dare
you LOL), but once I figured out what I was doing wrong I managed to get it
working.  This one has me a little stumped though.  I know the ports I need
to give access to are 1063, 1078, 1433, and 1434.  What I don't know is how
to set up the custom filter.  The protocol is TCP, but here is where the
confusion starts.  Should the direction be both or just outbound?  I know
that ISA will open up a port for the returning information, but does this
affect the setting under the custom packet filtering?  For the local port
setting I don't know if I should set up the specific port I need or just use
the dynamic setting.  On the remote port setting I am also unsure of what to
set.  The next screen also presents me with issues.  For this specific
scenario, do I set these filters for ISA's DMZ interface or for the specific
IP addresses of the IIS servers residing in the DMZ?

Thanks for any and all help in this matter!!


Cleverly disguised as a responsible adult. 

Joe DeNave
Network Administrator
jdenave@xxxxxxxxxxxxxxx 
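The post above asks how direction, local port and remote port interact once a stateful firewall tracks return traffic.  The following Python model is an added example, not code from the poster or from ISA Server; it is a simplified stateful packet filter, not a description of how ISA implements its own filters.  It assumes that direction is judged at the DMZ interface ("inbound" = arriving from the DMZ, "outbound" = leaving toward the DMZ), that "local" means the internal side, that a port of None stands for the dynamic/any setting, and that the DMZ web server is the TCP client connecting to SQL on port 1433 (port number taken from the post; addresses are constructed, with 198.51.100.0/24 being a documentation range).

```python
from dataclasses import dataclass
from typing import Iterable, Optional, Set, Tuple


@dataclass(frozen=True)
class Rule:
    """One packet-filter entry in this model (assumption: not ISA's schema).
    direction: 'inbound' (from DMZ) or 'outbound' (toward DMZ), judged at
    the DMZ interface.  local_port is the internal-side port, remote_port
    the DMZ-side port; None stands for the dynamic/any setting."""
    proto: str
    direction: str
    local_port: Optional[int]
    remote_port: Optional[int]


@dataclass(frozen=True)
class Packet:
    proto: str
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    direction: str  # 'inbound' or 'outbound', as above


class StatefulFilter:
    """Allows a packet if it is the reverse of an already-accepted flow
    (the 'port opened for the returning information'), otherwise only if
    an explicit rule matches; a rule match records the flow."""

    def __init__(self, rules: Iterable[Rule]) -> None:
        self.rules = list(rules)
        self.flows: Set[Tuple[str, str, int, str, int]] = set()

    def _matches(self, rule: Rule, pkt: Packet) -> bool:
        if rule.proto != pkt.proto or rule.direction != pkt.direction:
            return False
        # The internal side is 'local' regardless of packet direction.
        if pkt.direction == "inbound":
            local, remote = pkt.dst_port, pkt.src_port
        else:
            local, remote = pkt.src_port, pkt.dst_port
        return rule.local_port in (None, local) and rule.remote_port in (None, remote)

    def allow(self, pkt: Packet) -> bool:
        reverse = (pkt.proto, pkt.dst_ip, pkt.dst_port, pkt.src_ip, pkt.src_port)
        if reverse in self.flows:
            return True  # reply to a connection we already admitted
        for rule in self.rules:
            if self._matches(rule, pkt):
                self.flows.add((pkt.proto, pkt.src_ip, pkt.src_port,
                                pkt.dst_ip, pkt.dst_port))
                return True
        return False


# Constructed addresses for the scenario (not from the post).
SQL_INTERNAL = "192.168.0.10"
IIS_DMZ = "198.51.100.20"


def sql_from_dmz_scenario() -> dict:
    """One inbound rule: fixed local port 1433, dynamic remote port.
    Shows that a single-direction rule is enough for the reply, while
    unsolicited traffic in either direction stays blocked."""
    fw = StatefulFilter([Rule("TCP", "inbound", 1433, None)])
    request = Packet("TCP", IIS_DMZ, 3250, SQL_INTERNAL, 1433, "inbound")
    reply = Packet("TCP", SQL_INTERNAL, 1433, IIS_DMZ, 3250, "outbound")
    # Outbound packet with no prior request: no flow state, no outbound rule.
    unsolicited = Packet("TCP", SQL_INTERNAL, 1433, IIS_DMZ, 4000, "outbound")
    # Inbound to a port the rule does not cover.
    other_port = Packet("TCP", IIS_DMZ, 3251, SQL_INTERNAL, 1434, "inbound")
    return {
        "request": fw.allow(request),
        "reply": fw.allow(reply),
        "unsolicited": fw.allow(unsolicited),
        "other_port": fw.allow(other_port),
    }


if __name__ == "__main__":
    for name, verdict in sql_from_dmz_scenario().items():
        print(f"{name}: {'allowed' if verdict else 'blocked'}")
```

The model makes the trade-off visible: pinning the server-side port to 1433 and leaving the client-side port dynamic admits exactly the flows the application needs, and the reply is covered by connection state rather than by a second "outbound" rule.  A rule set to "both" directions with dynamic ports on each side would also carry the traffic, but it would admit unsolicited connections from the DMZ toward the internal network as well, which is the exposure a DMZ is meant to contain.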
