I understand. Then, even with back-to-back firewalls, it would be wise to put the OWA Front End server on the internal network, and publish it on the internal firewall.

----- Original Message -----
From: "Jim Harrison" <jim@xxxxxxxxxxxx>
To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
Sent: Friday, August 10, 2001 1:53 PM
Subject: [isalist] Re: DNS Subnet question with DMZ

> http://www.ISAserver.org
>
> There is always a choice. If you choose to place E2K in the DMZ, then you
> also choose to open the DMZ to the LAT for AD communications. It's all
> about choices and the risks you're willing to accept.
>
> Jim Harrison
> MCP(2K), A+, Network+, PCG
>
> ----- Original Message -----
> From: "Jay" <jschwarzkopf@xxxxxxxxxx>
> To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
> Sent: Friday, August 10, 2001 10:05
> Subject: [isalist] Re: DNS Subnet question with DMZ
>
> Of course, with E2k you have no choice.
>
> ----- Original Message -----
> From: "Jim Harrison" <jim@xxxxxxxxxxxx>
> To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
> Sent: Friday, August 10, 2001 12:03 PM
> Subject: [isalist] Re: DNS Subnet question with DMZ
>
> > That server would provide an open path to the LAT through the VPN
> > connection.
> > All deployment is based on risk assessment. Only you can determine if the
> > dangers of a given setup are outweighed by the benefits. Generally, only
> > those protocols that need to pass between DMZ and LAT should be allowed.
> > Allowing AD traffic to the DMZ is dangerous, regardless of how you allow it.
> >
> > Jim Harrison
> > MCP(2K), A+, Network+, PCG
> >
> > ----- Original Message -----
> > From: "Jay" <jschwarzkopf@xxxxxxxxxx>
> > To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
> > Sent: Friday, August 10, 2001 7:49 AM
> > Subject: [isalist] Re: DNS Subnet question with DMZ
> >
> > Okay.
> >
> > What about server in perimeter network of back-to-back (using different
> > firewalls), with VPN connection into internal ISA firewall? Is that anymore
> > a security concern than published ports?
> >
> > ----- Original Message -----
> > From: Jim Harrison
> > To: [ISAserver.org Discussion List]
> > Sent: Friday, August 10, 2001 10:27 AM
> > Subject: [isalist] Re: DNS Subnet question with DMZ
> >
> > A DMZ provides isolation of your trusted network from your
> > "publicly-available" servers. Some like to think of the DMZ as the
> > "sacrificial lamb", and to a degree it is. The general idea is that if
> > someone wants to trash something, let it be in the DMZ. By the same token,
> > if someone were to trash your DMZ server, they still don't have direct
> > access to the trusted LAN.
> >
> > Jim Harrison
> > MCP(2K), A+, Network+, PCG
> >
> > ----- Original Message -----
> > From: Jay
> > To: [ISAserver.org Discussion List]
> > Sent: Friday, August 10, 2001 7:18 AM
> > Subject: [isalist] Re: DNS Subnet question with DMZ
> >
> > Is there a benefit of putting E2k (or any server) on DMZ, over just
> > publishing it from internal net?
> >
> > ----- Original Message -----
> > From: Jim Harrison
> > To: [ISAserver.org Discussion List]
> > Sent: Friday, August 10, 2001 9:38 AM
> > Subject: [isalist] Re: DNS Subnet question with DMZ
> >
> > Unfortunately, the best you can do for the DMZ server is a single IP
> > with the set you're given.
> > Since the DMZ in a three-homed ISA is a subnet of the external
> > subnet, you have to use a /30 mask for the DMZ, giving you only 2 usable
> > IPs; one for the ISA DMZ NIC and one left for a server.
> > Is the Exchange server an E2K variation? If so, placing it in the DMZ
> > is more trouble than it's worth, given the issues related to AD membership
> > across a firewall.
> >
> > Jim Harrison
> > MCP(2K), A+, Network+, PCG
> >
> > ----- Original Message -----
> > From: cismic
> > To: [ISAserver.org Discussion List]
> > Sent: Thursday, August 09, 2001 9:51 PM
> > Subject: [isalist] DNS Subnet question with DMZ
> >
> > I also posted this to the message boards. Sorry for the duplication.
> > Just thought I'd see if anyone was online tonight with some ideas.
> >
> > J
> >
> > Hello,
> >
> > I'm using 10.0.0.1 for illustration:
> >
> > I have 10.0.0.1/29 (8 IPs, 32 per C)
> > as my IP address. IPs .1 and .8 are being used by my ISP. .7 is
> > assigned to my CISCO 776M ISDN router.
> >
> > That leaves me with 5 IP addresses to use.
> > .2, .3, .4, .5, .6
> > EXT NIC 1. = .2
> > DMZ NIC 1. = .3
> > DMZ servers would be .4, .5, .6
> >
> > If I split those into something like the following
> > .4 sql
> > .5 web
> > .6 DNS
> > I run out of addresses and won't be able to place my Exchange server
> > in the DMZ.
> >
> > and Internal NIC private could be 10.0.1.0
> >
> > Is there another method that will work just as well so I can publish
> > my Exchange server?
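
The subnet arithmetic discussed in the thread (a /29 external block with a /30 DMZ carved out of it), worked through as an added example that is not part of the original messages. It assumes the poster's illustrative /29 is the aligned block 10.0.0.0/29; the function names are hypothetical.

```python
import ipaddress

# Assumption: the poster's illustrative /29, taken as the aligned block 10.0.0.0/29.
EXTERNAL_BLOCK = "10.0.0.0/29"
# Addresses the original post planned for the DMZ: the DMZ NIC plus three servers.
PLANNED_DMZ = ["10.0.0.3", "10.0.0.4", "10.0.0.5", "10.0.0.6"]


def dmz_candidates(external_block, max_prefix=30):
    """Map every proper subnet of the block (down to /30) to its usable hosts."""
    block = ipaddress.ip_network(external_block)
    candidates = {}
    for prefix in range(block.prefixlen + 1, max_prefix + 1):
        for sub in block.subnets(new_prefix=prefix):
            # hosts() excludes the network and broadcast addresses.
            candidates[str(sub)] = [str(h) for h in sub.hosts()]
    return candidates


def plan_fits(external_block, planned):
    """Return the candidate subnets in which every planned address is a usable host."""
    wanted = set(planned)
    return [
        subnet
        for subnet, hosts in dmz_candidates(external_block).items()
        if wanted <= set(hosts)
    ]


def servers_available(subnet):
    """Usable hosts left for servers once the firewall's DMZ NIC takes one."""
    usable = len(list(ipaddress.ip_network(subnet).hosts()))
    return max(usable - 1, 0)


if __name__ == "__main__":
    for subnet, hosts in dmz_candidates(EXTERNAL_BLOCK).items():
        print(f"{subnet}: usable {hosts}, servers after DMZ NIC: {servers_available(subnet)}")
    print("Subnets that hold the planned DMZ layout:", plan_fits(EXTERNAL_BLOCK, PLANNED_DMZ))
```

The planned layout of .3 through .6 straddles both /30 halves of the /29, so no valid DMZ subnet contains it, while a pair such as .5 and .6 fits 10.0.0.4/30 and leaves room for one server.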