Re: DNS Subnet question with DMZ

  • From: "Jay" <jschwarzkopf@xxxxxxxxxx>
  • To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
  • Date: Fri, 10 Aug 2001 14:30:35 -0400

I understand.

Then, even with back-to-back firewalls, it would be wise to put the OWA
Front End server on the internal network, and publish it on the internal
firewall.


----- Original Message -----
From: "Jim Harrison" <jim@xxxxxxxxxxxx>
To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
Sent: Friday, August 10, 2001 1:53 PM
Subject: [isalist] Re: DNS Subnet question with DMZ


> http://www.ISAserver.org
>
>
> There is always a choice.  If you choose to place E2K in the DMZ, then you
> also choose to open the DMZ to the LAT for AD communications.  It's all
> about choices and the risks you're willing to accept.
>
> Jim Harrison
> MCP(2K), A+, Network+, PCG
>
>
> ----- Original Message -----
> From: "Jay" <jschwarzkopf@xxxxxxxxxx>
> To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
> Sent: Friday, August 10, 2001 10:05
> Subject: [isalist] Re: DNS Subnet question with DMZ
>
> Of course, with E2k you have no choice.
>
> ----- Original Message -----
> From: "Jim Harrison" <jim@xxxxxxxxxxxx>
> To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
> Sent: Friday, August 10, 2001 12:03 PM
> Subject: [isalist] Re: DNS Subnet question with DMZ
>
> > That server would provide an open path to the LAT through the VPN
> > connection.
> > All deployment is based on risk assessment.  Only you can determine if the
> > dangers of a given setup are outweighed by the benefits.  Generally, only
> > those protocols that need to pass between DMZ and LAT should be allowed.
> > Allowing AD traffic to the DMZ is dangerous, regardless of how you allow
> > it.
> >
> > Jim Harrison
> > MCP(2K), A+, Network+, PCG
> >
> > ----- Original Message -----
> > From: "Jay" <jschwarzkopf@xxxxxxxxxx>
> > To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
> > Sent: Friday, August 10, 2001 7:49 AM
> > Subject: [isalist] Re: DNS Subnet question with DMZ
> >
> > Okay.
> >
> > What about server in perimeter network of back-to-back (using different
> > firewalls), with VPN connection into internal ISA firewall? Is that any more
> > a security concern than published ports?
> >
> >
> > ----- Original Message -----
> >   From: Jim Harrison
> >   To: [ISAserver.org Discussion List]
> >   Sent: Friday, August 10, 2001 10:27 AM
> >   Subject: [isalist] Re: DNS Subnet question with DMZ
> >
> >   A DMZ provides isolation of your trusted network from your
> >   "publicly-available" servers.  Some like to think of the DMZ as the
> >   "sacrificial lamb", and to a degree it is.  The general idea is that if
> >   someone wants to trash something, let it be in the DMZ.  By the same token,
> >   if someone were to trash your DMZ server, they still don't have direct
> >   access to the trusted LAN.
> >
> >   Jim Harrison
> >   MCP(2K), A+, Network+, PCG
> >
> >     ----- Original Message -----
> >     From: Jay
> >     To: [ISAserver.org Discussion List]
> >     Sent: Friday, August 10, 2001 7:18 AM
> >     Subject: [isalist] Re: DNS Subnet question with DMZ
> >
> >     Is there a benefit of putting E2k (or any server) on DMZ, over just
> >     publishing it from internal net?
> >
> >
> >
> >       ----- Original Message -----
> >       From: Jim Harrison
> >       To: [ISAserver.org Discussion List]
> >       Sent: Friday, August 10, 2001 9:38 AM
> >       Subject: [isalist] Re: DNS Subnet question with DMZ
> >
> >       Unfortunately, the best you can do for the DMZ server is a single IP
> >       with the set you're given.
> >       Since the DMZ in a three-homed ISA is a subnet of the external
> >       subnet, you have to use a /30 mask for the DMZ, giving you only 2 usable
> >       IPs; one for the ISA DMZ NIC and one left for a server.
> >       Is the Exchange server an E2K variation?  If so, placing it in the DMZ
> >       is more trouble than it's worth, given the issues related to AD membership
> >       across a firewall.
> >
> >       Jim Harrison
> >       MCP(2K), A+, Network+, PCG
> >
> >         ----- Original Message -----
> >         From: cismic
> >         To: [ISAserver.org Discussion List]
> >         Sent: Thursday, August 09, 2001 9:51 PM
> >         Subject: [isalist] DNS Subnet question with DMZ
> >
> >         I also posted this to the message boards. Sorry for the duplication.
> >         Just thought I'd see if anyone was online tonight with some ideas.
> >
> >         J
> >
> >
> >
> >         Hello,
> >
> >
> >
> >         I'm using 10.0.0.1 for illustration:
> >
> >
> >
> >         I have 10.0.0.1/29 (8 IPs, 32 per C)
> >
> >         as my IP address. IPs .1 and .8 are being used by my ISP.  .7 is
> >         assigned to my CISCO 776M ISDN router.
> >
> >
> >
> >         That leaves me with 5 IP addresses to use.
> >
> >         .2, .3, .4, .5, .6
> >
> >         EXT NIC 1. = .2
> >
> >         DMZ NIC 1. = .3
> >
> >         DMZ servers would be .4, .5, .6
> >
> >
> >
> >         If I split those into something like the following
> >
> >         .4 sql
> >
> >         .5 web
> >
> >         .6 DNS
> >
> >         I run out of addresses and won't be able to place my exchange server
> >         in the dmz.
> >
> >
> >
> >         and Internal NIC private could be 10.0.1.0
> >
> >
> >
> >         Is there another method that will work just as well so I can publish
> >         my Exchange server?
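The /30 carve-out described in the quoted thread (a three-homed DMZ taken as a subnet of the external block, leaving one address for the firewall's DMZ NIC and one for a server), worked through as an added example that is not part of the original thread or any participant's message. The function name `dmz_plans`, the documentation block 192.0.2.8/29 and the in-use addresses are constructed for illustration and are not the poster's addresses.

```python
import ipaddress


def dmz_plans(external_block, in_use, dmz_prefix=30):
    """List sub-blocks of the external block that could serve as the DMZ.

    A sub-block qualifies only if none of its addresses is already claimed.
    The first usable host goes to the firewall's DMZ NIC; whatever usable
    hosts remain are all that is left for published servers.
    """
    block = ipaddress.ip_network(external_block, strict=True)
    claimed = {ipaddress.ip_address(a) for a in in_use}
    plans = []
    for sub in block.subnets(new_prefix=dmz_prefix):
        if any(addr in sub for addr in claimed):
            continue  # overlaps the router or the external NIC
        hosts = list(sub.hosts())  # excludes network and broadcast addresses
        plans.append({
            "dmz": str(sub),
            "mask": str(sub.netmask),
            "dmz_nic": str(hosts[0]),
            "servers": [str(h) for h in hosts[1:]],
        })
    return plans


# Constructed sample input (RFC 5737 documentation range).
EXTERNAL = "192.0.2.8/29"
IN_USE = [
    "192.0.2.9",   # upstream router (assumed)
    "192.0.2.10",  # firewall external NIC (assumed)
]

if __name__ == "__main__":
    for plan in dmz_plans(EXTERNAL, IN_USE):
        print(plan)
```

With a /29 there are only two /30 halves, and the one holding the router and external NIC is unavailable, so exactly one server address remains for the DMZ.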


