Re: DNS Subnet question with DMZ
- From: "cismic" <cismic@xxxxxxx>
- To: "'[ISAserver.org Discussion List]'" <isalist@xxxxxxxxxxxxx>
- Date: Fri, 10 Aug 2001 14:20:51 -0700
If private IP address were then used in the DMZ and you are running
primary DNS. Would your ISA machine have to have the IP address that
you registered with a firm such as Network solutions as in
NS1.SOMESERVER.COM/.ORG ETC?
I'm guessing that would be the only way for it to find your translated
zones.
Thank you to everyone for the valuable insight and information!
Joseph
-----Original Message-----
From: Jim Harrison [mailto:jim@xxxxxxxxxxxx]
Sent: Friday, August 10, 2001 1:25 PM
To: [ISAserver.org Discussion List]
Subject: [isalist] Re: DNS Subnet question with DMZ
http://www.ISAserver.org
It wouldn't; I was reading the email you hadn't written yet ... :-\
Jim Harrison
MCP(2K), A+, Network+, PCG
----- Original Message -----
From: "Jay" <jschwarzkopf@xxxxxxxxxx>
To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
Sent: Friday, August 10, 2001 12:02 PM
Subject: [isalist] Re: DNS Subnet question with DMZ
http://www.ISAserver.org
How would SMTP relay help with OWA?
----- Original Message -----
From: "Jim Harrison" <jim@xxxxxxxxxxxx>
To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
Sent: Friday, August 10, 2001 2:45 PM
Subject: [isalist] Re: DNS Subnet question with DMZ
> http://www.ISAserver.org
>
>
> True; or as Tom suggested, use an SMTP relay in the DMZ.
>
> Jim Harrison
> MCP(2K), A+, Network+, PCG
>
> ----- Original Message -----
> From: "Jay" <jschwarzkopf@xxxxxxxxxx>
> To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
> Sent: Friday, August 10, 2001 11:30 AM
> Subject: [isalist] Re: DNS Subnet question with DMZ
>
>
> http://www.ISAserver.org
>
>
> I understand.
>
> Then, even with back-to-back firewalls, it would be wise to put the
OWA
> Front End server on the internal network, and publish it on the
internal
> firewall.
>
>
> ----- Original Message -----
> From: "Jim Harrison" <jim@xxxxxxxxxxxx>
> To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
> Sent: Friday, August 10, 2001 1:53 PM
> Subject: [isalist] Re: DNS Subnet question with DMZ
>
>
> > http://www.ISAserver.org
> >
> >
> > There is always a choice. If you choose to place E2K in the DMZ,
then
you
> > also choose to open the DMZ to the LAT for AD communications. It's
all
> > about choices and the risks. you're willing to accept.
> >
> > Jim Harrison
> > MCP(2K), A+, Network+, PCG
> >
> >
> > ----- Original Message -----
> > From: "Jay" <jschwarzkopf@xxxxxxxxxx>
> > To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
> > Sent: Friday, August 10, 2001 10:05
> > Subject: [isalist] Re: DNS Subnet question with DMZ
> >
> >
> > http://www.ISAserver.org
> >
> >
> > Of course, with E2k you have no choice.
> >
> > ----- Original Message -----
> > From: "Jim Harrison" <jim@xxxxxxxxxxxx>
> > To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
> > Sent: Friday, August 10, 2001 12:03 PM
> > Subject: [isalist] Re: DNS Subnet question with DMZ
> >
> >
> > > http://www.ISAserver.org
> > >
> > >
> > > That server would provide an open path to the LAT through the VPN
> > > connection.
> > > All deployment is based on risk assessment. Only you can
determine if
> the
> > > dangers of a given setup are outweighed by the benefits.
Generally,
> only
> > > those protocols that need to pass between DMZ and LAT should be
allowed.
> > > Allowing AD traffic to the DMZ is dangerous, regardless of how you
allow
> > it.
> > >
> > > Jim Harrison
> > > MCP(2K), A+, Network+, PCG
> > >
> > > ----- Original Message -----
> > > From: "Jay" <jschwarzkopf@xxxxxxxxxx>
> > > To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
> > > Sent: Friday, August 10, 2001 7:49 AM
> > > Subject: [isalist] Re: DNS Subnet question with DMZ
> > >
> > >
> > > http://www.ISAserver.org
> > >
> > >
> > > Okay.
> > >
> > > What about server in perimeter network of back-to-back (using
different
> > > firewalls), with VPN connection into internal ISA firewall? Is
that
> > anymore
> > > a security concern than published ports?
> > >
> > >
> > > ----- Original Message -----
> > > From: Jim Harrison
> > > To: [ISAserver.org Discussion List]
> > > Sent: Friday, August 10, 2001 10:27 AM
> > > Subject: [isalist] Re: DNS Subnet question with DMZ
> > >
> > >
> > > http://www.ISAserver.org
> > >
> > >
> > > A DMZ provides isolation of your trusted network from your
> > > "publicly-available" servers" Some like to think of the DMZ as
the
> > > "sacrificial lamb", and to a degree it is. The general idea is
that
if
> > > someone wants to trash something, let it be in the DMZ. By the
same
> > token,
> > > if someone were to trash your DMZ server, they still don't have
direct
> > > access to the trusted LAN.
> > >
> > > Jim Harrison
> > > MCP(2K), A+, Network+, PCG
> > >
> > > ----- Original Message -----
> > > From: Jay
> > > To: [ISAserver.org Discussion List]
> > > Sent: Friday, August 10, 2001 7:18 AM
> > > Subject: [isalist] Re: DNS Subnet question with DMZ
> > >
> > >
> > > http://www.ISAserver.org
> > >
> > >
> > > Is there a benefit of putting E2k (or any server) on DMZ, over
just
> > > publishing it from internal net?
> > >
> > >
> > >
> > > ----- Original Message -----
> > > From: Jim Harrison
> > > To: [ISAserver.org Discussion List]
> > > Sent: Friday, August 10, 2001 9:38 AM
> > > Subject: [isalist] Re: DNS Subnet question with DMZ
> > >
> > >
> > > http://www.ISAserver.org
> > >
> > >
> > > Unfortunately, the best you can do for the DMZ server is a
single
> IP
> > > with the set you're given.
> > > Since the DMZ in a three--homed ISA is a subnet of the
external
> > > subnet, you have to use a /30 mask for the DMZ, giving you only 2
usable
> > > IPs; one for the ISA DMZ NIC and one left for a server.
> > > Is the Exchange server an E2K variation? If so, placing it
in
the
> > DMZ
> > > is more trouble than it's worth, given the issues related to AD
> membership
> > > across a firewall.
> > >
> > > Jim Harrison
> > > MCP(2K), A+, Network+, PCG
> > >
> > > ----- Original Message -----
> > > From: cismic
> > > To: [ISAserver.org Discussion List]
> > > Sent: Thursday, August 09, 2001 9:51 PM
> > > Subject: [isalist] DNS Subnet question with DMZ
> > >
> > >
> > > http://www.ISAserver.org
> > >
> > >
> > > I also posted this to the message boards. Sorry for the
> > duplication.
> > > Just thought I'd see if anyone was online tonight with some ideas.
> > >
> > > J
> > >
> > >
> > >
> > > Hello,
> > >
> > >
> > >
> > > I'm using 10.0.0.1 for illustration:
> > >
> > >
> > >
> > > I have 10.0.0.1/29 (8 IPs, 32 per C)
> > >
> > > as my ip address. IP'S .1 and .8 are being used by my ISP.
.7
> is
> > > assigned to my CISCO 776M ISDN router.
> > >
> > >
> > >
> > > That leaves me with 5 ip address to use.
> > >
> > > .2, .3, .4, .5, .6
> > >
> > > EXT NIC 1. = .2
> > >
> > > DMZ NIC 1. = .3
> > >
> > > DMZ servers would be .4, .5, .6
> > >
> > >
> > >
> > > If I split those into something like the following
> > >
> > > .4 sql
> > >
> > > .5 web
> > >
> > > .6 DNS
> > >
> > > I run out of address and won't be able to place my
exchange
> server
> > > in the dmz.
> > >
> > >
> > >
> > > and Internal NIC private could be 10.0.1.0
> > >
> > >
> > >
> > > Is there another method that will work just as well so I
can
> > publish
> > > my Exchange server?
> > >
> > >
> > >
> > > ------------------------------------------------------
> > > You are currently subscribed to this ISAserver.org
Discussion
> List
> > > as: jim@xxxxxxxxxxxx
> > > To unsubscribe send a blank email to
> > > $subst('Email.Unsub')
> > > ------------------------------------------------------
> > > You are currently subscribed to this ISAserver.org
Discussion
List
> > as:
> > > jschwarzkopf@xxxxxxxxxx
> > > To unsubscribe send a blank email to
> > > $subst('Email.Unsub')
> > > ------------------------------------------------------
> > > You are currently subscribed to this ISAserver.org Discussion
List
> as:
> > > jim@xxxxxxxxxxxx
> > > To unsubscribe send a blank email to
> > $subst('Email.Unsub')
> > > ------------------------------------------------------
> > > You are currently subscribed to this ISAserver.org Discussion
List
as:
> > > jschwarzkopf@xxxxxxxxxx
> > > To unsubscribe send a blank email to
> $subst('Email.Unsub')
> > >
> > >
> > > ------------------------------------------------------
> > > You are currently subscribed to this ISAserver.org Discussion List
as:
> > > jim@xxxxxxxxxxxx
> > > To unsubscribe send a blank email to
$subst('Email.Unsub')
> > >
> > >
> > >
> > > ------------------------------------------------------
> > > You are currently subscribed to this ISAserver.org Discussion List
as:
> > jschwarzkopf@xxxxxxxxxx
> > > To unsubscribe send a blank email to
$subst('Email.Unsub')
> >
> >
> > ------------------------------------------------------
> > You are currently subscribed to this ISAserver.org Discussion List
as:
> > jim@xxxxxxxxxxxx
> > To unsubscribe send a blank email to
$subst('Email.Unsub')
> >
> >
> >
> > ------------------------------------------------------
> > You are currently subscribed to this ISAserver.org Discussion List
as:
> jschwarzkopf@xxxxxxxxxx
> > To unsubscribe send a blank email to
$subst('Email.Unsub')
>
>
> ------------------------------------------------------
> You are currently subscribed to this ISAserver.org Discussion List as:
> jim@xxxxxxxxxxxx
> To unsubscribe send a blank email to
$subst('Email.Unsub')
>
>
>
> ------------------------------------------------------
> You are currently subscribed to this ISAserver.org Discussion List as:
jschwarzkopf@xxxxxxxxxx
> To unsubscribe send a blank email to
$subst('Email.Unsub')
------------------------------------------------------
You are currently subscribed to this ISAserver.org Discussion List as:
jim@xxxxxxxxxxxx
To unsubscribe send a blank email to $subst('Email.Unsub')
------------------------------------------------------
You are currently subscribed to this ISAserver.org Discussion List as:
cismic@xxxxxxx
To unsubscribe send a blank email to $subst('Email.Unsub')
Other related posts:
