If private IP addresses were then used in the DMZ and you are running primary DNS, would your ISA machine have to have the IP address that you registered with a firm such as Network Solutions, as in NS1.SOMESERVER.COM/.ORG etc.? I'm guessing that would be the only way for it to find your translated zones.

Thank you to everyone for the valuable insight and information!

Joseph

-----Original Message-----
From: Jim Harrison [mailto:jim@xxxxxxxxxxxx]
Sent: Friday, August 10, 2001 1:25 PM
To: [ISAserver.org Discussion List]
Subject: [isalist] Re: DNS Subnet question with DMZ

http://www.ISAserver.org

It wouldn't; I was reading the email you hadn't written yet ... :-\

Jim Harrison
MCP(2K), A+, Network+, PCG

----- Original Message -----
From: "Jay" <jschwarzkopf@xxxxxxxxxx>
To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
Sent: Friday, August 10, 2001 12:02 PM
Subject: [isalist] Re: DNS Subnet question with DMZ

How would SMTP relay help with OWA?

----- Original Message -----
From: "Jim Harrison" <jim@xxxxxxxxxxxx>
To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
Sent: Friday, August 10, 2001 2:45 PM
Subject: [isalist] Re: DNS Subnet question with DMZ

> True; or as Tom suggested, use an SMTP relay in the DMZ.
>
> Jim Harrison
> MCP(2K), A+, Network+, PCG
>
> ----- Original Message -----
> From: "Jay" <jschwarzkopf@xxxxxxxxxx>
> To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
> Sent: Friday, August 10, 2001 11:30 AM
> Subject: [isalist] Re: DNS Subnet question with DMZ
>
> I understand.
>
> Then, even with back-to-back firewalls, it would be wise to put the OWA
> Front End server on the internal network, and publish it on the internal
> firewall.
>
> ----- Original Message -----
> From: "Jim Harrison" <jim@xxxxxxxxxxxx>
> To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
> Sent: Friday, August 10, 2001 1:53 PM
> Subject: [isalist] Re: DNS Subnet question with DMZ
>
> > There is always a choice. If you choose to place E2K in the DMZ, then you
> > also choose to open the DMZ to the LAT for AD communications. It's all
> > about choices and the risks you're willing to accept.
> >
> > Jim Harrison
> > MCP(2K), A+, Network+, PCG
> >
> > ----- Original Message -----
> > From: "Jay" <jschwarzkopf@xxxxxxxxxx>
> > To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
> > Sent: Friday, August 10, 2001 10:05
> > Subject: [isalist] Re: DNS Subnet question with DMZ
> >
> > Of course, with E2k you have no choice.
> >
> > ----- Original Message -----
> > From: "Jim Harrison" <jim@xxxxxxxxxxxx>
> > To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
> > Sent: Friday, August 10, 2001 12:03 PM
> > Subject: [isalist] Re: DNS Subnet question with DMZ
> >
> > > That server would provide an open path to the LAT through the VPN
> > > connection.
> > > All deployment is based on risk assessment. Only you can determine if the
> > > dangers of a given setup are outweighed by the benefits. Generally, only
> > > those protocols that need to pass between DMZ and LAT should be allowed.
> > > Allowing AD traffic to the DMZ is dangerous, regardless of how you allow it.
> > >
> > > Jim Harrison
> > > MCP(2K), A+, Network+, PCG
> > >
> > > ----- Original Message -----
> > > From: "Jay" <jschwarzkopf@xxxxxxxxxx>
> > > To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
> > > Sent: Friday, August 10, 2001 7:49 AM
> > > Subject: [isalist] Re: DNS Subnet question with DMZ
> > >
> > > Okay.
> > >
> > > What about server in perimeter network of back-to-back (using different
> > > firewalls), with VPN connection into internal ISA firewall? Is that any more
> > > a security concern than published ports?
> > >
> > > ----- Original Message -----
> > > From: Jim Harrison
> > > To: [ISAserver.org Discussion List]
> > > Sent: Friday, August 10, 2001 10:27 AM
> > > Subject: [isalist] Re: DNS Subnet question with DMZ
> > >
> > > A DMZ provides isolation of your trusted network from your
> > > "publicly-available" servers. Some like to think of the DMZ as the
> > > "sacrificial lamb", and to a degree it is. The general idea is that if
> > > someone wants to trash something, let it be in the DMZ. By the same token,
> > > if someone were to trash your DMZ server, they still don't have direct
> > > access to the trusted LAN.
> > >
> > > Jim Harrison
> > > MCP(2K), A+, Network+, PCG
> > >
> > > ----- Original Message -----
> > > From: Jay
> > > To: [ISAserver.org Discussion List]
> > > Sent: Friday, August 10, 2001 7:18 AM
> > > Subject: [isalist] Re: DNS Subnet question with DMZ
> > >
> > > Is there a benefit of putting E2k (or any server) on DMZ, over just
> > > publishing it from internal net?
> > >
> > > ----- Original Message -----
> > > From: Jim Harrison
> > > To: [ISAserver.org Discussion List]
> > > Sent: Friday, August 10, 2001 9:38 AM
> > > Subject: [isalist] Re: DNS Subnet question with DMZ
> > >
> > > Unfortunately, the best you can do for the DMZ server is a single IP
> > > with the set you're given.
> > > Since the DMZ in a three-homed ISA is a subnet of the external
> > > subnet, you have to use a /30 mask for the DMZ, giving you only 2 usable
> > > IPs; one for the ISA DMZ NIC and one left for a server.
> > > Is the Exchange server an E2K variation?
> > > If so, placing it in the DMZ
> > > is more trouble than it's worth, given the issues related to AD membership
> > > across a firewall.
> > >
> > > Jim Harrison
> > > MCP(2K), A+, Network+, PCG
> > >
> > > ----- Original Message -----
> > > From: cismic
> > > To: [ISAserver.org Discussion List]
> > > Sent: Thursday, August 09, 2001 9:51 PM
> > > Subject: [isalist] DNS Subnet question with DMZ
> > >
> > > I also posted this to the message boards. Sorry for the duplication.
> > > Just thought I'd see if anyone was online tonight with some ideas.
> > >
> > > J
> > >
> > > Hello,
> > >
> > > I'm using 10.0.0.1 for illustration:
> > >
> > > I have 10.0.0.1/29 (8 IPs, 32 per C)
> > > as my IP address. IPs .1 and .8 are being used by my ISP. .7 is
> > > assigned to my CISCO 776M ISDN router.
> > >
> > > That leaves me with 5 IP addresses to use.
> > > .2, .3, .4, .5, .6
> > > EXT NIC 1. = .2
> > > DMZ NIC 1. = .3
> > > DMZ servers would be .4, .5, .6
> > >
> > > If I split those into something like the following
> > > .4 sql
> > > .5 web
> > > .6 DNS
> > > I run out of addresses and won't be able to place my Exchange server
> > > in the DMZ.
> > >
> > > and Internal NIC private could be 10.0.1.0
> > >
> > > Is there another method that will work just as well so I can publish
> > > my Exchange server?
> > >
> > > ------------------------------------------------------
> > > You are currently subscribed to this ISAserver.org Discussion List
> > > as: jim@xxxxxxxxxxxx
> > > To unsubscribe send a blank email to
> > > $subst('Email.Unsub')
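
Added example, not part of the thread: the address arithmetic behind the /30 DMZ mask described in the 9:38 AM reply, worked with Python's `ipaddress` module. The 192.0.2.0/29 block, the host assignments and the `dmz_candidates` helper are constructed for illustration; the second call generalizes to a larger allocation.

```python
import ipaddress

# Constructed sample values (documentation range), not the poster's addresses.
SAMPLE_BLOCK = "192.0.2.0/29"
SAMPLE_EXTERNAL = ["192.0.2.1",   # upstream router
                   "192.0.2.2"]   # firewall external NIC


def dmz_candidates(block, external_hosts, dmz_prefix=30):
    """Carve `block` into sub-blocks of `dmz_prefix` and keep those usable as a DMZ.

    A sub-block qualifies only if no address needed on the external segment
    falls inside it (network and broadcast addresses included), because the
    firewall must route the whole sub-block to its DMZ interface.
    """
    net = ipaddress.ip_network(block)
    taken = [ipaddress.ip_address(h) for h in external_hosts]
    result = []
    for sub in net.subnets(new_prefix=dmz_prefix):
        if any(addr in sub for addr in taken):
            continue  # overlaps the external segment, cannot be routed to the DMZ
        hosts = list(sub.hosts())  # excludes network and broadcast addresses
        result.append({
            "subnet": str(sub),
            "firewall_nic": str(hosts[0]),            # first usable goes to the DMZ NIC
            "servers": [str(h) for h in hosts[1:]],   # what is left for published hosts
        })
    return result


if __name__ == "__main__":
    # A /29 split into /30s: one clean DMZ sub-block, one server address.
    for c in dmz_candidates(SAMPLE_BLOCK, SAMPLE_EXTERNAL):
        print(c)
    # Generalization: a /28 allocation split into /29s leaves five server addresses.
    for c in dmz_candidates("192.0.2.0/28", SAMPLE_EXTERNAL, dmz_prefix=29):
        print(c)
```

Every extra subnet costs two addresses (network and broadcast) plus one for the firewall interface, which is why a small public block yields so few DMZ server addresses.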