No; that name is for your DNS server. You would publish that IP to the DNS server in the DMZ. Name you ISA server whatever you want; something like Dorothy, or Kansas, or AuntieEm... Jim Harrison MCP(2K), A+, Network+, PCG ----- Original Message ----- From: "cismic" <cismic@xxxxxxx> To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx> Sent: Friday, August 10, 2001 3:03 PM Subject: [isalist] Re: DNS Subnet question with DMZ http://www.ISAserver.org I plan on running back to back. However, would my isa server still need the name of my NS1.SOMESEVER.COM as listed with network solutions? Thank you, Joseph -----Original Message----- From: Jim Harrison [mailto:jim@xxxxxxxxxxxx] Sent: Friday, August 10, 2001 2:36 PM To: [ISAserver.org Discussion List] Subject: [isalist] Re: DNS Subnet question with DMZ http://www.ISAserver.org Private IP's are only valid in a back-back DMZ. Jim Harrison MCP(2K), A+, Network+, PCG ----- Original Message ----- From: "cismic" <cismic@xxxxxxx> To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx> Sent: Friday, August 10, 2001 2:20 PM Subject: [isalist] Re: DNS Subnet question with DMZ http://www.ISAserver.org If private IP address were then used in the DMZ and you are running primary DNS. Would your ISA machine have to have the IP address that you registered with a firm such as Network solutions as in NS1.SOMESERVER.COM/.ORG ETC? I'm guessing that would be the only way for it to find your translated zones. Thank you to everyone for the valuable insight and information! Joseph -----Original Message----- From: Jim Harrison [mailto:jim@xxxxxxxxxxxx] Sent: Friday, August 10, 2001 1:25 PM To: [ISAserver.org Discussion List] Subject: [isalist] Re: DNS Subnet question with DMZ http://www.ISAserver.org It wouldn't; I was reading the email you hadn't written yet ... :-\ Jim Harrison MCP(2K), A+, Network+, PCG ----- Original Message ----- From: "Jay" <jschwarzkopf@xxxxxxxxxx> To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx> Sent: Friday, August 10, 2001 12:02 PM Subject: [isalist] Re: DNS Subnet question with DMZ http://www.ISAserver.org How would SMTP relay help with OWA? ----- Original Message ----- From: "Jim Harrison" <jim@xxxxxxxxxxxx> To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx> Sent: Friday, August 10, 2001 2:45 PM Subject: [isalist] Re: DNS Subnet question with DMZ > http://www.ISAserver.org > > > True; or as Tom suggested, use an SMTP relay in the DMZ. > > Jim Harrison > MCP(2K), A+, Network+, PCG > > ----- Original Message ----- > From: "Jay" <jschwarzkopf@xxxxxxxxxx> > To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx> > Sent: Friday, August 10, 2001 11:30 AM > Subject: [isalist] Re: DNS Subnet question with DMZ > > > http://www.ISAserver.org > > > I understand. > > Then, even with back-to-back firewalls, it would be wise to put the OWA > Front End server on the internal network, and publish it on the internal > firewall. > > > ----- Original Message ----- > From: "Jim Harrison" <jim@xxxxxxxxxxxx> > To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx> > Sent: Friday, August 10, 2001 1:53 PM > Subject: [isalist] Re: DNS Subnet question with DMZ > > > > http://www.ISAserver.org > > > > > > There is always a choice. If you choose to place E2K in the DMZ, then you > > also choose to open the DMZ to the LAT for AD communications. It's all > > about choices and the risks. you're willing to accept. > > > > Jim Harrison > > MCP(2K), A+, Network+, PCG > > > > > > ----- Original Message ----- > > From: "Jay" <jschwarzkopf@xxxxxxxxxx> > > To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx> > > Sent: Friday, August 10, 2001 10:05 > > Subject: [isalist] Re: DNS Subnet question with DMZ > > > > > > http://www.ISAserver.org > > > > > > Of course, with E2k you have no choice. > > > > ----- Original Message ----- > > From: "Jim Harrison" <jim@xxxxxxxxxxxx> > > To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx> > > Sent: Friday, August 10, 2001 12:03 PM > > Subject: [isalist] Re: DNS Subnet question with DMZ > > > > > > > http://www.ISAserver.org > > > > > > > > > That server would provide an open path to the LAT through the VPN > > > connection. > > > All deployment is based on risk assessment. Only you can determine if > the > > > dangers of a given setup are outweighed by the benefits. Generally, > only > > > those protocols that need to pass between DMZ and LAT should be allowed. > > > Allowing AD traffic to the DMZ is dangerous, regardless of how you allow > > it. > > > > > > Jim Harrison > > > MCP(2K), A+, Network+, PCG > > > > > > ----- Original Message ----- > > > From: "Jay" <jschwarzkopf@xxxxxxxxxx> > > > To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx> > > > Sent: Friday, August 10, 2001 7:49 AM > > > Subject: [isalist] Re: DNS Subnet question with DMZ > > > > > > > > > http://www.ISAserver.org > > > > > > > > > Okay. > > > > > > What about server in perimeter network of back-to-back (using different > > > firewalls), with VPN connection into internal ISA firewall? Is that > > anymore > > > a security concern than published ports? > > > > > > > > > ----- Original Message ----- > > > From: Jim Harrison > > > To: [ISAserver.org Discussion List] > > > Sent: Friday, August 10, 2001 10:27 AM > > > Subject: [isalist] Re: DNS Subnet question with DMZ > > > > > > > > > http://www.ISAserver.org > > > > > > > > > A DMZ provides isolation of your trusted network from your > > > "publicly-available" servers" Some like to think of the DMZ as the > > > "sacrificial lamb", and to a degree it is. The general idea is that if > > > someone wants to trash something, let it be in the DMZ. By the same > > token, > > > if someone were to trash your DMZ server, they still don't have direct > > > access to the trusted LAN. > > > > > > Jim Harrison > > > MCP(2K), A+, Network+, PCG > > > > > > ----- Original Message ----- > > > From: Jay > > > To: [ISAserver.org Discussion List] > > > Sent: Friday, August 10, 2001 7:18 AM > > > Subject: [isalist] Re: DNS Subnet question with DMZ > > > > > > > > > http://www.ISAserver.org > > > > > > > > > Is there a benefit of putting E2k (or any server) on DMZ, over just > > > publishing it from internal net? > > > > > > > > > > > > ----- Original Message ----- > > > From: Jim Harrison > > > To: [ISAserver.org Discussion List] > > > Sent: Friday, August 10, 2001 9:38 AM > > > Subject: [isalist] Re: DNS Subnet question with DMZ > > > > > > > > > http://www.ISAserver.org > > > > > > > > > Unfortunately, the best you can do for the DMZ server is a single > IP > > > with the set you're given. > > > Since the DMZ in a three--homed ISA is a subnet of the external > > > subnet, you have to use a /30 mask for the DMZ, giving you only 2 usable > > > IPs; one for the ISA DMZ NIC and one left for a server. > > > Is the Exchange server an E2K variation? If so, placing it in the > > DMZ > > > is more trouble than it's worth, given the issues related to AD > membership > > > across a firewall. > > > > > > Jim Harrison > > > MCP(2K), A+, Network+, PCG > > > > > > ----- Original Message ----- > > > From: cismic > > > To: [ISAserver.org Discussion List] > > > Sent: Thursday, August 09, 2001 9:51 PM > > > Subject: [isalist] DNS Subnet question with DMZ > > > > > > > > > http://www.ISAserver.org > > > > > > > > > I also posted this to the message boards. Sorry for the > > duplication. > > > Just thought I'd see if anyone was online tonight with some ideas. > > > > > > J > > > > > > > > > > > > Hello, > > > > > > > > > > > > I'm using 10.0.0.1 for illustration: > > > > > > > > > > > > I have 10.0.0.1/29 (8 IPs, 32 per C) > > > > > > as my ip address. IP'S .1 and .8 are being used by my ISP. .7 > is > > > assigned to my CISCO 776M ISDN router. > > > > > > > > > > > > That leaves me with 5 ip address to use. > > > > > > .2, .3, .4, .5, .6 > > > > > > EXT NIC 1. = .2 > > > > > > DMZ NIC 1. = .3 > > > > > > DMZ servers would be .4, .5, .6 > > > > > > > > > > > > If I split those into something like the following > > > > > > .4 sql > > > > > > .5 web > > > > > > .6 DNS > > > > > > I run out of address and won't be able to place my exchange > server > > > in the dmz. > > > > > > > > > > > > and Internal NIC private could be 10.0.1.0 > > > > > > > > > > > > Is there another method that will work just as well so I can > > publish > > > my Exchange server? > > > > > > > > > > > > ------------------------------------------------------ > > > You are currently subscribed to this ISAserver.org Discussion > List > > > as: jim@xxxxxxxxxxxx > > > To unsubscribe send a blank email to > > > $subst('Email.Unsub') > > > ------------------------------------------------------ > > > You are currently subscribed to this ISAserver.org Discussion List > > as: > > > jschwarzkopf@xxxxxxxxxx > > > To unsubscribe send a blank email to > > > $subst('Email.Unsub') > > > ------------------------------------------------------ > > > You are currently subscribed to this ISAserver.org Discussion List > as: > > > jim@xxxxxxxxxxxx > > > To unsubscribe send a blank email to > > $subst('Email.Unsub') > > > ------------------------------------------------------ > > > You are currently subscribed to this ISAserver.org Discussion List as: > > > jschwarzkopf@xxxxxxxxxx > > > To unsubscribe send a blank email to > $subst('Email.Unsub') > > > > > > > > > ------------------------------------------------------ > > > You are currently subscribed to this ISAserver.org Discussion List as: > > > jim@xxxxxxxxxxxx > > > To unsubscribe send a blank email to $subst('Email.Unsub') > > > > > > > > > > > > ------------------------------------------------------ > > > You are currently subscribed to this ISAserver.org Discussion List as: > > jschwarzkopf@xxxxxxxxxx > > > To unsubscribe send a blank email to $subst('Email.Unsub') > > > > > > ------------------------------------------------------ > > You are currently subscribed to this ISAserver.org Discussion List as: > > jim@xxxxxxxxxxxx > > To unsubscribe send a blank email to $subst('Email.Unsub') > > > > > > > > ------------------------------------------------------ > > You are currently subscribed to this ISAserver.org Discussion List as: > jschwarzkopf@xxxxxxxxxx > > To unsubscribe send a blank email to $subst('Email.Unsub') > > > ------------------------------------------------------ > You are currently subscribed to this ISAserver.org Discussion List as: > jim@xxxxxxxxxxxx > To unsubscribe send a blank email to $subst('Email.Unsub') > > > > ------------------------------------------------------ > You are currently subscribed to this ISAserver.org Discussion List as: jschwarzkopf@xxxxxxxxxx > To unsubscribe send a blank email to $subst('Email.Unsub') ------------------------------------------------------ You are currently subscribed to this ISAserver.org Discussion List as: jim@xxxxxxxxxxxx To unsubscribe send a blank email to $subst('Email.Unsub') ------------------------------------------------------ You are currently subscribed to this ISAserver.org Discussion List as: cismic@xxxxxxx To unsubscribe send a blank email to $subst('Email.Unsub') ------------------------------------------------------ You are currently subscribed to this ISAserver.org Discussion List as: jim@xxxxxxxxxxxx To unsubscribe send a blank email to $subst('Email.Unsub') ------------------------------------------------------ You are currently subscribed to this ISAserver.org Discussion List as: cismic@xxxxxxx To unsubscribe send a blank email to $subst('Email.Unsub') ------------------------------------------------------ You are currently subscribed to this ISAserver.org Discussion List as: jim@xxxxxxxxxxxx To unsubscribe send a blank email to $subst('Email.Unsub')