When you say to put the public DNS server on the internal network (DMZ), would you assign an internal IP address to the DNS server? i.e.

EXT NIC 216.x.x.x
INT NIC 10.0.1.1
DMZ DNS NIC 10.0.1.2

Then, to get outsiders looking at what is registered in the domain name space, would the registered domainname.com = 216.x.x.x, or would it be a private IP as in 10.x.x.x? What would be a best practice to publish with this setup?

Thank you,
Joseph

-----Original Message-----
From: Thomas W. Shinder [mailto:tshinder@xxxxxxxxxxxxxxxxxx]
Sent: Saturday, August 11, 2001 7:39 AM
To: [ISAserver.org Discussion List]
Subject: [isalist] Re: DNS Subnet question with DMZ

http://www.ISAserver.org

Hi Jay,

That would be an excellent solution. How did you configure the VPN so that services didn't fail when they tried to start up and the VPN link was not yet established?

Thanks!
Tom
www.isaserver.org/shinder
Thomas W Shinder, M.D., MCSE, MCT

-----Original Message-----
From: Jay [mailto:jschwarzkopf@xxxxxxxxxx]
Sent: Saturday, August 11, 2001 9:36 AM
To: [ISAserver.org Discussion List]
Subject: [isalist] Re: DNS Subnet question with DMZ

Tom,

I've got servers, including OWA, in the perimeter network fully functional via VPN to the ISA server (without any babysitting or manual intervention required). That includes automated restoration of the VPN and all services in the case of either the server or ISA or RRAS going down. Or are you looking for a solution minus VPN?

----- Original Message -----
From: "Thomas W. Shinder" <tshinder@xxxxxxxxxxxxxxxxxx>
To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
Sent: Friday, August 10, 2001 10:09 PM
Subject: [isalist] Re: DNS Subnet question with DMZ

Hi Jay,

OWA is fine. OWA will only send authenticated requests to the BE Exchange server.
However, you will win a special prize for giving a step-by-step on how to make the member server on the DMZ participate in domain activities (including the LDAP queries required by the FE server to a GC server). Of course, we would have to be able to replicate the configuration to give you the prize. :-)

Thanks!
Tom
www.isaserver.org/shinder
Thomas W Shinder, M.D., MCSE, MCT

-----Original Message-----
From: Jay [mailto:jschwarzkopf@xxxxxxxxxx]
Sent: Friday, August 10, 2001 12:11 PM
To: [ISAserver.org Discussion List]
Subject: [isalist] Re: DNS Subnet question with DMZ

That's a good idea for SMTP. What about OWA FE? The only choices I see are 1) publishing it on the internal firewall and allowing incoming HTTP on the outside firewall, or 2) putting it in the perimeter network with a VPN to the ISA firewall. In either case, an HTTP attack getting past the external firewall and compromising the OWA server would have access to the internal net.

----- Original Message -----
From: "Thomas W. Shinder" <tshinder@xxxxxxxxxxxxxxxxxx>
To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxxx>
Sent: Friday, August 10, 2001 12:14 PM
Subject: [isalist] Re: DNS Subnet question with DMZ

Hi Jay,

NO benefit from putting Exchange on the DMZ. But put an SMTP server on the DMZ, and have that SMTP server RELAY to a published Exchange Server. Publish the Exchange Server and make it available ONLY to the SMTP server on the DMZ.

HTH,
Tom
www.isaserver.org/shinder
Thomas W Shinder, M.D., MCSE, MCT

-----Original Message-----
From: Jay [mailto:jschwarzkopf@xxxxxxxxxx]
Sent: Friday, August 10, 2001 9:18 AM
To: [ISAserver.org Discussion List]
Subject: [isalist] Re: DNS Subnet question with DMZ

Is there a benefit of putting E2K (or any server) on the DMZ, over just publishing it from the internal net?
----- Original Message -----
From: Jim Harrison
To: [ISAserver.org Discussion List]
Sent: Friday, August 10, 2001 9:38 AM
Subject: [isalist] Re: DNS Subnet question with DMZ

Unfortunately, the best you can do for the DMZ server is a single IP with the set you're given. Since the DMZ in a three-homed ISA is a subnet of the external subnet, you have to use a /30 mask for the DMZ, giving you only 2 usable IPs: one for the ISA DMZ NIC and one left for a server.

Is the Exchange server an E2K variation? If so, placing it in the DMZ is more trouble than it's worth, given the issues related to AD membership across a firewall.

Jim Harrison
MCP(2K), A+, Network+, PCG

----- Original Message -----
From: cismic
To: [ISAserver.org Discussion List]
Sent: Thursday, August 09, 2001 9:51 PM
Subject: [isalist] DNS Subnet question with DMZ

I also posted this to the message boards. Sorry for the duplication. Just thought I'd see if anyone was online tonight with some ideas.

J

Hello,

I'm using 10.0.0.1 for illustration: I have 10.0.0.1/29 (8 IPs, 32 per C) as my IP address. IPs .1 and .8 are being used by my ISP. .7 is assigned to my Cisco 776M ISDN router. That leaves me with 5 IP addresses to use: .2, .3, .4, .5, .6

EXT NIC 1. = .2
DMZ NIC 1. = .3
DMZ servers would be .4, .5, .6

If I split those into something like the following:
.4 sql
.5 web
.6 DNS

I run out of addresses and won't be able to place my Exchange server in the DMZ. And the internal NIC private could be 10.0.1.0.

Is there another method that will work just as well so I can publish my Exchange server?
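As an added example (not from the thread or from ISA Server) to make Jim Harrison's /30 arithmetic and cismic's address count concrete: carving a /30 DMZ out of the public /29 leaves two usable DMZ addresses, one of which the ISA DMZ NIC consumes, so only one of the four wanted servers fits. Which of the two /30s becomes the DMZ is an assumption made here, and the 10.0.0.0/29 block is the thread's own illustrative range.

```python
import ipaddress

# Constructed stand-in for the poster's public block; the thread itself uses
# 10.0.0.0/29 "for illustration", so the same range is used here.
PUBLIC_BLOCK = ipaddress.ip_network("10.0.0.0/29")


def usable_hosts(net):
    """Interface-assignable addresses: network and broadcast excluded."""
    return list(net.hosts())


def carve_dmz(block, dmz_prefix=30):
    """Split the block into the /30 a three-homed ISA needs for its DMZ and
    the remainder that stays on the external side.

    Taking the highest /30 as the DMZ is an assumption made here; the thread
    only says the DMZ must be a /30 inside the external subnet."""
    subnets = list(block.subnets(new_prefix=dmz_prefix))
    dmz = subnets[-1]
    if not dmz.subnet_of(block):          # sanity: DMZ must lie inside the block
        raise ValueError(f"{dmz} is not inside {block}")
    return dmz, subnets[:-1]


def servers_that_fit(dmz_subnet):
    """DMZ servers the subnet can hold once ISA's DMZ NIC takes one address."""
    return len(usable_hosts(dmz_subnet)) - 1


def plan(block, wanted_servers):
    """Lay out the block and report which of the wanted DMZ hosts fit."""
    dmz, external = carve_dmz(block)
    dmz_hosts = usable_hosts(dmz)
    slots = servers_that_fit(dmz)
    return {
        "block_addresses": block.num_addresses,   # 8 for a /29
        "block_usable": len(usable_hosts(block)),  # 6 for a /29
        "external_usable": [str(h) for s in external for h in usable_hosts(s)],
        "dmz": str(dmz),
        "isa_dmz_nic": str(dmz_hosts[0]),
        "placed": dict(zip(wanted_servers[:slots], map(str, dmz_hosts[1:]))),
        "left_out": wanted_servers[slots:],
    }


if __name__ == "__main__":
    # The hosts cismic wanted in the DMZ (sql, web, DNS) plus the Exchange server.
    for key, value in plan(PUBLIC_BLOCK, ["sql", "web", "dns", "exchange"]).items():
        print(f"{key}: {value}")
```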