Of course, with E2k you have no choice.

----- Original Message -----
From: "Jim Harrison" <jim@xxxxxxxxxxxx>
To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
Sent: Friday, August 10, 2001 12:03 PM
Subject: [isalist] Re: DNS Subnet question with DMZ

> http://www.ISAserver.org
>
> That server would provide an open path to the LAT through the VPN
> connection.
> All deployment is based on risk assessment. Only you can determine if the
> dangers of a given setup are outweighed by the benefits. Generally, only
> those protocols that need to pass between DMZ and LAT should be allowed.
> Allowing AD traffic to the DMZ is dangerous, regardless of how you allow it.
>
> Jim Harrison
> MCP(2K), A+, Network+, PCG
>
> ----- Original Message -----
> From: "Jay" <jschwarzkopf@xxxxxxxxxx>
> To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
> Sent: Friday, August 10, 2001 7:49 AM
> Subject: [isalist] Re: DNS Subnet question with DMZ
>
> Okay.
>
> What about a server in the perimeter network of a back-to-back (using
> different firewalls), with a VPN connection into the internal ISA firewall?
> Is that any more of a security concern than published ports?
>
> ----- Original Message -----
> From: Jim Harrison
> To: [ISAserver.org Discussion List]
> Sent: Friday, August 10, 2001 10:27 AM
> Subject: [isalist] Re: DNS Subnet question with DMZ
>
> A DMZ provides isolation of your trusted network from your
> "publicly-available" servers. Some like to think of the DMZ as the
> "sacrificial lamb", and to a degree it is. The general idea is that if
> someone wants to trash something, let it be in the DMZ. By the same token,
> if someone were to trash your DMZ server, they still don't have direct
> access to the trusted LAN.
>
> Jim Harrison
> MCP(2K), A+, Network+, PCG
>
> ----- Original Message -----
> From: Jay
> To: [ISAserver.org Discussion List]
> Sent: Friday, August 10, 2001 7:18 AM
> Subject: [isalist] Re: DNS Subnet question with DMZ
>
> Is there a benefit of putting E2k (or any server) on DMZ, over just
> publishing it from internal net?
>
> ----- Original Message -----
> From: Jim Harrison
> To: [ISAserver.org Discussion List]
> Sent: Friday, August 10, 2001 9:38 AM
> Subject: [isalist] Re: DNS Subnet question with DMZ
>
> Unfortunately, the best you can do for the DMZ server is a single IP
> with the set you're given.
> Since the DMZ in a three-homed ISA is a subnet of the external
> subnet, you have to use a /30 mask for the DMZ, giving you only 2 usable
> IPs; one for the ISA DMZ NIC and one left for a server.
> Is the Exchange server an E2K variation? If so, placing it in the DMZ
> is more trouble than it's worth, given the issues related to AD membership
> across a firewall.
>
> Jim Harrison
> MCP(2K), A+, Network+, PCG
>
> ----- Original Message -----
> From: cismic
> To: [ISAserver.org Discussion List]
> Sent: Thursday, August 09, 2001 9:51 PM
> Subject: [isalist] DNS Subnet question with DMZ
>
> I also posted this to the message boards. Sorry for the duplication.
> Just thought I'd see if anyone was online tonight with some ideas.
>
> J
>
> Hello,
>
> I'm using 10.0.0.1 for illustration:
>
> I have 10.0.0.1/29 (8 IPs, 32 per C)
> as my IP address. IPs .1 and .8 are being used by my ISP. .7 is
> assigned to my CISCO 776M ISDN router.
>
> That leaves me with 5 IP addresses to use.
> .2, .3, .4, .5, .6
>
> EXT NIC 1. = .2
> DMZ NIC 1. = .3
> DMZ servers would be .4, .5, .6
>
> If I split those into something like the following
> .4 sql
> .5 web
> .6 DNS
> I run out of addresses and won't be able to place my Exchange server
> in the DMZ.
>
> and Internal NIC private could be 10.0.1.0
>
> Is there another method that will work just as well so I can publish
> my Exchange server?
>
> ------------------------------------------------------
> You are currently subscribed to this ISAserver.org Discussion List
> as: jim@xxxxxxxxxxxx
> To unsubscribe send a blank email to
> $subst('Email.Unsub')
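
The /30 arithmetic Jim Harrison describes for a three-homed ISA DMZ, worked through as an added example that is not part of the original thread. It assumes the thread's illustrative 10.0.0.1/29 block with .1 as the ISP gateway and .2 as the ISA external NIC (constructed values); `dmz_candidates` is a hypothetical helper name.

```python
import ipaddress


def dmz_candidates(external_cidr, external_in_use, dmz_prefix=30):
    """List DMZ subnets that can be carved out of the external block.

    A candidate is rejected if any address already in use on the external
    segment (ISP gateway, firewall external NIC) falls inside it, because
    those hosts have to stay on the external side of the firewall.
    """
    # strict=False accepts a host-style CIDR such as 10.0.0.1/29.
    external = ipaddress.ip_network(external_cidr, strict=False)
    in_use = {ipaddress.ip_address(a) for a in external_in_use}
    results = []
    for subnet in external.subnets(new_prefix=dmz_prefix):
        if any(addr in subnet for addr in in_use):
            continue
        hosts = list(subnet.hosts())  # network and broadcast excluded
        results.append({
            "subnet": str(subnet),
            "firewall_dmz_nic": str(hosts[0]),
            "servers": [str(h) for h in hosts[1:]],
        })
    return results


if __name__ == "__main__":
    # Constructed sample: .1 = ISP gateway, .2 = ISA external NIC.
    in_use = ["10.0.0.1", "10.0.0.2"]

    # A /29 splits into two /30s; only the one holding no external host
    # can become the DMZ, and it has room for exactly one server.
    for c in dmz_candidates("10.0.0.1/29", in_use):
        print(c)

    # Beyond the thread's case: a /28 allocation with a /29 DMZ would
    # leave five server addresses behind the firewall's DMZ NIC.
    for c in dmz_candidates("10.0.0.0/28", in_use, dmz_prefix=29):
        print(c)
```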