Ok, now that's a new question:

1. Security risks posed by having web / E2K servers inside out of the rain: _If_ someone were to get past the ISA and infect the web or E2K servers, they _might_ be able to gain access to the rest of your internal network. They might also fix you eggs and ham for breakfast, but the odds are about even there. Seriously, that's the whole point of ISA: to help keep the bad guys out. Properly configured, it does a mighty fine job. I, for one, have no fear of the Code Red worm, because my ISAs drop the buffer overflow request before it even gets to my web servers.

2. DMZ security: the DMZ offers security by isolation; the separation of the trusted network from those servers that must be accessible from the Internet. Since E2K requires direct AD access, and that's a huge hole in your firewall between the LAT and the DMZ, there's little to be gained by placing an E2K server there. Also, the web server is better protected by being in the LAT, since the web proxy is now available for application-level filtering of web traffic.

3. IP assignment: by using web publishing, you can publish a cubic grunch of web servers using one IP address and keep all the traffic logged individually by client. This means that you only need to assign an IP for each identical non-web protocol (more than one SMTP publishing rule, for instance). This helps to reduce the IP-per-site requirements so many admins are used to creating.

Jim Harrison
MCP(2K), A+, Network+, PCG

----- Original Message -----
From: "Guinn Unger" <geunger@xxxxxxxxxxxxx>
To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
Sent: Monday, July 30, 2001 7:44 PM
Subject: [isalist] Re: IP Addresses on DMZ

http://www.ISAserver.org

I have read a good bit of this material, but it gets rather overwhelming pretty quickly. So suppose we step back 10 paces and ask ourselves what we really want.
My ultimate goal is to have Internet access, publish one or two web servers, publish an Exchange server, and have VPN access both from our desktops to outside sites and from outside to our network. From what I had read, it seemed like a DMZ would be a good solution, but I'm beginning to wonder.

If I go back to our ISP and ask for a bigger block of IP addresses, I feel pretty certain they are going to balk. They seemed very reluctant to give us the eight that they did. (It also seems like we are using IP addresses pretty inefficiently if I need more than 8 public IP addresses to publish three servers. Oh, well.)

How much of a security risk would it really be to have our web servers and Exchange server on our private network? Does the DMZ really offer that much extra security? If we keep up with security patches and such, do we really need the DMZ? I can't imagine that we have very much that anybody would want on our network, except to take over a server for DoS attacks or something similar. Does that make sense?

Again, thanks in advance for the help.

Guinn

-----Original Message-----
From: Jim Harrison [mailto:jim@xxxxxxxxxxxx]
Sent: Monday, July 30, 2001 7:40 PM
To: [ISAserver.org Discussion List]
Subject: [isalist] Re: IP Addresses on DMZ

http://www.ISAserver.org

One problem you have is that with 6 IPs, any further subnetting is limited to two functional DMZ IPs: one for the ISA DMZ NIC and one for the DMZ server.

There is some general ISA deployment reading you should do before plunging headlong into the abyss that is ISA :-)...

http://www.isaserver.org/shinder/tips/getting_started.htm
http://www.isaserver.org/shinder/tutorials/secure_nat_client.htm
http://www.isaserver.org/shinder/tutorials/designing_an_isa_server_solution_on_a%20_simple_network.htm
http://www.isaserver.org/pages/tutorials/isanetworks.htm
http://www.isaserver.org/shinder/tutorials/dmz_scenarios.htm

..and many more in the "Learning Zone"...
Jim Harrison
MCP(2K), A+, Network+, PCG

------------------------------------------------------
You are currently subscribed to this ISAserver.org Discussion List as: jim@xxxxxxxxxxxx
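Two of Jim's points above (the ISA web proxy dropping Code Red's buffer-overflow request before it reaches the web server, and web publishing of many sites behind one public IP with per-client logging) both come down to what an application-level reverse proxy does with an HTTP request. The following is an added example written for this page, not ISA Server code and not anything from the thread: it models a publishing rule table keyed on the Host header, a filter that drops over-long query strings aimed at the IIS .ida/.idq ISAPI handlers (the vector Code Red used), and a log line per client. The host names, internal addresses, the 200-byte threshold and the sample requests are all constructed for illustration.

```python
"""
Toy model of "web publishing" in front of internal web servers:
one public listener, many backends chosen by the HTTP Host header,
an application-level filter that rejects Code Red-style requests,
and one log record per client request.

Added example, not ISA Server code. Every host name, address and
threshold below is an assumption made for illustration.
"""
import re
from dataclasses import dataclass
from typing import Dict, Optional, Tuple
from urllib.parse import urlsplit

# Assumed publishing table: public host name -> internal server (hypothetical).
PUBLISHING_RULES: Dict[str, str] = {
    "www.example.com": "10.0.0.10:80",
    "owa.example.com": "10.0.0.20:80",
    "intranet.example.com": "10.0.0.30:8080",
}

# Code Red exploited the IIS Index Server ISAPI extension (.ida/.idq) with an
# over-long query string. Capping query length for those handlers drops the
# request at the proxy, so the web server never parses it.
ISAPI_HANDLER_RE = re.compile(r"\.id[aq]$", re.IGNORECASE)
MAX_ISAPI_QUERY = 200  # assumed threshold; Code Red's payload was far longer


@dataclass
class Decision:
    action: str            # "forward" or "drop"
    backend: Optional[str]  # internal server when forwarding
    reason: str


def parse_request(raw: bytes) -> Tuple[str, str, Dict[str, str]]:
    """Return (method, request-target, headers) from an HTTP/1.x request head."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    lines = head.split("\r\n")
    method, target, _version = lines[0].split(" ", 2)
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return method, target, headers


def decide(raw: bytes) -> Decision:
    """Apply the application-level filter, then the publishing rules."""
    _method, target, headers = parse_request(raw)
    parts = urlsplit(target)
    if ISAPI_HANDLER_RE.search(parts.path) and len(parts.query) > MAX_ISAPI_QUERY:
        return Decision("drop", None, "over-long query string to .ida/.idq handler")
    host = headers.get("host", "").split(":")[0].lower()
    backend = PUBLISHING_RULES.get(host)
    if backend is None:
        return Decision("drop", None, f"no publishing rule for host {host!r}")
    return Decision("forward", backend, "matched publishing rule")


def handle(client_ip: str, raw: bytes) -> Tuple[Decision, str]:
    """Route one request and produce the per-client log line for it."""
    method, target, headers = parse_request(raw)
    d = decide(raw)
    detail = d.backend if d.action == "forward" else d.reason
    log = f"{client_ip} {headers.get('host', '-')} {method} {target[:48]} -> {d.action} ({detail})"
    return d, log


# Constructed sample traffic (not captured data); the second request follows
# the Code Red pattern of a long run of 'N' plus %u-encoded shellcode.
NORMAL_REQUEST = b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n\r\n"
CODE_RED_STYLE = (
    b"GET /default.ida?" + b"N" * 224 + b"%u9090%u6858%ucbd3%u7801=a HTTP/1.0\r\n"
    b"Host: www.example.com\r\n\r\n"
)
UNPUBLISHED_HOST = b"GET / HTTP/1.1\r\nHost: nothing.example.com\r\n\r\n"

if __name__ == "__main__":
    for ip, req in (("203.0.113.5", NORMAL_REQUEST),
                    ("198.51.100.7", CODE_RED_STYLE),
                    ("203.0.113.9", UNPUBLISHED_HOST)):
        print(handle(ip, req)[1])
```

The filter runs before the host lookup, so a malicious request is dropped even for a published host, and the log line records the client address either way, which is what lets many published sites share one public IP while still being auditable per client.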