RE: Server publishing

  • From: "Thor" <thor@xxxxxxxxxxxxxxx>
  • To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
  • Date: Thu, 1 Jul 2004 17:41:53 -0700

If you need access from external users to internal SQL, then use a VPN.

----- Original Message ----- 
From: "Nathan Casey" <NCASEY@xxxxxxxxxxxxxxxxx>
To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
Sent: Thursday, July 01, 2004 4:23 PM
Subject: [isalist] RE: Server publishing


> http://www.ISAserver.org
>
> One of the main confusions for the whole server publishing thing for
> me is the fact that our external webservers are in a PIX DMZ with their
> own Extranet Active Directory.  There is no and never will be a trust
> between our production domain and our DMZ domain.  The ISA server is on
> the edge of the production domain (PIX DMZ). How can I allow access
> from external users via the internet to the internal SQL server apps
> with either SQL authentication or Domain authentication?
> Your advice is definitely appreciated.
> Thank you
> Nathan
>
>
> >>> josephk@xxxxxxxxx 7/1/2004 3:57:05 PM >>>
> Hi there,
> SQL has merge replication that might work for your application.
> Besides, when designing an application as a developer you need to:
>
> 1.  Make sure before the submit button is selected that all possible
>     values are edited from the client side to save the round trip to
>     the server.
> 2.  Make sure that if your DB field size is 20 you're not trying to
>     stuff 30 into it. You need this for every field, editing that is.
> 3.  Make sure that all entries are using URL encoding.
> 4.  If anyone is still using dynamic SQL, make sure that you only
>     allow your SQL statement to be sent to the server.
>
> I also see that you're still on the question of publishing your SQL
> box. Exactly what is it that you're not getting?  If you publish the
> way that I sent the last time, you won't have any issues and your
> security guy just might buy you some flowers.
>
> Thank you,
>
> Joseph
>
>
>
> -----Original Message-----
> From: Nathan Casey [mailto:NCASEY@xxxxxxxxxxxxxxxxx]
> Sent: Thursday, July 01, 2004 3:13 PM
> To: [ISAserver.org Discussion List]
> Subject: [isalist] RE: Server publishing
>
>
> Very good suggestion, but the users that access the internet
> application make changes that would need to be replicated back to the
> internal SQL server. The one-way transactional replication scenario
> would not work for this app.
>
> >>> thor@xxxxxxxxxxxxxxx 7/1/2004 12:45:24 PM >>>
> To add to the previous (and excellent) points of Shawn and The Good
> Doctor, I would *highly* recommend considering populating the DMZ with
> its own SQL server (with proper licensing, of course.)
>
> Any leveraging of SQL injection-type attacks would afford an attacker
> the luxury of executing code on a box within your internal network.
> Further, from an authentication standpoint, I would imagine that your
> internal SQL box (assuming MS sql) would have to be configured to
> accept Mixed-mode authentication (with the ADODB connection strings
> containing user credentials) -- a far weaker authentication model than
> NT-based authentication -- that or (heaven forbid) you've got shared
> domain membership between the DMZ web server's IUSR account for the
> internal SQL box to accommodate authentication of the web application's
> requests for data.  In either case, a compromise of the web server
> would give an attacker credentials that could be used on your internal
> network, as well as a direct path (1433) into your network.
>
> A DMZ-based SQL box could be locked down, and the internal box could
> utilize one-way transactional replication to the DMZ.  In this model,
> there is no static port open to the internal network, there are no
> shared credentials (the internal box's replication push would use creds
> on the DMZ box and not the other way around) and any compromise would
> leave the attacker in the DMZ.  Further, the available data on the DMZ
> box would be limited to that required by the application.  My bet is
> that your internal SQL box has data above and beyond that required by
> the web app.
>
> Just a thought.
>
> t
>
> ----- Original Message ----- 
> From: "Thomas W Shinder" <tshinder@xxxxxxxxxxx>
> To: "[ISAserver.org Discussion List]"
> <isalist@xxxxxxxxxxxxx>
> Sent: Thursday, July 01, 2004 12:24 PM
> Subject: [isalist] RE: Server publishing
>
>
> Hi Shawn,
>
> Good point. With the SQL publishing scenario, the ISA firewall isn't
> providing any security (just like the pix).
>
> However, if there are services behind the ISA firewall that are exposed
> to app layer filtering, I'd keep the dual homed ISA box where it is.
>
> Tom
> www.isaserver.org/shinder
> Get the book!
> Tom and Deb Shinder's Configuring ISA Server 2004
> http://tinyurl.com/3xqb7
> MVP -- ISA Firewalls
>
>
>
> -----Original Message-----
> From: Quillman Shawn (RBNA/CSA1) *
> [mailto:Shawn.Quillman@xxxxxxxxxxxx]
> Sent: Thursday, July 01, 2004 2:11 PM
> To: [ISAserver.org Discussion List]
> Subject: [isalist] RE: Server publishing
>
>
> Yes.  The only time you can have 1 adapter is when ISA is in cache-only
> mode in which situation you can only web publish.  The config you show
> doesn't really make sense, the ISA would be redundant.  You would just
> publish the SQL server via the internal PIX.  What is it you're trying
> to accomplish with the ISA?
>
> -Shawn
>
>
> -----
> Shawn R. Quillman
> Robert Bosch Corporation RBNA/CSA1
> 38000 Hills Tech Drive
> Farmington Hills, MI 48331
> (248) 553-1164 (P) (248) 848-6969 (F)
> shawn.quillman@xxxxxxxxxxxx
>
> -----Original Message-----
> From: nathan [mailto:ncasey@xxxxxxxxxxxxxxxxx]
> Sent: Thursday, July 01, 2004 3:40 PM
> To: [ISAserver.org Discussion List]
> Subject: [isalist] Server publishing
>
> With server publishing, if I publish a SQL server that sits on the
> internal network, does my ISA server need 2 adapters? The SQL server is
> acting as a back-end database server for a Web site which is hosted on
> a web server in a PIX DMZ.
> If I do need 2 adapters for server publishing can they both reside in
> PIX DMZs? My network security guy wants all incoming traffic to go
> through the PIX firewall
>
> Internet Router
>    (Public IP)
> |
> |
> PIX FIREWALL
> |
> |
>   Web server
> |
> |
> PIX FIREWALL
> *internal Network*
> |
> |
> ISA SERVER
> |
> |
> SQL SERVER
>
> ------------------------------------------------------
> List Archives:
> http://www.webelists.com/cgi/lyris.pl?enter=isalist
> ISA Server Newsletter:
> http://www.isaserver.org/pages/newsletter.asp
> ISA Server FAQ:
> http://www.isaserver.org/pages/larticle.asp?type=FAQ
> ------------------------------------------------------
> Other Internet Software Marketing Sites:
> World of Windows Networking:
> http://www.windowsnetworking.com Leading
> Network Software Directory: http://www.serverfiles.com
> No.1 Exchange Server Resource Site:
> http://www.msexchange.org Windows
> Security Resource Site: http://www.windowsecurity.com/
> Network Security
> Library: http://www.secinf.net/ Windows 2000/NT Fax
> Solutions:
> http://www.ntfaxfaq.com
> ------------------------------------------------------
> You are currently subscribed to this ISAserver.org
> Discussion List as:
> shawn.quillman@xxxxxxxxxxxx To unsubscribe visit
> http://www.webelists.com/cgi/lyris.pl?enter=isalist
>
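
A way to check a DMZ web server for the two exposures raised earlier in the thread (SQL logins embedded in ADODB connection strings, and a database target on the internal network), as an added example that is not part of any message above. The address ranges, finding labels and sample strings are assumptions constructed for illustration.

```python
import ipaddress

# Assumed address plan (hypothetical; substitute your own ranges).
INTERNAL_NET = ipaddress.ip_network("10.0.0.0/8")
DMZ_NET = ipaddress.ip_network("192.168.100.0/24")

def parse_conn_string(conn):
    """Parse an ADO/ODBC 'key=value;' string into a dict with lower-cased keys."""
    out = {}
    for part in conn.split(";"):
        key, sep, value = part.partition("=")
        if sep:
            out[key.strip().lower()] = value.strip()
    return out

def audit(conn):
    """Return a sorted list of findings for one connection string."""
    kv = parse_conn_string(conn)
    findings = set()
    trusted = (kv.get("integrated security", "").lower() in ("sspi", "true", "yes")
               or kv.get("trusted_connection", "").lower() in ("yes", "true"))
    has_creds = any(k in kv for k in ("user id", "uid", "password", "pwd"))
    if has_creds and not trusted:
        # SQL (mixed-mode) login stored on the web server
        findings.add("embedded-sql-credentials")
    # Strip an optional ",port" or "\instance" suffix from the server value.
    server = kv.get("data source") or kv.get("server") or ""
    host = server.split(",")[0].split("\\")[0].strip()
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        # Names cannot be placed in a zone offline; leave them for manual review.
        findings.add("server-is-hostname-check-manually")
    else:
        if addr in INTERNAL_NET:
            findings.add("targets-internal-network")
        elif addr not in DMZ_NET:
            findings.add("targets-unknown-network")
    return sorted(findings)

# Constructed samples, not taken from the thread.
SAMPLES = {
    "internal-mixed": "Provider=SQLOLEDB;Data Source=10.1.2.3,1433;Initial Catalog=app;User ID=webapp;Password=EXAMPLE-ONLY",
    "dmz-mixed": "Provider=SQLOLEDB;Data Source=192.168.100.20;Initial Catalog=app;User ID=webapp;Password=EXAMPLE-ONLY",
    "dmz-trusted": "Provider=SQLOLEDB;Data Source=192.168.100.20;Initial Catalog=app;Integrated Security=SSPI",
}

if __name__ == "__main__":
    for name, conn in SAMPLES.items():
        print(name, audit(conn))
```

A string that both carries a SQL login and points at the internal range is the case described above, where a web server compromise yields credentials and a path on 1433 into the internal network.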


