"Deciding on ISA Scheme" issue
"Deciding on ISA Scheme" issue - 24.May2006 4:24:46 PM
techuser
Posts: 70
Joined: 11.Jan.2005
Status: offline
Ok, here's my situation: I have 1 ISA Server 2004 Standard Edition. This server has 2 NIC cards. One of these cards is connected right to a Cisco 2600 router. The other card is connected to the internal network. Within the internal network I also have an Exchange Server, a DNS Server, etc.

First problem: My boss set up a SQL Server, which he wants to use with another public IP address so that it can be accessed from the outside via Terminal Server. So he did the following: From the router you have a UTP cable which is connected to a switch (added by my boss) and from that switch there's another UTP cable to the ISA Server 2004 and another to the SQL Server 2000 (to which another card was added for the new WAN IP).

First conclusion: The SQL Server 2000 server can be accessed from the LAN (through ISA) and the WAN (with no ISA). That's to say, this is extremely dangerous since anyone from the outside can breach our LAN through SQL Server. Am I right?

Then, I think a solution would be to demilitarize our ISA Server with another card and add SQL Server to this new DMZ. This way I'd be accessing both our internal network and our SQL Server in the DMZ, all through ISA Server. Is this ok?

Now… if I'm ok up to this point I'll have another problem: The number of users who will access SQL Server via Terminal Server will be approximately 20, thus causing low performance on our network. So I think a solution could be having an additional HDSL connection in a different (direct to SQL Server??) place so as not to degrade internal network performance.

My final question is then: How do I handle both connections, having in mind this new scheme using ISA Server with DMZ and Internal Network, without having any problem at all with the performance of the internal network, and with SQL being able to be accessed from inside and outside and at the same time protected by ISA Server? Is this possible??

Hope you can help me figure out this scheme.

Marcelo.
< Message edited by techuser -- 24.May2006 4:30:17 PM >
RE: "Deciding on ISA Scheme" issue - 25.May2006 3:37:24 PM
tshinder
Posts: 47644
Joined: 10.Jan.2001
From: Texas
Status: offline
Hi Marcelo,

First problem: My boss set up a SQL Server, which he wants to use with another public IP address so that it can be accessed from the outside via Terminal Server. So he did the following: From the router you have a UTP cable which is connected to a switch (added by my boss) and from that switch there's another UTP cable to the ISA Server 2004 and another to the SQL Server 2000 (to which another card was added for the new WAN IP). First conclusion: The SQL Server 2000 server can be accessed from the LAN (through ISA) and the WAN (with no ISA). That's to say, this is extremely dangerous since anyone from the outside can breach our LAN through SQL Server. Am I right?

TOM: You are correct that this is a terrible situation. The SQL server may have already been compromised at this point.

Then, I think a solution would be to demilitarize our ISA Server with another card and add SQL Server to this new DMZ.

TOM: Not a bad idea.

This way I'd be accessing both our internal network and our SQL Server in the DMZ, all through ISA Server. Is this ok?

TOM: Yes.

Now… if I'm ok up to this point I'll have another problem: The number of users who will access SQL Server via Terminal Server will be approximately 20, thus causing low performance on our network.

TOM: RDP isn't that bandwidth intensive.

So I think a solution could be having an additional HDSL connection in a different (direct to SQL Server??) place so as not to degrade internal network performance.

TOM: Do you think that RDP is that bandwidth intensive? Remember, only compressed images are being sent, not data.

My final question is then: How do I handle both connections, having in mind this new scheme using ISA Server with DMZ and Internal Network, without having any problem at all with the performance of the internal network, and with SQL being able to be accessed from inside and outside and at the same time protected by ISA Server?

TOM: I really don't think that you'll see that much of a performance hit.

Is this possible??
Hope you can help me figure out this scheme.
_____________________________
Thomas W Shinder, M.D. Sr. Consultant/Technical Writer Prowess Consulting http://www.prowessconsulting.com/ Blog: http://blogs.isaserver.org/shinder/ GET THE NEW ISA 2006 Book!: http://tinyurl.com/2gpoo8
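
A small model of the two layouts discussed in this thread, added here as an illustration and not code from either poster: it checks whether any host other than the ISA firewall sits directly on the External segment, and whether a multi-homed host links External to Internal without crossing ISA. The segment membership below is constructed from the descriptions in the posts above.

```python
from collections import deque

# Constructed models: network segment -> hosts with a NIC on that segment.
# Host and segment names follow the thread; the exact membership is an assumption.
AS_BUILT = {
    "External": {"ISA", "SQL"},  # switch behind the router feeds ISA and SQL's WAN NIC
    "Internal": {"ISA", "SQL", "Exchange", "DNS"},
}
WITH_DMZ = {
    "External": {"ISA"},         # only the firewall faces the router
    "Internal": {"ISA", "Exchange", "DNS"},
    "DMZ": {"ISA", "SQL"},       # SQL hangs off a third ISA NIC
}


def exposed_hosts(topology, firewall="ISA", src="External"):
    """Hosts other than the firewall that have a NIC directly on `src`."""
    return sorted(h for h in topology[src] if h != firewall)


def bypass_path(topology, firewall="ISA", src="External", dst="Internal"):
    """Shortest chain segment -> host -> segment from src to dst that never
    passes through the firewall, or None if every path crosses it."""
    queue = deque([(src, [src])])
    seen = {src}
    while queue:
        segment, path = queue.popleft()
        if segment == dst:
            return path
        for host in sorted(topology[segment]):
            if host == firewall:
                continue  # traffic through the firewall is subject to its rules
            for nxt, members in sorted(topology.items()):
                if host in members and nxt not in seen:
                    seen.add(nxt)
                    queue.append((nxt, path + [host, nxt]))
    return None


if __name__ == "__main__":
    for name, topo in (("as built", AS_BUILT), ("with DMZ", WITH_DMZ)):
        print(name, "exposed:", exposed_hosts(topo), "bypass:", bypass_path(topo))
```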
RE: "Deciding on ISA Scheme" issue - 25.May2006 4:23:34 PM
techuser
Posts: 70
Joined: 11.Jan.2005
Status: offline
I got all points. I'll begin moving SQL Server into a safe DMZ this weekend.

What I still don't get about this issue is: How can people from outside connect via Terminal Server to this SQL Server in the DMZ? Actually, I connect to my turned-on PC this way:

1. I connect to the ISA Server IP address with Terminal Server. This means my ISA Server has Terminal Server installed.
2. Then I connect to my PC with RDC "from" ISA Server.

I can handle this scenario well because it's me, but... in the case where 20 PCs will connect to SQL Server... I don't want them to connect first to ISA Server, go to Start, go to RDC and then connect to the DMZ SQL Server. I think there should be a way to connect via Terminal Server directly to SQL Server, am I right? Then that's my final question. How do you do this?

Thanks Tom!

Marcelo.
RE: "Deciding on ISA Scheme" issue - 30.May2006 2:02:47 PM
tshinder
Posts: 47644
Joined: 10.Jan.2001
From: Texas
Status: offline
Hi Marcelo,

OK, the SQL server is in the DMZ. Where are the clients? Internal? External?

What are the Network Rules for:

Internal --> DMZ
DMZ --> External

HTH,
Tom
RE: "Deciding on ISA Scheme" issue - 30.May2006 2:36:20 PM
techuser
Posts: 70
Joined: 11.Jan.2005
Status: offline
The clients for SQL will be internal and external. I'll have:

Internal --> DMZ
DMZ --> External

I still couldn't make it work. But that will be the scheme.