Welcome to ISAserver.org


Confused with DMZ

All Forums >> [ISA Server 2004 Firewall] >> DMZ >> Confused with DMZ
Confused with DMZ - 22.May2006 4:35:31 PM   
bhavin78

 

Posts: 429
Joined: 18.Jul.2005
From: USA
Status: offline
As far as my knowledge about DMZs goes, a DMZ is a network where all servers are exposed directly to the internet, and it makes your internal network secure because nothing from the internal network is exposed to the internet directly.

I am trying to design a network for our company with only 80 users, with two offices in MI (50 users) and PA (30 users).

The question is where do I put the Exchange server, terminal server and web server? I would really like to put them on the DMZ, as they will be accessed directly from the internet. If I put these servers on the DMZ, how will they talk to AD for Exchange, how will the web server talk to SQL Server for data and AD for authentication, and how will the terminal server talk with the file server for data and AD for authentication?
Somehow I need to create a rule for the DMZ to talk with the internal network, right?
What about Exchange? I don't want to put front-end Exchange on the DMZ and back-end Exchange on the internal network, as we are a small company and cannot afford to pay for the licenses, but I would like to be secure if other options are available.

Please help me to better understand the DMZ.
Post #: 1
RE: Confused with DMZ - 22.May2006 8:38:59 PM   
elmajdal

 

Posts: 5060
Joined: 16.Sep.2004
From: Lebanese in Kuwait
Status: online
quote:

As far as my knowledge about DMZ it's a network where all servers are exposed to internet directly

You can use a 3-NIC ISA: one external, one DMZ, and one internal.

In this way the DMZ will also be protected by ISA, and you can then PUBLISH your server to the internet with ISA.


quote:

Somehow I need to create a rule for the DMZ to talk with the internal network, right?

Yes.
Check this: Allowing Intradomain Communications through the ISA Firewall (2004)

HTH

_____________________________

Tarek Majdalani

MS Forefront Edge Security MVP
Website : http://www.elmajdal.net/ISAServer
New Section : http://www.elmajdal.net/Win2k8

(in reply to bhavin78)
Post #: 2
RE: Confused with DMZ - 22.May2006 9:07:20 PM   
bhavin78

 

Posts: 429
Joined: 18.Jul.2005
From: USA
Status: offline
Good article. A few more questions on security.

Is it secure and good practice to keep my Exchange server, terminal server and web server (all three are member servers of my domain) on the DMZ, or are there some other better options?
I have read in a few posts about not putting Exchange on the DMZ; I am not talking about FE Exchange.

I have 5 web apps which are accessed by both internal and external users, with a SQL database. Where should this type of server go, and how can both internal and external users browse it securely?

Are we opening any security holes by putting member servers on the DMZ?

Where do I put the ISA Server? Do I put that on my domain?

Please help me clarify this before I start deploying.



(in reply to elmajdal)
Post #: 3
RE: Confused with DMZ - 22.May2006 9:26:29 PM   
elmajdal

 

Posts: 5060
Joined: 16.Sep.2004
From: Lebanese in Kuwait
Status: online
Do you have a simple network design? Is it something like this?

Are you using a 3-NIC ISA or what?

And yes, make your ISA a domain member.

< Message edited by elmajdal -- 22.May2006 9:28:01 PM >


_____________________________

Tarek Majdalani

MS Forefront Edge Security MVP
Website : http://www.elmajdal.net/ISAServer
New Section : http://www.elmajdal.net/Win2k8

(in reply to bhavin78)
Post #: 4
RE: Confused with DMZ - 22.May2006 9:32:00 PM   
bhavin78

 

Posts: 429
Joined: 18.Jul.2005
From: USA
Status: offline
With this design, outside users have access to the DMZ, and through some rules they can access data from internal servers, without any security holes?

I want to know why or why not you would put Exchange, TS and web servers, which need to talk with the internal network, on the DMZ and not on the internal network. (This answer would help me understand better.)

(in reply to elmajdal)
Post #: 5
RE: Confused with DMZ - 22.May2006 9:46:25 PM   
elmajdal

 

Posts: 5060
Joined: 16.Sep.2004
From: Lebanese in Kuwait
Status: online
Remove the idea that servers in your DMZ are EXPOSED to the outside world.

No, they are not to that extent; they are protected by your ISA, you are PUBLISHING them.

And anything I want to publish, I would like to keep in the DMZ.

And then servers in the DMZ communicate with the internal network, using the article I referred to previously.

HTH



_____________________________

Tarek Majdalani

MS Forefront Edge Security MVP
Website : http://www.elmajdal.net/ISAServer
New Section : http://www.elmajdal.net/Win2k8

(in reply to bhavin78)
Post #: 6
RE: Confused with DMZ - 22.May2006 9:51:21 PM   
bhavin78

 

Posts: 429
Joined: 18.Jul.2005
From: USA
Status: offline
Does it make any difference in my case if I don't have a DMZ and just put all my servers on the internal network?
Or
is the design I have (TS, Exchange (make sure not FE Exchange), and web server on the DMZ) fine, and why?

(in reply to elmajdal)
Post #: 7
RE: Confused with DMZ - 22.May2006 9:58:43 PM   
elmajdal

 

Posts: 5060
Joined: 16.Sep.2004
From: Lebanese in Kuwait
Status: online
In the end there is no fixed rule for any design.

It's up to you to design your network to suit your needs.

Usually, web servers are located inside the DMZ network, so that in the worst case, if these servers were hacked, they are far away from your internal network.

Sometimes people put their Exchange servers in another internal network (ISA with 1 external and 2 internal NICs) so that they separate their vital servers from the client machines.

I have a client where Exchange, the domain controllers and the DNS server are located on one side, and the wireless users are located on the other internal network side.

_____________________________

Tarek Majdalani

MS Forefront Edge Security MVP
Website : http://www.elmajdal.net/ISAServer
New Section : http://www.elmajdal.net/Win2k8

(in reply to bhavin78)
Post #: 8
RE: Confused with DMZ - 24.May2006 2:02:08 PM   
ITEngineer

 

Posts: 256
Joined: 3.Feb.2006
Status: offline
quote:

ORIGINAL: bhavin78

Does it make any difference in my case if I don't have a DMZ and just put all my servers on the internal network?
Or
is the design I have (TS, Exchange (make sure not FE Exchange), and web server on the DMZ) fine, and why?


It is a best practice to isolate the servers you need to publish to the internet in a DMZ network.

Create a Route Relation between DMZ and Internal
Create a Nat Relation between DMZ and External

(in reply to bhavin78)
Post #: 9
RE: Confused with DMZ - 20.Jan.2007 8:49:18 PM   
bhavin78

 

Posts: 429
Joined: 18.Jul.2005
From: USA
Status: offline
Slowly but surely I have made some progress with everyone's help here, but I have been stuck for the last three days trying to figure out the solution. Please help me further.

1)
I have published a DMZ web server which is not a member of the domain. I am not able to access the ASP and ASP.NET websites from outside, inside or the DMZ. I tried to create a simple website with a simple HTML page and it works fine from Int, Ext and DMZ. I have created a firewall access rule to allow port 1433 from DMZ to Int and all outbound protocols from INT to DMZ. The ASP.NET website will also have AD authentication and SQL authentication.

2)


What I need to do to make this work?
Error I get: Error Code: 404 Not Found. The requested item could not be located. (12028)
(My Network)
Network Relationship:
Route between DMZ and Internal
NAT between DMZ and External

ISA Configuration:
3 NIC
INT 192.168.100.21: 255.255.255.0 DNS: 192.168.100.16: No Gateway
DMZ 172.16.1.1:      255.255.255.0 No Gateway, NO DNS 
EXT  208.x.x.x          255.255.255.0 Gateway  208.x.x.x NO DNS

WebServer
172.16.1.2:      255.255.255.0  Gateway: 172.16.1.1   NO DNS 

(in reply to ITEngineer)
Post #: 10
RE: Confused with DMZ - 21.Jan.2007 1:02:45 AM   
z_haseeb

 

Posts: 181
Joined: 15.Jun.2005
From: Karachi,Pakistan
Status: offline
quote:

ORIGINAL: bhavin78

Slowly but surely I have made some progress with everyone's help here, but I have been stuck for the last three days trying to figure out the solution. Please help me further.

1)
I have published a DMZ web server which is not a member of the domain. I am not able to access the ASP and ASP.NET websites from outside, inside or the DMZ. I tried to create a simple website with a simple HTML page and it works fine from Int, Ext and DMZ. I have created a firewall access rule to allow port 1433 from DMZ to Int and all outbound protocols from INT to DMZ. The ASP.NET website will also have AD authentication and SQL authentication.

2)


What I need to do to make this work?
Error I get: Error Code: 404 Not Found. The requested item could not be located. (12028)
(My Network)
Network Relationship:
Route between DMZ and Internal
NAT between DMZ and External

ISA Configuration:
3 NIC
INT 192.168.100.21: 255.255.255.0 DNS: 192.168.100.16: No Gateway
DMZ 172.16.1.1:      255.255.255.0 No Gateway, NO DNS 
EXT  208.x.x.x          255.255.255.0 Gateway  208.x.x.x NO DNS

WebServer
172.16.1.2:      255.255.255.0  Gateway: 172.16.1.1   NO DNS 




Try this:
Make your web server a member of the domain controller, because your ASP.NET website needs authentication, which is not happening because the web server is not a member of the domain controller.

_____________________________

MCP, IT ADMINISTRATOR
Interest ISA Server2004

(in reply to bhavin78)
Post #: 11
RE: Confused with DMZ - 21.Jan.2007 2:15:47 PM   
bhavin78

 

Posts: 429
Joined: 18.Jul.2005
From: USA
Status: offline
I am trying the same thing with an ASP site which does not require Windows authentication but still requires access to SQL. From the DMZ to the internal network 1443 is allowed, so I don't see any problem there, but I still get the same error.

I want to avoid making the DMZ servers members of the domain.

(in reply to z_haseeb)
Post #: 12