Web Server on my DMZ

ISAserver.org Forums >> ISA Server 2000 Firewall >> DMZ
Web Server on my DMZ - 25.Jun.2002 8:53:00 PM   
gdberry

 

Posts: 10
Joined: 13.Feb.2002
From: Malvern, PA
Status: offline
Here's the Scenario.

Internet (ISP router)
207.8.215.161 / 255.255.255.240
    |
    |
ISA Server
    External interface: 207.8.215.162 / 255.255.255.240
    DMZ interface:      172.16.1.1   / 255.255.255.0  ---------DMZ------------ WebServer 172.16.1.3 / 255.255.255.0
    Internal interface: 192.168.2.23 / 255.255.255.0
    |
    |
Internal Network 192.168.2.20 / 255.255.255.0 ----------------- Intranet Server 192.168.2.42 / 255.255.255.0
    |
    |
Outlook Web Access
192.168.2.22 / 255.255.255.0

Coming in from the Internet to either the Outlook Web Access server or the Intranet Server is VERY fast. Going to the DMZ for the other Web Server is extremely slow.

Any ideas as to why access to my DMZ webserver is so slow? It works, it just draaaaaaggggggsssss! "[Confused]"
Post #: 1
RE: Web Server on my DMZ - 25.Jun.2002 10:07:00 PM   
spouseele

 

Posts: 12782
Joined: 1.Jun.2001
From: Belgium
Status: offline
Hi Jerry,

the DMZ subnet 172.16.1.0/24 has a non-routable IP range. In a tri-homed DMZ scenario, the DMZ should have public IPs. For more info about the different DMZ scenarios, check out:
- http://www.isaserver.org/pages/articles.asp?art=37
- http://support.microsoft.com/default.aspx?scid=%2Fservicedesks%2Fwebcasts%2Fwc110801%2Fwcblurb110801%2Easp

HTH,
Stefaan

(in reply to gdberry)
Post #: 2
RE: Web Server on my DMZ - 25.Jun.2002 11:00:00 PM   
gdberry

 

Posts: 10
Joined: 13.Feb.2002
From: Malvern, PA
Status: offline
Okay here's the deal.

I redid the internal IP address range to be a subnet of our ISP range.

ISP 207.8.215.160-->174 255.255.255.240

is split internally on the DMZ to be

207.8.215.160-->168 255.255.255.248
207.8.215.169--174 255.255.255.248

169 is the host for internal DMZ and 170 and 171 are for our webservers.

I have a request into our ISP for our DNS to include the "A" record for 207.8.216.170 for our Website. I am hoping that this will increase the speed to the Website.

Thoughts? [Roll Eyes]

(in reply to gdberry)
Post #: 3
RE: Web Server on my DMZ - 25.Jun.2002 11:13:00 PM   
spouseele

 

Posts: 12782
Joined: 1.Jun.2001
From: Belgium
Status: offline
Hi Jerry,

if you split your /28 subnet into two /29 subnets, shouldn't the IP ranges go from .160 - .167 and .168 - .175?

Also, make sure that in your ISP router there is a static route for the DMZ subnet pointing to the ISA external interface.

HTH,
Stefaan

(in reply to gdberry)
Post #: 4
RE: Web Server on my DMZ - 25.Jun.2002 11:32:00 PM   
gdberry

 

Posts: 10
Joined: 13.Feb.2002
From: Malvern, PA
Status: offline
Yes, it would be to 175, but that is an unusable address, as is 160.

Please explain why I would need a static route on the ISP router, if in fact it should know about the address range.

So, I would need a route such as this?
route 207.8.215.168 mask 255.255.255.248 207.8.215.161

(in reply to gdberry)
Post #: 5
RE: Web Server on my DMZ - 26.Jun.2002 12:02:00 AM   
spouseele

 

Posts: 12782
Joined: 1.Jun.2001
From: Belgium
Status: offline
Hi Jerry,

in general the lowest and the highest IP address in any subnet is not usable. They mean respectively 'this net' and 'subnet broadcast'.

If the subnet 207.8.215.160/29 is used for the connection ISA External interface - ISP router, then the ISP router will also have a /29 subnet for this interface. So, if you don't tell him how to route the subnet 207.8.215.168/29, he will assume it is on the Internet, not on your DMZ.

Your route command seems to be OK. Of course the exact syntax will depend on the exact type of router. [Big Grin]

HTH,
Stefaan

(in reply to gdberry)
Post #: 6
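The subnet arithmetic discussed in posts #4 and #6 (splitting the ISP's /28 into two /29s, why the first and last address of each are unusable, and why the ISP router needs a static route for the second /29), worked through in Python as an added example that is not part of the thread. It uses the addresses the posters give: 207.8.215.160/28, the ISP router at .161, and the ISA external interface at .162. The assumption that the ISA external interface stays at .162 after the renumbering is mine, and the route string only mimics the shape of the command gdberry quoted; the real syntax depends on the router.

```python
"""Subnet math for a /28 split into two /29s (added example, not thread code).

Addresses follow the thread: 207.8.215.160/28 is the ISP block, the
lower /29 is the ISA-external <-> ISP-router link, the upper /29 is the DMZ.
"""
import ipaddress

ISP_BLOCK = ipaddress.ip_network("207.8.215.160/28")
ISP_ROUTER = ipaddress.ip_address("207.8.215.161")
ISA_EXTERNAL = ipaddress.ip_address("207.8.215.162")  # assumption: unchanged after renumbering


def split_block(block, new_prefix):
    """Return the subnets produced by carving `block` into /new_prefix pieces."""
    return list(block.subnets(new_prefix=new_prefix))


LINK_SUBNET, DMZ_SUBNET = split_block(ISP_BLOCK, 29)  # .160/29 and .168/29


def describe(subnet):
    """Network ('this net'), broadcast, and usable host range of a subnet."""
    hosts = list(subnet.hosts())  # excludes network and broadcast addresses
    return {
        "network": str(subnet.network_address),
        "broadcast": str(subnet.broadcast_address),
        "first_usable": str(hosts[0]),
        "last_usable": str(hosts[-1]),
        "usable_count": len(hosts),
    }


def is_usable_host(addr, subnet):
    """True only for addresses strictly between network and broadcast."""
    addr = ipaddress.ip_address(addr)
    return addr in subnet and addr not in (
        subnet.network_address,
        subnet.broadcast_address,
    )


def next_hop_ok(next_hop, link_subnet):
    """A static route's next hop must be a usable host on the router's own link;
    anything else (for example a DMZ address) is unreachable from the router."""
    return is_usable_host(next_hop, link_subnet)


def isp_static_route(dmz_subnet, isa_external):
    """Route the ISP router needs so the DMZ /29 is sent to ISA rather than
    treated as 'somewhere on the Internet'. Generic syntax, not a real router's."""
    if not next_hop_ok(isa_external, LINK_SUBNET):
        raise ValueError(f"{isa_external} is not a usable host on {LINK_SUBNET}")
    return f"route {dmz_subnet.network_address} mask {dmz_subnet.netmask} {isa_external}"


if __name__ == "__main__":
    for s in (LINK_SUBNET, DMZ_SUBNET):
        print(s, describe(s))
    print(isp_static_route(DMZ_SUBNET, ISA_EXTERNAL))
```

Running it prints the network, broadcast and usable range of both /29s (six usable hosts each, so .169 through .174 for the DMZ) and the route the ISP router needs for 207.8.215.168/29 via the ISA external address.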
RE: Web Server on my DMZ - 26.Jun.2002 3:17:00 AM   
Kirill

 

Posts: 205
Joined: 26.Sep.2001
Status: offline
Hey Stefaan,
Too bad ISA doesn't run OSPF, eh? [Big Grin]

(in reply to gdberry)
Post #: 7
RE: Web Server on my DMZ - 26.Jun.2002 5:57:00 AM   
gdberry

 

Posts: 10
Joined: 13.Feb.2002
From: Malvern, PA
Status: offline
Okay, so I got the route command in, the DMZ is up and the website is super fast.

Problem:

My Database is in my Internal Network. So, I have to use a Packet Filter to get to it?
Okay, so what's the syntax!??

[Razz]

(in reply to gdberry)
Post #: 8
RE: Web Server on my DMZ - 26.Jun.2002 6:39:00 PM   
spouseele

 

Posts: 12782
Joined: 1.Jun.2001
From: Belgium
Status: offline
Hi Jerry,

ok, first problem solved! [Wink]

No, you don't need packet filters to give your DMZ webserver access to the database server on the internal network. What you need to do is server publishing your database server on the DMZ interface.

HTH,
Stefaan

(in reply to gdberry)
Post #: 9
RE: Web Server on my DMZ - 26.Jun.2002 8:21:00 PM   
gdberry

 

Posts: 10
Joined: 13.Feb.2002
From: Malvern, PA
Status: offline
Okay, so how do I open ports TO the DMZ from internal? I need to get to the machine to, like, publish the website, retrieve logs, utilize VNC and the like. Total access from internal.

How to???? [Confused] [Confused] [Eek!]

(in reply to gdberry)
Post #: 10
RE: Web Server on my DMZ - 26.Jun.2002 10:53:00 PM   
spouseele

 

Posts: 12782
Joined: 1.Jun.2001
From: Belgium
Status: offline
Hi Jerry,

that's a lot of questions. [Wink]

You must definitely buy and read Tom's book. Check out http://www.amazon.com/exec/obidos/ASIN/1928994296/isaserver/.

Hosts on the DMZ subnet are considered external hosts (not in the LAT), just as hosts on the Internet. So, from the point of view of the internal network, you can treat the DMZ interface as another External interface. This means:

1) for hosts on the DMZ segment to reach internal resources, you need to publish the internal resources on the DMZ interface.

2) for hosts on the internal network to reach resources on the DMZ segment, you use the regular protocol and site&content rules.

Now, when you need *full* access from internal to the DMZ hosts, regardless of the used protocols, it might be better to place the web server on the internal network and web publish him. It is up to you to choose the best solution for your specific environment. [Big Grin]

HTH,
Stefaan

(in reply to gdberry)
Post #: 11
RE: Web Server on my DMZ - 27.Jun.2002 7:04:00 AM   
gdberry

 

Posts: 10
Joined: 13.Feb.2002
From: Malvern, PA
Status: offline
Yes, I have ordered the book!

I'm almost there, believe it or not! [Cool]

(in reply to gdberry)
Post #: 12
RE: Web Server on my DMZ - 27.Jun.2002 10:03:00 PM   
spouseele

 

Posts: 12782
Joined: 1.Jun.2001
From: Belgium
Status: offline
Hi Jerry,

good to hear that! [Smile]

Cheers,
Stefaan

(in reply to gdberry)
Post #: 13
RE: Web Server on my DMZ - 28.Jun.2002 6:59:00 PM   
gdberry

 

Posts: 10
Joined: 13.Feb.2002
From: Malvern, PA
Status: offline
Still trying to use protocol/site rules to open ports to the Webserver on the DMZ. I need to be able to get to the drives to pull down the log files.

Any ideas? [Confused]

(in reply to gdberry)
Post #: 14
RE: Web Server on my DMZ - 28.Jun.2002 8:36:00 PM   
spouseele

 

Posts: 12782
Joined: 1.Jun.2001
From: Belgium
Status: offline
Hi Jerry,

are you trying to access files on the DMZ hosts through file sharing (SMB protocol)? That seems a very insecure way of doing business. A better approach is to use FTP to pull those logfiles from the DMZ hosts.

HTH,
Stefaan

(in reply to gdberry)
Post #: 15
RE: Web Server on my DMZ - 28.Jun.2002 9:31:00 PM   
gdberry

 

Posts: 10
Joined: 13.Feb.2002
From: Malvern, PA
Status: offline
Actually, I was looking to use Frontpage to publish to the website. I can always use FTP to pull the logs.

How does one get Frontpage to work to a website on the DMZ?

(in reply to gdberry)
Post #: 16
RE: Web Server on my DMZ - 28.Jun.2002 11:20:00 PM   
spouseele

 

Posts: 12782
Joined: 1.Jun.2001
From: Belgium
Status: offline
Hi Jerry,

I never used Frontpage, so I don't know the tricks to get it to work through ISA. [Big Grin]

At my company they use Frontpage to maintain the 'master' websites on the internal network and they always use FTP to upload the changes to the real web sites.

HTH,
Stefaan

(in reply to gdberry)
Post #: 17
RE: Web Server on my DMZ - 1.Jul.2002 11:12:00 PM   
gdberry

 

Posts: 10
Joined: 13.Feb.2002
From: Malvern, PA
Status: offline
Okay, then another question that may fit.

How do I allow a web browser access to the Internet from the DMZ machine?

(in reply to gdberry)
Post #: 18
RE: Web Server on my DMZ - 2.Jul.2002 12:21:00 AM   
spouseele

 

Posts: 12782
Joined: 1.Jun.2001
From: Belgium
Status: offline
Hi Jerry,

have you already done a search on 'FrontPage' in the forums? Maybe you can find the answer to your FrontPage question there.

Now, you have two options to allow web access from DMZ hosts:

1) the standard way is to create the necessary outbound packet filter (TCP port 80 outbound).

2) server publish the outgoing web proxy listener.
Create a protocol definition for TCP port 8080 inbound.
Next, create a server publishing rule with:
- IP address of internal server = ISA internal interface
- External IP address on ISA server = DMZ interface
- mapped server protocol = just created protocol definition
Check with 'netstat -an' if there is a listener on the DMZ interface for TCP port 8080.
Next, setup the browser on the DMZ host to use the DMZ interface port 8080 as proxy server.

BTW --- is this some sort of exam? [Big Grin]

HTH,
Stefaan

(in reply to gdberry)
Post #: 19
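The 'netstat -an' check from option 2 of post #19, as an added example that is not part of the thread: it parses the listener table and confirms that the published web proxy listener is bound to the DMZ interface, and also flags the case a defender cares about, the same port appearing on the external interface or on 0.0.0.0, which would expose the proxy to the Internet. The sample output is constructed to resemble the layout Windows 'netstat -an' prints; the 207.8.215.169 DMZ address and port 8080 follow the thread, the 192.168.2.23 internal and 207.8.215.162 external addresses follow the first post, and every other line is made up.

```python
"""Verify a server-published proxy listener from 'netstat -an' output
(added example, not thread code). The sample below is constructed, not captured."""
import re

DMZ_IF = "207.8.215.169"      # ISA DMZ interface (thread)
EXTERNAL_IF = "207.8.215.162"  # ISA external interface (first post)
PROXY_PORT = 8080

# Constructed sample in the shape of Windows 'netstat -an' output.
SAMPLE_NETSTAT = """
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    192.168.2.23:8080      0.0.0.0:0              LISTENING
  TCP    207.8.215.169:8080     0.0.0.0:0              LISTENING
  TCP    207.8.215.162:80       0.0.0.0:0              LISTENING
  TCP    192.168.2.23:139       192.168.2.20:1041      ESTABLISHED
  UDP    0.0.0.0:161            *:*
"""

# proto, local ip, local port, foreign endpoint, optional state (UDP has none)
LINE_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+):(\d+)\s+(\S+)\s*(\S+)?\s*$")


def parse_listeners(text):
    """Return [(local_ip, port)] for every TCP socket in LISTENING state."""
    listeners = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # header, blank, or unrecognised line
        proto, local_ip, port, _foreign, state = m.groups()
        if proto == "TCP" and state == "LISTENING":
            listeners.append((local_ip, int(port)))
    return listeners


def listener_on(listeners, ip, port):
    """True if `ip`:`port` accepts connections, either bound to that address
    or to all addresses (0.0.0.0), which also covers the interface."""
    return any(p == port and lip in (ip, "0.0.0.0") for lip, p in listeners)


def port_exposure(listeners, port):
    """Sorted list of local addresses that expose `port`; lets you see at a
    glance whether the proxy port leaked onto the external interface."""
    return sorted(lip for lip, p in listeners if p == port)


def check_proxy_publishing(text, dmz_if=DMZ_IF, external_if=EXTERNAL_IF, port=PROXY_PORT):
    """Summarise the publishing state: present on DMZ, and not reachable externally."""
    ls = parse_listeners(text)
    return {
        "on_dmz": listener_on(ls, dmz_if, port),
        "exposed_externally": listener_on(ls, external_if, port),
        "bound_to": port_exposure(ls, port),
    }


if __name__ == "__main__":
    print(check_proxy_publishing(SAMPLE_NETSTAT))
```

With the constructed sample the proxy port is bound to the internal and DMZ interfaces only, so the check reports the listener present on the DMZ and not exposed on the external address; a `0.0.0.0:8080` or `207.8.215.162:8080` line would flip `exposed_externally` to true.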
RE: Web Server on my DMZ - 2.Jul.2002 4:17:00 AM   
tshinder

 

Posts: 47668
Joined: 10.Jan.2001
From: Texas
Status: offline
Hi Stefaan,

Thanks for recommending the book! [Big Grin]

Tom

quote:
Originally posted by spouseele:
Hi Jerry,

that's a lot of questions. [Wink]

You must definitely buy and read Tom's book. Check out http://www.amazon.com/exec/obidos/ASIN/1928994296/isaserver/.

Hosts on the DMZ subnet are considered external hosts (not in the LAT), just as hosts on the Internet. So, from the point of view of the internal network, you can treat the DMZ interface as another External interface. This means:

1) for hosts on the DMZ segment to reach internal resources, you need to publish the internal resources on the DMZ interface.

2) for hosts on the internal network to reach resources on the DMZ segment, you use the regular protocol and site&content rules.

Now, when you need *full* access from internal to the DMZ hosts, regardless of the used protocols, it might be better to place the web server on the internal network and web publish him. It is up to you to choose the best solution for your specific environment. [Big Grin]

HTH,
Stefaan


(in reply to gdberry)
Post #: 20