Webserver in DMZ---->SQL-->AD

Webserver in DMZ---->SQL-->AD - 19.Jan.2007 11:09:45 PM   
bhavin78

 

Posts: 429
Joined: 18.Jul.2005
From: USA
Status: offline
I have published a DMZ web server which is not a member of the domain. I am not able to access the ASP and ASP.NET websites from outside, inside or the DMZ. I tried creating a simple website with a simple HTML page and it works fine from Int, Ext and DMZ. I have created a firewall access rule to allow port 1433 from DMZ to Int and all outbound protocols from INT-DMZ. The ASP.NET website will also have AD authentication and SQL authentication.
What do I need to do to make this work?
The error I get: Error Code: 404 Not Found. The requested item could not be located. (12028)
(My Network)
Network Relationship:
Route between DMZ and Internal
NAT between DMZ and External

ISA Configuration:
3 NIC
INT 192.168.100.21: 255.255.255.0 DNS: 192.168.100.16: No Gateway
DMZ 172.16.1.1:      255.255.255.0 No Gateway, NO DNS 
EXT  208.x.x.x          255.255.255.0 Gateway  208.x.x.x NO DNS

WebServer
172.16.1.2:      255.255.255.0  Gateway: 172.16.1.1   NO DNS 
Post #: 1
RE: Webserver in DMZ---->SQL-->AD - 20.Jan.2007 7:51:06 AM   
z_haseeb

 

Posts: 183
Joined: 15.Jun.2005
From: Karachi,Pakistan
Status: offline
Are you trying to say that the web server is not a member of the domain? Yet at one place you are saying that ASP.NET (the ASP.NET web site is on the web server, which is in the DMZ) will also have AD authentication... What basically are you trying to say?

(in reply to bhavin78)
Post #: 2
RE: Webserver in DMZ---->SQL-->AD - 20.Jan.2007 1:09:24 PM   
bhavin78

 

Posts: 429
Joined: 18.Jul.2005
From: USA
Status: offline
Yes, you are right. Right now the ASP.NET site with AD authentication, a few other sites with SQL authentication and a few sites with basic authentication are on a web server which is a member of the domain. I want to move all my websites that are accessible from the internet to the DMZ.
Let's say I keep the ASP.NET site with AD authentication on the internal network, but what about all the other sites which need to access SQL and are configured to authenticate to SQL using an AD account?

I am looking for suggestions.
Right now I have already copied one site from internal to the DMZ but I am not able to access it from anywhere. I am not sure why.
I also tried to create a new plain site with only an .htm page and it works fine from anywhere.

(in reply to z_haseeb)
Post #: 3
RE: Webserver in DMZ---->SQL-->AD - 21.Jan.2007 12:41:43 AM   
z_haseeb

 

Posts: 183
Joined: 15.Jun.2005
From: Karachi,Pakistan
Status: offline
Hi...

Your Scenario
ASP.NET site with AD authentication
a few other sites with SQL authentication
a few sites with basic authentication

The above sites are on a web server which is a member of Domain Controller, and this web server is in the DMZ.

Your Need
Your need is to browse all 3 of the above sites from External and also from Internal.

TRY THIS
1.) Your AD must be in the DMZ, OR if it is not in the DMZ and is in Internal (then you must make 2 access rules, between Web Server TO AD and SQL TO AD)
2.) Your web server must be in the DMZ
3.) If you have SQL on the web server or on an independent machine, it also must be in the DMZ
4.) Publish your web server with a publishing rule. It will definitely be accessible from External (because when the users come from outside/External they can authenticate from AD or SQL because the AD or SQL is on the same network)
5.) Make an access rule for Internal users for AD
6.) Make an access rule for Internal users for the web server (if you need your internal users to browse the web server)
7.) Make an access rule for Internal users for SQL (if you need your internal users to browse the SQL Server)



< Message edited by z_haseeb -- 21.Jan.2007 1:54:00 AM >


_____________________________

MCP, IT ADMINISTRATOR
Interest ISA Server2004

(in reply to bhavin78)
Post #: 4
RE: Webserver in DMZ---->SQL-->AD - 21.Jan.2007 2:26:46 PM   
bhavin78

 

Posts: 429
Joined: 18.Jul.2005
From: USA
Status: offline
quote:

Your Scenario
Let's try and make the site with basic authentication work.

1.) Your AD must be in the DMZ, OR if it is not in the DMZ and is in Internal (then you must make
I cannot put AD in the DMZ. I want to make a very secure network.
2.) Your web server must be in the DMZ
Yes, it's in the DMZ but not a member of the domain.
3.) If you have SQL on the web server or on an independent machine, it also must be in the DMZ
SQL is not on the web server. It's by itself on the Internal network. I have an access rule from DMZ to Internal which allows port 1443 for SQL.
4.) Publish your web server with a publishing rule. It will definitely be accessible from External (because when the users come from outside/External they can authenticate from AD or SQL because the AD or SQL is on the same network)
I have used a web publishing rule.

(in reply to z_haseeb)
Post #: 5
RE: Webserver in DMZ---->SQL-->AD - 22.Jan.2007 1:30:12 AM   
z_haseeb

 

Posts: 183
Joined: 15.Jun.2005
From: Karachi,Pakistan
Status: offline
Your 1st point is not clear.

2nd point: Dude, if your web server is not a member of Domain Controller then how does the authentication process happen, because as you said, "Asp.net website will also have AD authentication and SQL authentication."
So make an access rule from the web server to AD and make the web server a member of AD.

3rd point: Your SQL is also in INTERNAL and you made an access rule. That's good.

4th point: You have already published the web server, that's nice, but think: if a request from outside comes to the web server, the request will definitely be authenticated by AD (because you said that requests "of ASP.net" need AD authentication), and when your web server is not a member of AD then how is it possible that your outside client can browse the site/web server without authentication...

If you are not in the mood (please, no hard feelings) to accept my suggestion then let's try one thing: make a normal ASP.NET site (not HTML) without any AD or SQL authentication, then access it from outside/External. It will definitely be accessible from External.

_____________________________

MCP, IT ADMINISTRATOR
Interest ISA Server2004

(in reply to bhavin78)
Post #: 6
RE: Webserver in DMZ---->SQL-->AD - 22.Jan.2007 6:52:44 AM   
Boedus

 

Posts: 146
Joined: 8.Sep.2006
Status: offline
It is usually not recommended to also host the database backend in the DMZ.
The web frontend in the DMZ, that's fine.

I guess your web server is providing some web application for customers or providers; in that case it should be using a separate AD, not the company one. In that case, why not have the AD server(s) in the DMZ, but usually it is better internally.

If your web server provides services to internal users (employees), definitely no AD server in the DMZ.

_____________________________

WWW.ITCREME.COM - Online I.T. community
---------------------------------------------------------------------
As Jim Harrison used to say: "If we can't fix it, it ain't broken".

(in reply to z_haseeb)
Post #: 7
RE: Webserver in DMZ---->SQL-->AD - 22.Jan.2007 10:28:33 AM   
bhavin78

 

Posts: 429
Joined: 18.Jul.2005
From: USA
Status: offline
Z_Haseeb, Boedus
I agree with what both of you said. I am not ignoring your suggestions, just trying to understand what you mean. I don't want to publish web apps which require AD authentication. I am trying ASP.NET apps without AD authentication and still get the same error. But the web apps still need to authenticate to SQL Server using SQL authentication, which is hard coded into the application.

Thanks for all your help

(in reply to Boedus)
Post #: 8
RE: Webserver in DMZ---->SQL-->AD - 22.Jan.2007 10:36:26 AM   
Boedus

 

Posts: 146
Joined: 8.Sep.2006
Status: offline
I am having the same issue as you with some ongoing projects.
I can not run ASPX pages from an IIS server where ISA is installed.
It keeps telling me "Page Cannot Be Found".

I am trying to fix it and I am looking around to find a solution.

Maybe somebody knows?

_____________________________

WWW.ITCREME.COM - Online I.T. community
---------------------------------------------------------------------
As Jim Harrison used to say: "If we can't fix it, it ain't broken".

(in reply to bhavin78)
Post #: 9
RE: Webserver in DMZ---->SQL-->AD - 22.Jan.2007 9:22:55 PM   
bhavin78

 

Posts: 429
Joined: 18.Jul.2005
From: USA
Status: offline
I just got that to work.
For my webpages (.asp and .net site), I was using the name of the SQL server in the connection string. I changed it to the IP address and it is now working. I guess it's a name resolution issue which I need to work on. Mark helped me to figure this out on my other post.
http://forums.isaserver.org/m_2002032792/mpage_1/key_/tm.htm#2002032792
Thanks Mark
I still have an issue with virtual directories. I have already posted this on the other site.

I have one default website on my server.
Under the default website I have five virtual directories (one, two, three, four and five).
How can I access these using one.company.com, two.company.com etc? Right now I can access them using the URL one.company.com/one and so on.
I tried link translation to replace http://one.company.com with http://one.company.com/one but it didn't work.

I can make this work from IIS but it will only work for one site and I don't think that's the right way to do it. z_haseeb, any thoughts on how to make this work?

Thanks everyone for your help.

< Message edited by bhavin78 -- 22.Jan.2007 9:26:05 PM >

(in reply to Boedus)
Post #: 10
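
The cause found in the last post (a SQL Server host name in the connection string on a DMZ web server that has no DNS server configured) can be checked from the web server before changing any application code. This is an added PowerShell example, not code from the thread; the function name, sample connection strings, host name and address are constructed placeholders.

```powershell
# Added example. Connection strings below are constructed samples; the server
# name, address and credentials are placeholders, not values from the thread.
function Test-SqlDataSource {
    param([Parameter(Mandatory)][string]$ConnectionString, [int]$TimeoutMs = 3000)

    # Split "key=value;key=value" pairs (hashtable keys are case-insensitive).
    $pairs = @{}
    foreach ($part in ($ConnectionString -split ';')) {
        if ($part -match '^\s*([^=]+?)\s*=\s*(.*?)\s*$') { $pairs[$Matches[1]] = $Matches[2] }
    }
    $source = $null
    foreach ($key in 'Data Source', 'Server', 'Address', 'Addr', 'Network Address') {
        if ($pairs.ContainsKey($key)) { $source = $pairs[$key]; break }
    }
    if (-not $source) { throw 'No Data Source/Server keyword in connection string.' }

    # Accepted forms: host | tcp:host | host,port | host\instance
    $source = $source -replace '^(tcp|np|lpc):', ''
    $port = 1433; $explicitPort = $false
    if ($source -match '^(.*),\s*(\d+)$') {
        $source = $Matches[1]; $port = [int]$Matches[2]; $explicitPort = $true
    }
    $hostPart, $instance = $source -split '\\', 2

    $ip = $null
    $isIp = ($hostPart -match '[.:]') -and [System.Net.IPAddress]::TryParse($hostPart, [ref]$ip)
    $addresses = @()
    if ($isIp) { $addresses = @($ip) }
    else {
        # A host with no usable DNS server (or hosts entry) fails here.
        try { $addresses = @([System.Net.Dns]::GetHostAddresses($hostPart)) } catch { }
    }
    $reachable = $false
    if ($addresses.Count -gt 0) {
        $client = New-Object System.Net.Sockets.TcpClient -ArgumentList $addresses[0].AddressFamily
        try {
            $async = $client.BeginConnect($addresses[0], $port, $null, $null)
            $reachable = $async.AsyncWaitHandle.WaitOne($TimeoutMs) -and $client.Connected
        } catch { } finally { $client.Close() }
    }
    [pscustomobject]@{
        Host = $hostPart; IsIpLiteral = $isIp; Resolved = ($addresses.Count -gt 0)
        Port = $port; TcpReachable = $reachable
        # A named instance without an explicit port also needs SQL Browser (UDP 1434).
        NeedsSqlBrowser = ([bool]$instance -and -not $explicitPort)
    }
}
Test-SqlDataSource 'Data Source=SQLSRV01;Initial Catalog=AppDb;User ID=appuser;Password=<placeholder>'
Test-SqlDataSource 'Data Source=192.0.2.10,1433;Initial Catalog=AppDb;User ID=appuser;Password=<placeholder>'
```

`Resolved = False` points at name resolution on the web server, while `Resolved = True` with `TcpReachable = False` points at the DMZ-to-Internal access rule or the port it allows.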