
Welcome to ISAserver.org


laptops in DMZ need corporate lan access

laptops in DMZ need corporate lan access - 26.Dec.2010 1:39:23 PM   
luiscarvalho

 

Posts: 31
Joined: 23.Nov.2001
From: portugal
Status: offline
Hi,

We have a few laptop computers in our wireless DMZ, which are domain joined, that need to access the corporate LAN.

Can anyone give me a few pointers on how to accomplish this? Do I need a split DNS structure?

thanks!
Post #: 1
RE: laptops in DMZ need corporate lan access - 27.Dec.2010 11:50:24 AM   
paulo.oliveira

 

Posts: 3472
Joined: 3.Jan.2008
From: Amazon, Brazil
Status: offline
Hi,

laptops are on wireless DMZ and are domain joined? Can I ask why?

What kind of LAN access do they need?

Regards,
Paulo Oliveira.

_____________________________

Microsoft Premier Field Engineer (PFE)
Blog: http://poliveirasilva.wordpress.com/
Twitter: https://twitter.com/poliveirasilva

(in reply to luiscarvalho)
Post #: 2
RE: laptops in DMZ need corporate lan access - 27.Dec.2010 11:57:39 AM   
luiscarvalho

 

Posts: 31
Joined: 23.Nov.2001
From: portugal
Status: offline
Hi,

So that they can be managed, i.e. WSUS, group policies, SCOM, etc.
Also, they are shared by different people in the organization that have domain accounts. The last thing I would want is to create local accounts on those laptops - a management nightmare...

thanks!

(in reply to paulo.oliveira)
Post #: 3
RE: laptops in DMZ need corporate lan access - 27.Dec.2010 12:01:55 PM   
paulo.oliveira

 

Posts: 3472
Joined: 3.Jan.2008
From: Amazon, Brazil
Status: offline
Hi,

why not place them on LAN?

Regards,
Paulo Oliveira.

_____________________________

Microsoft Premier Field Engineer (PFE)
Blog: http://poliveirasilva.wordpress.com/
Twitter: https://twitter.com/poliveirasilva

(in reply to luiscarvalho)
Post #: 4
RE: laptops in DMZ need corporate lan access - 27.Dec.2010 12:20:56 PM   
luiscarvalho

 

Posts: 31
Joined: 23.Nov.2001
From: portugal
Status: offline
Hi,

Our wireless is a DMZ by design. Connecting them to the LAN by wire, we take away mobility from them. Creating a wireless attached to our LAN, it's outside the budget.

thanks!

(in reply to paulo.oliveira)
Post #: 5
RE: laptops in DMZ need corporate lan access - 27.Dec.2010 12:33:11 PM   
paulo.oliveira

 

Posts: 3472
Joined: 3.Jan.2008
From: Amazon, Brazil
Status: offline
Hi,

OK. Giving them LAN access IMO will take down some of the DMZ concepts. Anyway, you'll need to create access rules on ISA to the specific servers and protocols they'll need, in order for you to manage them.

Regards,
Paulo Oliveira.

_____________________________

Microsoft Premier Field Engineer (PFE)
Blog: http://poliveirasilva.wordpress.com/
Twitter: https://twitter.com/poliveirasilva

(in reply to luiscarvalho)
Post #: 6
RE: laptops in DMZ need corporate lan access - 27.Dec.2010 12:43:02 PM   
luiscarvalho

 

Posts: 31
Joined: 23.Nov.2001
From: portugal
Status: offline
These are just 2 laptops.

What about the DNS split domain structure? Do I need to create a zone on the DNS server bound to the DMZ interface, mirroring our internal domain, with records pointing to the LAN machines?

Also, for AD authentication purposes, which protocols do I need to allow?

thanks,

(in reply to paulo.oliveira)
Post #: 7
RE: laptops in DMZ need corporate lan access - 27.Dec.2010 1:54:43 PM   
paulo.oliveira

 

Posts: 3472
Joined: 3.Jan.2008
From: Amazon, Brazil
Status: offline
Hi,

this might help you: http://blog.msfirewall.org.uk/2009/02/resource-guide-for-microsoft-active.html

http://www.isaserver.org/tutorials/2004wirelessdmzpart1.html

Regards,
Paulo Oliveira.

_____________________________

Microsoft Premier Field Engineer (PFE)
Blog: http://poliveirasilva.wordpress.com/
Twitter: https://twitter.com/poliveirasilva

(in reply to luiscarvalho)
Post #: 8
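The "specific servers and protocols" advice from post #6, together with the AD ports asked about in post #7, as an added example that is not part of the thread or any poster's configuration: it audits a DMZ-to-LAN rule list and flags anything broader than the management traffic the laptops need. All addresses, rule names and the WSUS port are constructed assumptions, and dynamic RPC ports are left out of this sketch.

```python
import ipaddress

# Assumed well-known ports a domain member uses toward a domain controller.
AD_CLIENT = {("tcp", 53), ("udp", 53), ("tcp", 88), ("udp", 88), ("udp", 123),
             ("tcp", 135), ("tcp", 389), ("udp", 389), ("tcp", 445), ("tcp", 464)}

# Constructed inventory: which LAN server may be reached on which ports.
ALLOWED = {
    "10.0.0.10": AD_CLIENT,        # domain controller / DNS (sample address)
    "10.0.0.20": {("tcp", 8530)},  # WSUS on an assumed custom-site port
    "10.0.0.30": {("tcp", 5723)},  # SCOM management server (agent channel)
}

# Constructed rule list standing in for the wireless DMZ -> Internal rules.
RULES = [
    {"name": "DMZ to DC Kerberos", "dst": "10.0.0.10/32", "proto": "tcp", "port": 88},
    {"name": "DMZ to DC LDAP", "dst": "10.0.0.10/32", "proto": "tcp", "port": 389},
    {"name": "DMZ to WSUS", "dst": "10.0.0.20/32", "proto": "tcp", "port": 8530},
    {"name": "DMZ to SCOM", "dst": "10.0.0.30/32", "proto": "tcp", "port": 5723},
    {"name": "DMZ to Internal all", "dst": "10.0.0.0/24", "proto": "any", "port": "any"},
    {"name": "DMZ to DC RDP", "dst": "10.0.0.10/32", "proto": "tcp", "port": 3389},
    {"name": "DMZ to file server", "dst": "10.0.0.40/32", "proto": "tcp", "port": 445},
]

def audit(rules, allowed):
    """Return (rule name, reason) for every rule wider than the inventory."""
    findings = []
    for r in rules:
        dst = ipaddress.ip_network(r["dst"])
        if dst.num_addresses != 1:
            findings.append((r["name"], "destination is a network, not one server"))
            continue
        host = str(dst.network_address)
        if host not in allowed:
            findings.append((r["name"], "destination is not a listed server"))
        elif r["port"] == "any" or (r["proto"], r["port"]) not in allowed[host]:
            findings.append((r["name"], "protocol not needed for this server"))
    return findings

if __name__ == "__main__":
    for name, reason in audit(RULES, ALLOWED):
        print(f"REVIEW  {name}: {reason}")
```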
RE: laptops in DMZ need corporate lan access - 27.Dec.2010 3:43:47 PM   
luiscarvalho

 

Posts: 31
Joined: 23.Nov.2001
From: portugal
Status: offline
Thank you!

(in reply to paulo.oliveira)
Post #: 9
RE: laptops in DMZ need corporate lan access - 8.Feb.2011 1:24:28 PM   
pwindell

 

Posts: 2244
Joined: 12.Apr.2004
From: Taylorville, IL
Status: offline
quote:

Our wireless is a DMZ by design. Connecting them to the LAN by wire, we take away mobility from them. Creating a wireless attached to our LAN, it's outside the budget.


That isn't true.
1. It is a bad design. Domain members on a DMZ means it is no longer a DMZ. It just becomes a LAN segment crippled by a NAT relationship.
2. They are not going to "lose mobility" either way.
3. Budget - It doesn't cost anything to simply plug a patch cable into a different spot to move the WAP into the LAN segment.

_____________________________

Phillip Windell

(in reply to luiscarvalho)
Post #: 10
RE: laptops in DMZ need corporate lan access - 23.Feb.2011 10:34:51 AM   
stainless.steelrat

 

Posts: 7
Joined: 8.Nov.2006
Status: offline
So I have a similar question....

Current configuration for the network is:

DSL Modem -> Linksys Router (with WiFi) -> ISA External -> Internal ISA (rest of the network is wired behind).

This current setup has worked, where if wireless access devices require internal resources, they just VPN. However, there have been some additions, including iPhones and other smart phones. Plus some of the network enabled audio devices.

I want to move the WAP to somewhere where I can get more access, either on a new dedicated DMZ segment, or potentially if necessary internally. I need to allow access to some of the other DLNA devices wired on the internal LAN, over wireless....

Suggestions?

I've been reading through the DMZ configuration articles, since that was my first thought.

Initially, the configuration was to deal with the ISA 2000, dialer issues with DSL, so that's why the linksys is sitting out in front. And of course, with the wonders of the original wifi security. <G>

(in reply to pwindell)
Post #: 11
RE: laptops in DMZ need corporate lan access - 23.Feb.2011 10:41:24 AM   
pwindell

 

Posts: 2244
Joined: 12.Apr.2004
From: Taylorville, IL
Status: offline
You need to post your own separate question in your own thread that you start.

But a "quickie" answer would be to add another WAP (that is just a "straight" Access Point) to either the LAN or a DMZ and leave the Wireless NAT Device where it already is.

< Message edited by pwindell -- 23.Feb.2011 10:43:18 AM >


_____________________________

Phillip Windell

(in reply to stainless.steelrat)
Post #: 12
