ISA/DMZ/DNS/ (Full Version)



george -> ISA/DMZ/DNS/ (11.Apr.2001 5:41:00 AM)

Hi everyone, I just need some clarification on ISA/DMZ/DNS and how it handles internet requests if we have a DMZ zone set up. We're planning on deploying ISA in a back-to-back setup; in this setup we would like to put a bunch of web servers, an FTP server, and down the road mail servers. All of these servers would of course have public IP addresses, and each IP would be registered for proper name resolution. The only question that is still bugging me: do I need to register the IP address on my ISA that is directly connected to the internet with those hostnames in the DMZ zone so it would "listen" for those kinds of requests and properly route them to the appropriate server in the DMZ?

simond -> RE: ISA/DMZ/DNS/ (11.Apr.2001 2:23:00 PM)


I have recently built (and torn apart again) a similar scenario to the one you are describing, except I was using a three-homed perimeter network configuration.

You could do it two ways:
1. Use packet filtering (static firewall) instead of dynamic (server publishing) - then the ISA server would only have one public / internet IP address. Configure the router that is upstream of the ISA server so that it has a default route to the subnet that is in the DMZ, through the ISA server. Configure Packet Filters on the ISA server to allow the protocols through that are used by the servers in the DMZ. In this configuration the ISA server is acting as a kind of router, and all the servers in the DMZ must have public addresses.

2. Use server publishing rules, or Dynamic filtering. You can use private addresses in the DMZ (they are never actually made visible to the internet) - configure server publishing rules (as per Tom S's article) - and yes, you will need to add enough addresses to the ISA server's internet-side interface to support the different servers in the DMZ. You only need one IP address per service that you are offering though - so if you've got two SMTP servers in there, you'll need two IP addresses registered, but if you then want to offer HTTP, you can use one of the existing ones, as you are listening on a different port, and can use that to make the mapping, instead of the IP address.

I hope that all makes sense? One last thing, I did mention that I tore the DMZ config down again - reason: if you want to use MS Exchange in the DMZ, or you need NT / AD authentication on the webservers, you'll come up with two options, both of which are VERY insecure:
* Punch holes in the firewall with packet filters to support NT / Win2k authentication / RPC / LDAP / NBT / etc... between the servers in the DMZ and your Domain Controllers (inside the LAN) -- Why is this bad? You need to open so many ports through your LAN firewall, it may as well not be there.


* If you are using Win2K - put a DC in the DMZ that is in a different site to the rest of the organisation, and use SMTP intersite communication. Then add a packet filter through your LAN-side firewall to allow communication on port 25 through.
-- Why is this bad? Having a DC in your DMZ seems like a really bad idea. Although, if you were using server publishing rules, and private addresses to publish your server like this, it might not be too bad as the only services visible are ones that are explicitly defined in the publishing rules.

Does this answer any questions, or just raise more!
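The "one IP address per service" rule from option 2 above, worked through as an added example (this is not code from the thread or from ISA Server; ISA 2000 has no scripting API for this, so the script only models the allocation an operator would otherwise do by hand). It assigns each published service to the first public address on the external interface that is not already listening on that port, reports when more public addresses must be added, and computes the minimum number of public IPs a set of services needs. All addresses are constructed samples (RFC 5737 documentation range for the public side, RFC 1918 for the DMZ).

```python
"""Plan server-publishing listeners on the ISA server's external interface.

Added example, not the thread's own code. Assumption (from simond's post):
a publishing rule needs an (external IP, port) pair no other rule uses, so
two SMTP servers need two public IPs, but an HTTP server can reuse one of
them because it listens on a different port."""

from dataclasses import dataclass
from ipaddress import IPv4Address


@dataclass(frozen=True)
class PublishedService:
    name: str          # label for the DMZ host
    port: int          # port the public listener and the DMZ host use
    internal_ip: str   # private (RFC 1918) address of the DMZ host


@dataclass(frozen=True)
class Listener:
    external_ip: str   # public address bound on the ISA external NIC
    port: int
    internal_ip: str   # DMZ host the rule forwards to (one-to-one NAT)
    name: str


# Constructed sample: two SMTP hosts, one web server, one FTP server in the DMZ.
SAMPLE_SERVICES = [
    PublishedService("smtp-1", 25, "192.168.10.11"),
    PublishedService("smtp-2", 25, "192.168.10.12"),
    PublishedService("webserver", 80, "192.168.10.10"),
    PublishedService("ftp", 21, "192.168.10.13"),
]
# Constructed sample: public addresses added to the external interface.
SAMPLE_PUBLIC_POOL = ["203.0.113.10", "203.0.113.11"]


def plan_listeners(services, public_pool):
    """Assign each service to the first public IP whose port is still free.

    Raises ValueError when the pool cannot supply a free listener, so the
    operator learns before building rules that more public addresses must be
    added to the external NIC."""
    pool = [str(IPv4Address(ip)) for ip in public_pool]   # validates each address
    used = {ip: set() for ip in pool}                      # external_ip -> ports in use
    plan = []
    for svc in services:
        chosen = next((ip for ip in pool if svc.port not in used[ip]), None)
        if chosen is None:
            raise ValueError(
                f"no free listener for {svc.name} on port {svc.port}; "
                "add another public IP to the external interface")
        used[chosen].add(svc.port)
        plan.append(Listener(chosen, svc.port, svc.internal_ip, svc.name))
    return plan


def public_ips_needed(services):
    """Minimum number of public IPs: the largest number of services sharing one port."""
    per_port = {}
    for svc in services:
        per_port[svc.port] = per_port.get(svc.port, 0) + 1
    return max(per_port.values(), default=0)


if __name__ == "__main__":
    print(f"public IPs needed: {public_ips_needed(SAMPLE_SERVICES)}")
    for rule in plan_listeners(SAMPLE_SERVICES, SAMPLE_PUBLIC_POOL):
        print(f"{rule.name:10} {rule.external_ip}:{rule.port} -> {rule.internal_ip}:{rule.port}")
```

With the sample input the two SMTP hosts take one public address each, and the web and FTP listeners reuse the first address on ports 80 and 21, so two public IPs cover four published services; with only one address in the pool the second SMTP host cannot be published and the planner raises.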


tshinder -> RE: ISA/DMZ/DNS/ (11.Apr.2001 6:56:00 PM)

Hi Simon,

Very nice description of the options for setting up a DMZ.

For the back-to-back DMZ config, I much prefer using private IP addresses and then publishing the services on the DMZ segment. This is much more secure than the routed approach used when using public IP addresses on the DMZ segment.

However, I do see your concern about making the internal network domain controller accessible to the Exchange Server on the DMZ segment. However, you can publish the DC on the internal segment and allow access only to the Exchange Server on the DMZ segment. Or you can create a separate domain on the DMZ segment and create a one-way trust.

Thanks for the good work!


Tom Shinder

simond -> RE: ISA/DMZ/DNS/ (11.Apr.2001 8:50:00 PM)

.. fair point about the one way trust.

I did have a go at publishing the internal DC to the perimeter network, but came up against real problems identifying all the ports that were required to make all the services work correctly.

After a re-think I decided that as we were only using Exchange for POP3 / SMTP / Outlook Web Access, and not RPC, it would be easier to put both DC and MSX servers on the internal LAN, and publish the mail services / HTTP through the firewall instead.


george -> RE: ISA/DMZ/DNS/ (12.Apr.2001 3:17:00 AM)


Thanks for the response. I just need one confirmation from your explanation, and I'm quoting you here.

"you will need to add enough addresses to the ISA servers internet side interface to support the different servers in the DMZ"

This tells me a couple of things: first, instead of having one public IP on the internet NIC of my 1st ISA, I also add the public IPs of my DMZ servers to this NIC. So this NIC will have more than one public IP address on it?

And the other thing: won't there be any IP conflicts if I add more than one IP between the 1st ISA NIC and the DMZ servers that actually have this address?

jasonb54 -> RE: ISA/DMZ/DNS/ (12.Apr.2001 4:08:00 AM)


You would assign private addresses to the servers in the DMZ. The public IPs you would add to the External interface on the ISA server, this will allow you to establish one-to-one NAT for the particular services you are publishing on each box in the DMZ.


george -> RE: ISA/DMZ/DNS/ (12.Apr.2001 6:12:00 AM)


Thanks for the response. According to the documentation, and I think it's from MS, all servers in the DMZ zone will need to have a public IP address. Anyway, I guess the only way to find out is to try it.

On my back-to-back setup, how about the second ISA that is connected to my internal LAN? Do I also assign a private address to both NICs and implement routing?

george -> RE: ISA/DMZ/DNS/ (12.Apr.2001 7:29:00 AM)

Tom, and everyone that would like to add to my setup, please download the document and upload it back. You can find the diagram at

Just cut and paste the link and it will open the diagram in your browser; edit it, add to it and send it to me at

simond -> RE: ISA/DMZ/DNS/ (12.Apr.2001 2:23:00 PM)

I couldn't get that link to work (got a time out error from iDrive?)

..but, you only need public addresses in the DMZ if you are using the Static Firewall model, i.e. using Packet Filters. If you use the Dynamic filters (server publishing) you are using NAT to hide the private addresses in your DMZ.

Re your LAN-side ISA server, that can have private addresses on both its NICs, but they will need to be in different subnets. So your scheme might look like this:

*** - / /
| ISA Server 1 (internet / DMZ border)
*** -
| webserver mail
| ___ ___
| | |
|------------------------------------------ (DMZ network
*** -
| ISA (DMZ / internal LAN border)
*** -
|------------------------------------------ (Internal LAN network

So the webserver may be published as mapping to and the mail server by mapping to

Does that help?

Cheers (and I hope the diagram works in the post!)
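The addressing scheme sketched in this post and in jasonb54's reply (private addresses in the DMZ, public addresses only on ISA 1's external NIC, ISA 2 with one private NIC in each of two different subnets), expressed as a consistency check. This is an added example, not the thread's diagram or any ISA Server code; the field names in the scheme dictionary and all addresses are constructed, and "private" is taken to mean the RFC 1918 ranges that NAT hides. It also answers george's conflict question: the published public IPs live on ISA 1's external NIC and must not collide with any DMZ or LAN address.

```python
"""Check a back-to-back ISA addressing scheme for the mistakes discussed in the thread.

Added example, not from the thread. The scheme layout (keys, addresses) is a
constructed assumption; the checks encode what the posts state."""

from ipaddress import ip_address, ip_network

# RFC 1918 ranges: what the thread calls "private addresses" (hidden behind NAT).
RFC1918 = [ip_network("10.0.0.0/8"), ip_network("172.16.0.0/12"), ip_network("192.168.0.0/16")]


def is_rfc1918_host(addr):
    return any(addr in net for net in RFC1918)


def is_rfc1918_subnet(net):
    return any(net.subnet_of(r) for r in RFC1918)


# Constructed sample scheme (public side uses the RFC 5737 documentation range).
SAMPLE_SCHEME = {
    "public_ips": ["203.0.113.10", "203.0.113.11"],      # added to ISA 1's external NIC
    "isa1": {"external": "203.0.113.2", "dmz": "192.168.10.1"},
    "dmz_subnet": "192.168.10.0/24",
    "dmz_hosts": {"webserver": "192.168.10.10", "mail": "192.168.10.11"},
    "isa2": {"dmz": "192.168.10.2", "lan": "192.168.20.1"},
    "lan_subnet": "192.168.20.0/24",
}


def check_scheme(scheme):
    """Return a list of problems; an empty list means the scheme is consistent."""
    problems = []
    dmz = ip_network(scheme["dmz_subnet"])
    lan = ip_network(scheme["lan_subnet"])

    # Server publishing hides the DMZ behind NAT, so both inside subnets are private.
    if not is_rfc1918_subnet(dmz):
        problems.append(f"DMZ subnet {dmz} is not an RFC 1918 range")
    if not is_rfc1918_subnet(lan):
        problems.append(f"LAN subnet {lan} is not an RFC 1918 range")
    # ISA 2 routes between the two; they must be different, non-overlapping subnets.
    if dmz.overlaps(lan):
        problems.append(f"DMZ subnet {dmz} and LAN subnet {lan} overlap; ISA 2 needs them in different subnets")

    # ISA 1: internet leg is public, DMZ leg sits in the DMZ subnet.
    if is_rfc1918_host(ip_address(scheme["isa1"]["external"])):
        problems.append("ISA 1 external address is private; it must be the routable internet address")
    isa1_dmz = ip_address(scheme["isa1"]["dmz"])
    if isa1_dmz not in dmz:
        problems.append(f"ISA 1 DMZ address {isa1_dmz} is outside the DMZ subnet {dmz}")

    # Published public IPs: public, and never reused inside the DMZ or LAN (no conflicts).
    for ip in scheme["public_ips"]:
        addr = ip_address(ip)
        if is_rfc1918_host(addr) or addr in dmz or addr in lan:
            problems.append(f"published IP {addr} is private or collides with the DMZ/LAN")

    # ISA 2: one NIC in the DMZ subnet, the other in the LAN subnet.
    isa2_dmz = ip_address(scheme["isa2"]["dmz"])
    isa2_lan = ip_address(scheme["isa2"]["lan"])
    if isa2_dmz not in dmz:
        problems.append(f"ISA 2 DMZ address {isa2_dmz} is outside the DMZ subnet {dmz}")
    if isa2_lan not in lan:
        problems.append(f"ISA 2 LAN address {isa2_lan} is outside the LAN subnet {lan}")

    # DMZ hosts: inside the DMZ subnet and not colliding with each other or the ISA legs.
    seen = {isa1_dmz, isa2_dmz}
    for name, ip in scheme["dmz_hosts"].items():
        addr = ip_address(ip)
        if addr not in dmz:
            problems.append(f"{name} ({addr}) is outside the DMZ subnet {dmz}")
        if addr in seen:
            problems.append(f"{name} reuses address {addr}")
        seen.add(addr)
    return problems


if __name__ == "__main__":
    found = check_scheme(SAMPLE_SCHEME)
    print("\n".join(found) if found else "scheme is consistent")
```

Running it on the sample prints that the scheme is consistent; changing the LAN subnet to the DMZ's range, or giving a DMZ host a LAN address, produces a named problem for each mistake.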
