
RE: ISA server with 3 NIC problem !

RE: ISA server with 3 NIC problem ! - 18.Jun.2002 11:18:00 PM   
spouseele

 

Hi dpeters,

you said "A DMZ IS NOT FOR PUBLISHING SERVERS BECAUSE THAT WOULD DEFEAT THE WHOLE POINT OF A DMZ". That's *not* in http://support.microsoft.com/default.aspx?scid=kb;en-us;Q299959 . That Q-article is talking about a mail service running on ISA itself and bound to the DMZ adapter. That's something completely different than publishing an internal resource on the DMZ interface!

Let's take two real-life DMZ scenarios:

1) I want a secure mail relay server in the DMZ. After anti-spam checking, content checking, virus scanning, etc. the 'cleaned' emails must be forwarded to an internal mail server.

2) I have a web application on a web server in the DMZ that needs to access a SQL database on the internal network.

How do you think you can make this work in the proper way? Yes, by publishing the internal resources onto the DMZ interface and making them accessible only to the intended frontend servers in the DMZ.

BTW --- I have ISA installations running with 5 interfaces: one external, one internal and three DMZ interfaces. Two of them are further connected to a partner site. This is all working without any problem.

HTH,
Stefaan

[ June 18, 2002, 11:20 PM: Message edited by: spouseele ]

(in reply to tsorin)
Post #: 21
RE: ISA server with 3 NIC problem ! - 19.Jun.2002 12:47:00 AM   
dpeters

 

DMZs are an obscure idea that was never really formalized. Personally, I think they cause more confusion than they are worth, but if you read about them you'll see that the consensus is that they are formed by using routers or application proxy firewalls to form a separate subnet that is only accessible by the firewall or application proxy NOT the outside world. Packets CAN get into the DMZ from the outside world but they have to be allowed by the router or application proxy. Publishing is a concept invented by Microsoft for ISA server. It is NOT something used by any other firewall. So most people do not PUBLISH servers in a DMZ.

(in reply to tsorin)
Post #: 22
RE: ISA server with 3 NIC problem ! - 19.Jun.2002 10:04:00 AM   
spouseele

 

Hi dpeters,

The term DMZ is very well defined. I quote here from the Microsoft webcast presentation about ISA and perimeter networks:
- DMZs are also known as perimeter networks or screened networks
- A network region separate from the private internal network, but access is still restricted from the external world
- Created to give un-trusted users access to required data while minimizing the risk to the internal network
- Servers in the DMZ are considered "expendable" - they could be lost and should only host data that is easily replaced

Also, there is no mystery about publishing. Web publishing is in fact reverse proxying. Server publishing is a more restrictive form of what is sometimes called port forwarding by other firewall vendors.

I think you should read a good book about ISA. I highly recommend http://www.amazon.com/exec/obidos/ASIN/1928994296/isaserver/

HTH,
Stefaan

(in reply to tsorin)
Post #: 23
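
The restriction described in posts #21 and #23 (internal resources published onto the DMZ interface, reachable only by the intended front-end servers, as a narrower form of port forwarding) can be modelled as a default-deny rule set and audited. This is an added example, not part of the thread and not ISA Server's own configuration format; the addresses, rule names, the choice of TCP 25 and 1433 for the mail and SQL scenarios, and the `PublishRule`, `audit` and `is_allowed` names are all assumptions.

```python
import ipaddress
from dataclasses import dataclass

# Constructed addressing plan (assumption, not taken from the thread).
INTERNAL = ipaddress.ip_network("10.0.0.0/24")
DMZ = ipaddress.ip_network("192.168.50.0/24")

@dataclass(frozen=True)
class PublishRule:              # hypothetical model of one publishing rule
    name: str
    internal_host: str          # internal server being published
    port: int                   # the single TCP port exposed to the DMZ
    allowed_sources: tuple      # hosts/networks permitted to connect

# The two scenarios from post #21, plus one deliberately loose rule.
RULES = [
    PublishRule("smtp-to-internal-mail", "10.0.0.25", 25, ("192.168.50.10/32",)),
    PublishRule("sql-for-web-app", "10.0.0.40", 1433, ("192.168.50.20/32",)),
    PublishRule("sql-loose", "10.0.0.40", 1433, ("192.168.50.0/24", "0.0.0.0/0")),
]

def audit(rule):
    """Return findings for one rule; an empty list means it is tightly scoped."""
    findings = []
    if ipaddress.ip_address(rule.internal_host) not in INTERNAL:
        findings.append("published host is not on the internal network")
    for src in rule.allowed_sources:
        net = ipaddress.ip_network(src)
        if not net.subnet_of(DMZ):
            findings.append(f"source {src} reaches beyond the DMZ")
        elif net.num_addresses > 1:
            findings.append(f"source {src} is a range, not a single front end")
    return findings

def is_allowed(rules, src_ip, dst_ip, dst_port):
    """Default deny: a DMZ-to-internal flow passes only if a rule names it."""
    src = ipaddress.ip_address(src_ip)
    return any(
        r.internal_host == dst_ip and r.port == dst_port
        and any(src in ipaddress.ip_network(s) for s in r.allowed_sources)
        for r in rules
    )

if __name__ == "__main__":
    for r in RULES:
        print(f"{r.name}: {audit(r) or 'ok'}")
    # The web front end may reach SQL, but not the internal mail server.
    print(is_allowed(RULES[:2], "192.168.50.20", "10.0.0.40", 1433))
    print(is_allowed(RULES[:2], "192.168.50.20", "10.0.0.25", 25))
```
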
