Re: Where to put the server
From: TRD (tdejohnx2_at_hotmail.com)
Date: 02/09/04
- Next message: Sean: "Mail going out but not coming in?"
- Previous message: John Leonard - Sage: "Access two separate and different domains/active directories with same work station"
- In reply to: Darwood: "Re: Where to put the server"
- Next in thread: Darwood: "Re: Where to put the server"
- Reply: Darwood: "Re: Where to put the server"
- Messages sorted by: [ date ] [ thread ]
Date: Mon, 9 Feb 2004 09:16:47 -0500
Thanks for your help. I did end up placing the 2003 IIS box in the DMZ. I
will try and get up with the vendor of the custom app to see if I can move
it.
Thanks again for your help
TRD
"Darwood" <darrenw@nospamme.woodfordcomputers.co.uk> wrote in message
news:O14Y6Ww7DHA.2480@TK2MSFTNGP12.phx.gbl...
> Put the 2003 IIS Server in the DMZ. If you can, shift the custom app to the
> SBS box or another LAN server. If not possible then you should be able to
> configure your ISA server to allow only the required traffic between your
> LAN and the DMZ. This should give your users the apps they need and still
> maintain a reasonable level of security.
>
> --
> Darwood
>
> Remove nospamme from email address to reply.
>
> "TRD" <tdejohnx2@hotmail.com> wrote in message
> news:#1LTkwr7DHA.2300@TK2MSFTNGP10.phx.gbl...
> > Yes this scenario is far from normal. I am not trying to move the sbs2000
> > or the clients from the LAN. My dilemma is that I have a Win2003 server
> > that is running IIS for their website. The IIS box is also home to a
> > custom made application that is tied into the data that the website uses.
> >
> > Dilemma:
> > Do I put the IIS server on the LAN or do I place the IIS box in the DMZ
> > and enable Netbios over tcp/ip (which the custom app uses to communicate
> > with the clients). The application doesn't seem to be the best thought out
> > design. But I can't change that.
> >
> > With the webserver in the DMZ and netbios running over tcp how safe is it
> > for the internal network? I have a SonicWall in front of the DMZ.
> >
> > I am just thinking that the web server on the LAN is not a good idea. For
> > obvious reasons. Any ideas?
> >
> >
> > Thanks for the help.
> >
> > TRD
> >
> >
> > "Jeff Middleton [SBS-MVP]" <jeff@cfisolutions.com> wrote in message
> > news:OyH4NdN7DHA.1716@TK2MSFTNGP10.phx.gbl...
> > > This conversation is quickly leaving the term "normal" out of the topic.
> > >
> > > If you have an SBS running as the DC of a domain with LAN clients, then
> > > you can't put the SBS in DMZ without putting the clients in DMZ as well,
> > > otherwise they can't reach the SBS without tunneling into the DMZ, and
> > > now we have a circular condition that really makes no sense. Windows
> > > Networks pretty much still require Netbios, and doing it without Netbios
> > > is a bit of an exotic concept not suited to most scenarios.
> > >
> > > The normal way to approach this situation with a single server would be
> > > to construct a normal LAN with the SBS and its clients, then preferably
> > > run a secure website on the SBS if you must, and keep the website behind
> > > either a forward firewall, or ISA on the SBS. A preferred approach would
> > > be to acquire another server, perhaps running Windows Server Web Edition
> > > and put that machine in DMZ between a pair of firewalls, one of which
> > > separates the SBS LAN from the DMZ.
> > >
> > >
> > > "TRD" <tdejohnx2@hotmail.com> wrote in message
> > > news:erkzOpM7DHA.3304@tk2msftngp13.phx.gbl...
> > > > There is a custom application that they have. It has a piece that is
> > > > accessible from the internet and another separate component that is
> > > > for the LAN users. It is not the best thought out software I have ever
> > > > seen.
> > > >
> > > > "Darwood" <darrenw@nospamme.woodfordcomputers.co.uk> wrote in message
> > > > news:Odi9gHJ7DHA.1632@TK2MSFTNGP12.phx.gbl...
> > > > > If the web server is going to be accessible from the internet then
> > > > > put it in the DMZ. If you leave it on the LAN then if it is
> > > > > compromised your whole LAN is vulnerable. Why do the clients need
> > > > > netbios access to the server?
> > > > >
> > > > > --
> > > > > Darwood
> > > > >
> > > > > Remove nospamme from email address to reply.
> > > > >
> > > > > "TRD" <tdejohnx2@hotmail.com> wrote in message
> > > > > news:ePatQLB7DHA.1592@TK2MSFTNGP10.phx.gbl...
> > > > > > I have an sbs2000 network with the standard 2 NIC setup. We are
> > > > > > going to host a site on a Windows 2003 server that has a custom
> > > > > > application that clients on the local network need to access. If I
> > > > > > add this website to the Windows 2003 box, should I move the server
> > > > > > to the DMZ or leave it on the internal network?
> > > > > >
> > > > > > With the webserver on the LAN how big of a security risk will it
> > > > > > be?
> > > > > >
> > > > > > If I move the server to the DMZ I still have a SonicWall in front
> > > > > > of it but will have to use netbios over tcp for the clients on the
> > > > > > LAN to get to it. Is this about the same as having it on the LAN??
> > > > > >
> > > > > >
> > > > > > TIA
> > > > > >
> > > > > > TRD
> > > > > >
> > > > > >
> > > > >
> > > > >
> > > >
> > > >
> > >
> > >
> >
> >
>
>
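
The "allow only the required traffic between your LAN and the DMZ" advice in the thread, as an added example that is not part of the original posts: a small audit of zone-to-zone allow rules on a default-deny, stateful firewall. The zone labels, the `Rule` model, the web ports, and the assumption that LAN clients initiate the NetBIOS sessions to the app server are all assumptions made for illustration.

```python
from dataclasses import dataclass

# NetBIOS over TCP/IP: name service 137/udp, datagram 138/udp, session 139/tcp.
NETBIOS = {("udp", 137), ("udp", 138), ("tcp", 139)}
WEB = {("tcp", 80), ("tcp", 443)}  # assumed ports for the public site

@dataclass(frozen=True)
class Rule:
    src: str    # source zone: "WAN", "LAN" or "DMZ" (hypothetical labels)
    dst: str    # destination zone
    proto: str  # "tcp", "udp" or "any"
    port: int   # destination port, 0 meaning any

# Services each zone pair may use; a pair not listed here is denied outright.
ALLOWED = {
    ("WAN", "DMZ"): WEB,
    ("LAN", "DMZ"): WEB | NETBIOS,
}

def audit(rules):
    """Return (rule, reason) for every allow rule wider than ALLOWED."""
    findings = []
    for r in rules:
        permitted = ALLOWED.get((r.src, r.dst))
        if permitted is None:
            findings.append((r, f"{r.src} may not open connections to {r.dst}"))
        elif r.proto == "any" or r.port == 0:
            findings.append((r, "wildcard protocol or port"))
        elif (r.proto, r.port) not in permitted:
            findings.append((r, "service not required by the site or the app"))
    return findings

# Constructed rule sets, not taken from any real firewall export.
LOOSE = [
    Rule("WAN", "DMZ", "tcp", 80),
    Rule("WAN", "DMZ", "tcp", 139),  # NetBIOS session service exposed to the Internet
    Rule("LAN", "DMZ", "any", 0),    # everything open toward the DMZ
    Rule("DMZ", "LAN", "tcp", 139),  # DMZ host can reach LAN file shares
]
TIGHT = [Rule("WAN", "DMZ", "tcp", 80), Rule("LAN", "DMZ", "tcp", 80)] + [
    Rule("LAN", "DMZ", proto, port) for proto, port in sorted(NETBIOS)
]

if __name__ == "__main__":
    for rule, reason in audit(LOOSE):
        print(f"{rule.src}->{rule.dst} {rule.proto}/{rule.port}: {reason}")
    print("tight rule set findings:", len(audit(TIGHT)))
```

The DMZ-to-LAN rule is the one that undoes the separation: with it in place, a compromised web server can reach LAN hosts directly, which is the exposure the DMZ placement was meant to remove.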