Re: Where to put the server

From: Darwood (darrenw_at_nospamme.woodfordcomputers.co.uk)
Date: 02/09/04


Date: Mon, 9 Feb 2004 15:55:17 -0000

Just reread the thread and if it also needs to be accessible from the internet
then leave it on the server in the DMZ. Someone here should be able to help
you configure ISA to meet your needs. Mariette's site at
http://www.smallbizserver.net is a pretty good place to start.

--
Darwood
Remove nospamme from email address to reply.
"TRD" <tdejohnx2@hotmail.com> wrote in message
news:OmGuadx7DHA.2812@TK2MSFTNGP11.phx.gbl...
> Thanks for your help. I did end up placing the 2003 IIS box in the DMZ. I
> will try and get up with the vendor of the custom app to see if I can move
> it.
>
> Thanks again for your help
>
>
> TRD
>
>
> "Darwood" <darrenw@nospamme.woodfordcomputers.co.uk> wrote in message
> news:O14Y6Ww7DHA.2480@TK2MSFTNGP12.phx.gbl...
> > Put the 2003 IIS Server in the DMZ. If you can, shift the custom app to the
> > SBS box or another LAN server. If not possible then you should be able to
> > configure your ISA server to allow only the required traffic between your
> > LAN and the DMZ. This should give your users the apps they need and still
> > maintain a reasonable level of security.
> >
> > --
> > Darwood
> >
> > Remove nospamme from email address to reply.
> >
> > "TRD" <tdejohnx2@hotmail.com> wrote in message
> > news:#1LTkwr7DHA.2300@TK2MSFTNGP10.phx.gbl...
> > > Yes this scenario is far from normal. I am not trying to move the sbs2000
> > > or the clients from the LAN. My dilemma is that I have a Win2003 server
> > > that is running IIS for their website. The IIS box is also home to a
> > > custom made application that is tied into the data that the website uses.
> > >
> > > Dilemma:
> > > Do I put the IIS server on the LAN or do I place the IIS box in the DMZ
> > > and enable Netbios over tcp/ip (which the custom app uses to communicate
> > > with the clients). The application doesn't seem to be the best thought out
> > > design. But I can't change that.
> > >
> > > With the webserver in the DMZ and netbios running over tcp how safe is it
> > > for the internal network. I have a SonicWall in front of the DMZ.
> > >
> > > I am just thinking that the web server on the LAN is not a good idea. For
> > > obvious reasons. Any ideas?
> > >
> > >
> > > Thanks for the help.
> > >
> > > TRD
> > >
> > >
> > > "Jeff Middleton [SBS-MVP]" <jeff@cfisolutions.com> wrote in message
> > > news:OyH4NdN7DHA.1716@TK2MSFTNGP10.phx.gbl...
> > > > This conversation is quickly leaving the term "normal" out of the topic.
> > > >
> > > > If you have an SBS running as the DC of a domain with LAN clients, then
> > > > you can't put the SBS in DMZ without putting the clients in DMZ as well,
> > > > otherwise they can't reach the SBS without tunneling into the DMZ, and
> > > > now we have a circular condition that really makes no sense. Windows
> > > > Networks pretty much still require Netbios, and doing it without Netbios
> > > > is a bit of an exotic concept not suited to most scenarios.
> > > >
> > > > The normal way to approach this situation with a single server would be
> > > > to construct a normal LAN with the SBS and its clients, then preferably
> > > > run a secure website on the SBS if you must, and keep the website behind
> > > > either a forward firewall, or ISA on the SBS. A preferred approach would
> > > > be to acquire another server, perhaps running Windows Server Web Edition
> > > > and put that machine in DMZ between a pair of firewalls, one of which
> > > > separates the SBS LAN from the DMZ.
> > > >
> > > >
> > > > "TRD" <tdejohnx2@hotmail.com> wrote in message
> > > > news:erkzOpM7DHA.3304@tk2msftngp13.phx.gbl...
> > > > > There is a custom application that they have. It has a piece that is
> > > > > accessible from the internet and another separate component that is
> > > > > for the LAN users. It is not the best thought out software I have
> > > > > ever seen.
> > > > >
> > > > > "Darwood" <darrenw@nospamme.woodfordcomputers.co.uk> wrote in
> message
> > > > > news:Odi9gHJ7DHA.1632@TK2MSFTNGP12.phx.gbl...
> > > > > > If the web server is going to be accessible from the internet then
> > > > > > put it in the DMZ. If you leave it on the LAN then if it is
> > > > > > compromised your whole LAN is vulnerable. Why do the clients need
> > > > > > netbios access to the server?
> > > > > >
> > > > > > --
> > > > > > Darwood
> > > > > >
> > > > > > Remove nospamme from email address to reply.
> > > > > >
> > > > > > "TRD" <tdejohnx2@hotmail.com> wrote in message
> > > > > > news:ePatQLB7DHA.1592@TK2MSFTNGP10.phx.gbl...
> > > > > > > I have an sbs2000 network with the standard 2 NIC setup. We are
> > > > > > > going to host a site on a Windows 2003 server that has a custom
> > > > > > > application that clients on the local network need to access. If
> > > > > > > I add this website to the Windows 2003 box, should I move the
> > > > > > > server to the DMZ or leave it on the internal network?
> > > > > > >
> > > > > > > With the webserver on the LAN how big of a security risk will it
> > > > > > > be?
> > > > > > >
> > > > > > > If I move the server to the DMZ I still have a SonicWall in front
> > > > > > > of it but will have to use netbios over tcp for the clients on
> > > > > > > the LAN to get to it. Is this about the same as having it on the
> > > > > > > LAN??
> > > > > > >
> > > > > > >
> > > > > > > TIA
> > > > > > >
> > > > > > > TRD
> > > > > > >
> > > > > > >
> > > > > >
> > > > > >
> > > > >
> > > > >
> > > >
> > > >
> > >
> > >
> >
> >
>
>
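
The thread's advice to allow only the required traffic between the LAN and the DMZ, sketched as an added example that is not part of the original posts. It audits a constructed allow-rule list for paths wider than that design needs; the subnets, the IIS address, the rule names and the choice of web ports 80/443 are all assumptions.

```python
from ipaddress import ip_network

LAN = ip_network("192.168.16.0/24")   # assumed LAN subnet
DMZ = ip_network("172.16.1.0/24")     # assumed DMZ subnet
IIS = ip_network("172.16.1.10/32")    # assumed address of the IIS box

# NetBIOS over TCP/IP: name service, datagram service, session service
NETBIOS = {("udp", 137), ("udp", 138), ("tcp", 139)}
WEB = {("tcp", 80), ("tcp", 443)}     # assumed public web ports

def zone(net):
    """Map a rule endpoint to a zone; anything wider than a zone is 'internet'."""
    if net.subnet_of(LAN):
        return "lan"
    if net.subnet_of(DMZ):
        return "dmz"
    return "internet"

def audit(rules):
    """Return (rule name, finding) for every allow rule wider than the design needs."""
    findings = []
    for name, src, dst, proto, port in rules:
        s, d = ip_network(src), ip_network(dst)
        path, svc = (zone(s), zone(d)), (proto, port)
        if path == ("dmz", "lan"):
            findings.append((name, "DMZ host can open connections into the LAN"))
        elif path == ("internet", "lan"):
            findings.append((name, "Internet traffic allowed straight into the LAN"))
        elif path == ("internet", "dmz") and svc not in WEB:
            findings.append((name, "non-web service exposed to the Internet"))
        elif path == ("lan", "dmz") and (d != IIS or svc not in NETBIOS | WEB):
            findings.append((name, "LAN-to-DMZ rule broader than the app needs"))
    return findings

# Constructed rule set: (name, source, destination, protocol, port)
RULES = [
    ("web-in",      "0.0.0.0/0",       "172.16.1.10/32",  "tcp", 80),
    ("app-session", "192.168.16.0/24", "172.16.1.10/32",  "tcp", 139),
    ("app-names",   "192.168.16.0/24", "172.16.1.10/32",  "udp", 137),
    ("nb-from-any", "0.0.0.0/0",       "172.16.1.10/32",  "tcp", 139),
    ("dmz-to-dc",   "172.16.1.10/32",  "192.168.16.2/32", "tcp", 139),
    ("lan-any-dmz", "192.168.16.0/24", "172.16.1.0/24",   "tcp", 3389),
]

if __name__ == "__main__":
    for name, finding in audit(RULES):
        print(f"{name}: {finding}")
```

The first three rules match the layout the thread settles on (public web access plus LAN-initiated NetBIOS to the one DMZ host); the last three are the kinds of rule that would put the LAN back within reach of a compromised web server.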

