Re: Where to put the server

From: TRD (tdejohnx2_at_hotmail.com)
Date: 02/09/04


Date: Mon, 9 Feb 2004 11:39:03 -0500

Thanks again for the good info.

TRD

"Darwood" <darrenw@nospamme.woodfordcomputers.co.uk> wrote in message
news:urN3yTy7DHA.2472@TK2MSFTNGP10.phx.gbl...
> Just reread the thread and if it also needs to be accessible from internet
> then leave it on the server in the DMZ. Someone here should be able to help
> you configure ISA to meet your needs. Mariette's site at
> http://www.smallbizserver.net is a pretty good place to start.
>
> --
> Darwood
>
> Remove nospamme from email address to reply.
>
> "TRD" <tdejohnx2@hotmail.com> wrote in message
> news:OmGuadx7DHA.2812@TK2MSFTNGP11.phx.gbl...
> > Thanks for your help. I did end up placing the 2003 IIS box in the DMZ. I
> > will try and get up with the vendor of the custom app to see if I can move
> > it.
> >
> > Thanks again for your help
> >
> >
> > TRD
> >
> >
> > "Darwood" <darrenw@nospamme.woodfordcomputers.co.uk> wrote in message
> > news:O14Y6Ww7DHA.2480@TK2MSFTNGP12.phx.gbl...
> > > Put the 2003 IIS Server in the DMZ. If you can, shift the custom app to
> > > the SBS box or another LAN server. If not possible then you should be
> > > able to configure your ISA server to allow only the required traffic
> > > between your LAN and the DMZ. This should give your users the apps they
> > > need and still maintain a reasonable level of security.
> > >
> > > --
> > > Darwood
> > >
> > > Remove nospamme from email address to reply.
> > >
> > > "TRD" <tdejohnx2@hotmail.com> wrote in message
> > > news:#1LTkwr7DHA.2300@TK2MSFTNGP10.phx.gbl...
> > > > Yes this scenario is far from normal. I am not trying to move the
> > > > sbs2000 or the clients from the LAN. My dilemma is that I have a
> > > > Win2003 server that is running IIS for their website. The IIS box is
> > > > also home to a custom made application that is tied into the data that
> > > > the website uses.
> > > >
> > > > Dilemma:
> > > > Do I put the IIS server on the LAN or do I place the IIS box in the DMZ
> > > > and enable Netbios over tcp/ip (which the custom app uses to communicate
> > > > with the clients). The application doesn't seem to be the best thought
> > > > out design. But I can't change that.
> > > >
> > > > With the webserver in the DMZ and netbios running over tcp how safe is
> > > > it for the internal network. I have a SonicWall in front of the DMZ.
> > > >
> > > > I am just thinking that the web server on the LAN is not a good idea.
> > > > For obvious reasons. Any ideas?
> > > >
> > > >
> > > > Thanks for the help.
> > > >
> > > > TRD
> > > >
> > > >
> > > > "Jeff Middleton [SBS-MVP]" <jeff@cfisolutions.com> wrote in message
> > > > news:OyH4NdN7DHA.1716@TK2MSFTNGP10.phx.gbl...
> > > > > This conversation is quickly leaving the term "normal" out of the
> > > > > topic.
> > > > >
> > > > > If you have an SBS running as the DC of a domain with LAN clients,
> > > > > then you can't put the SBS in DMZ without putting the clients in DMZ
> > > > > as well, otherwise they can't reach the SBS without tunneling into the
> > > > > DMZ, and now we have a circular condition that really makes no sense.
> > > > > Windows Networks pretty much still require Netbios, and doing it
> > > > > without Netbios is a bit of an exotic concept not suited to most
> > > > > scenarios.
> > > > >
> > > > > The normal way to approach this situation with a single server would
> > > > > be to construct a normal LAN with the SBS and its clients, then
> > > > > preferably run a secure website on the SBS if you must, and keep the
> > > > > website behind either a forward firewall, or ISA on the SBS. A
> > > > > preferred approach would be to acquire another server, perhaps running
> > > > > Windows Server Web Edition and put that machine in DMZ between a pair
> > > > > of firewalls, one of which separates the SBS LAN from the DMZ.
> > > > >
> > > > >
> > > > > "TRD" <tdejohnx2@hotmail.com> wrote in message
> > > > > news:erkzOpM7DHA.3304@tk2msftngp13.phx.gbl...
> > > > > > There is a custom application that they have. It has a piece that
> > > > > > is accessible from the internet and another separate component that
> > > > > > is for the LAN users. It is not the best thought out software I have
> > > > > > ever seen.
> > > > > >
> > > > > > "Darwood" <darrenw@nospamme.woodfordcomputers.co.uk> wrote in message
> > > > > > news:Odi9gHJ7DHA.1632@TK2MSFTNGP12.phx.gbl...
> > > > > > > If the web server is going to be accessible from the internet
> > > > > > > then put it in the DMZ. If you leave it on the LAN then if it is
> > > > > > > compromised your whole LAN is vulnerable. Why do the clients need
> > > > > > > netbios access to the server?
> > > > > > >
> > > > > > > --
> > > > > > > Darwood
> > > > > > >
> > > > > > > Remove nospamme from email address to reply.
> > > > > > >
> > > > > > > "TRD" <tdejohnx2@hotmail.com> wrote in message
> > > > > > > news:ePatQLB7DHA.1592@TK2MSFTNGP10.phx.gbl...
> > > > > > > > I have an sbs2000 network with the standard 2 NIC setup. We are
> > > > > > > > going to host a site on a Windows 2003 server that has a custom
> > > > > > > > application that clients on the local network need to access. If
> > > > > > > > I add this website to the Windows 2003 box, should I move the
> > > > > > > > server to the DMZ or leave it on the internal network?
> > > > > > > >
> > > > > > > > With the webserver on the LAN how big of a security risk will it
> > > > > > > > be.
> > > > > > > >
> > > > > > > > If I move the server to the DMZ I still have a SonicWall in front
> > > > > > > > of it but will have to use netbios over tcp for the clients on
> > > > > > > > the LAN to get to it. Is this about the same as having it on the
> > > > > > > > LAN??
> > > > > > > >
> > > > > > > >
> > > > > > > > TIA
> > > > > > > >
> > > > > > > > TRD
> > > > > > > >
> > > > > > > >
> > > > > > >
> > > > > > >
> > > > > >
> > > > > >
> > > > >
> > > > >
> > > >
> > > >
> > >
> > >
> >
> >
>
>
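
The advice in the thread to allow only the required traffic between the LAN and the DMZ, shown as an added example (not code from any poster, and not ISA Server or SonicWall configuration): a default-deny zone policy checked against constructed flows. The zone names, rule table and sample flows are assumptions; the ports are the standard NetBIOS over TCP/IP ones (137/udp, 138/udp, 139/tcp).

```python
from dataclasses import dataclass

# Standard NetBIOS over TCP/IP services: name (137/udp), datagram (138/udp), session (139/tcp).
NETBIOS = {("udp", 137), ("udp", 138), ("tcp", 139)}
WEB = {("tcp", 80), ("tcp", 443)}

@dataclass(frozen=True)
class Flow:
    src_zone: str   # zone of the host that initiates the connection
    dst_zone: str
    proto: str
    dport: int

# Assumed policy for the thread's layout, keyed by (initiator zone, target zone).
# A stateful firewall is assumed, so replies need no rule of their own.
# Anything not listed is denied, including every DMZ-initiated connection to the LAN.
POLICY = {
    ("internet", "dmz"): WEB,        # public website on the IIS box
    ("lan", "dmz"): WEB | NETBIOS,   # LAN clients reach the site and the custom app
}

def is_allowed(flow, policy=POLICY):
    """Default deny: permit only if the zone pair lists this protocol/port."""
    return (flow.proto, flow.dport) in policy.get((flow.src_zone, flow.dst_zone), set())

def audit(flows, policy=POLICY):
    """Return the flows the policy would block, for comparison with firewall logs."""
    return [f for f in flows if not is_allowed(f, policy)]

def risky_rules(policy=POLICY):
    """Flag rules that expose NetBIOS to the internet or let the DMZ initiate to the LAN."""
    findings = []
    for (src, dst), services in policy.items():
        if src == "internet" and services & NETBIOS:
            findings.append(f"NetBIOS exposed to internet via {src}->{dst}")
        if src == "dmz" and dst == "lan" and services:
            findings.append(f"DMZ may initiate to LAN on {sorted(services)}")
    return findings

# Constructed sample flows (not taken from any real log).
SAMPLE = [
    Flow("internet", "dmz", "tcp", 443),  # visitor to the website
    Flow("lan", "dmz", "tcp", 139),       # LAN client to the custom app
    Flow("internet", "dmz", "tcp", 139),  # NetBIOS from outside
    Flow("dmz", "lan", "tcp", 139),       # web server initiating toward the LAN
]

if __name__ == "__main__":
    for f in audit(SAMPLE):
        print("DENY", f)
    print(risky_rules() or "no risky rules")
```
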


