Re: SBS2000 and a DMZ



> So the question is (drum roll) can I access the W2K3 server from "inside"
> the secure network? and if so HOW.

"Access" is a very broad term (it could mean RDP access, which you certainly
should have)... you need to be more specific. However, due to the nature of
your question I assume you mean access like it was on the local network
(file/printers, etc.). If so, I don't believe you can do this without
compromising your security. The whole purpose of the DMZ is to prevent this
from working... if you open ports in ISA like a Swiss cheese then it will
defeat the whole purpose of having a DMZ.

However, keep reading...

> I have created this configuration...but will entertain any and all
> suggestions...

Most of the stuff you want to do would be impossible with your current
config (for example using SUS would require GPOs and the laptops are not
even inside the domain). I think the key here will be to modify your setup
in order to keep it secure and do what you need to do.

Why do you want all those boxes in the DMZ? If the laptops are trustworthy
put them inside the domain just like PCs. This would require putting the WAP
inside the domain, so you need to secure it. I would get a WAP access point
that supports EAP-TLS and deploy RADIUS (i.e. not use crappy WEP or WPA).

The Win2k3 server can probably be safely inserted on the SBS domain and only
web publish the protocols absolutely necessary to work from the internet. If
not, then your only option is to keep the Win2k3 in the DMZ and get another
server to split the chores (media server on the DMZ and file/print server
inside).

My $0.02

--
Javier [SBS MVP]
www.msmvps.com/javier
<< SBS ROCKS!!! >>

