Re: SBS2000 and a DMZ



Thank you Javier,

This network is my HOME network that I use as a test bed to learn things
before going to a client and attempting to learn "on the clock".

The (4) systems in the DMZ are my sons' desktops and laptops.

They go EVERYWHERE on the internet and download all types of malware and
other crap.

They originally were members of the domain and subject to my ISA policies,
but could not get CDDB (an internet service that is used to identify music
when ripping from CD to MP3). Also they could not do all the Instant
messaging that they wanted. But most of all, I felt that my server and
desktops were in jeopardy from their internet indiscretions. They are not
babies (28 and 19 years old) and would stop if I asked but, I thought I did
not want to risk an attack or virus infection or ad/mal ware due to them and
yet I still wanted them to have free access to whatever they want to do.

The W2K3 server is a recent addition and I wanted it for storage of the boys'
music and my video (I am converting all my celluloid movies to digital).

I have used it as a training exercise in setting up W2K3 and adding roles to
it.

I have mirrored the boot drive (80GB) and added an additional large hard
disk for extra storage.

It has a DVD RW and CD RW.

So to boil it down, your suggestion is to bring the boys back into the fold
and allow IM, CDDB (I cannot find what protocol and ports need to be opened
for this) and move the W2K3 into the domain.

I see where that simplifies a lot...SUS/SAV etc. but am worried about mal/ad
ware and viruses.

Thank you again for your input and help in this "training" exercise. The
knowledge I obtain here has great value and helps me become a better SBS'er.

RickD

BTW...I do not serve anything out to the internet...the streaming media
role is intended for intranet usage only.

I do RDP into the servers from clients across the internet..I am having a
hard time finding the RDPCLIP program...all I can find is the hotfix.... so
if you can guide me to it, I'd appreciate the help.

RickD




"Javier Gomez [SBS MVP]" <javier_gomez@xxxxxxxxxxxxxxxxxxxxxxxx> wrote in
message news:OuDOJvdRFHA.2792@xxxxxxxxxxxxxxxxxxxxxxx
> > So the question is (drum roll) can I access the W2K3 server from "inside"
> > the secure network? and if so HOW.
>
> "Access" is a very broad term (it could mean RDP access, which you
> certainly should have)... you need to be more specific. However, due to
> the nature of your question I assume you mean access like it was on the
> local network (file/printers, etc.). If so, I don't believe you can do
> this without compromising your security. The whole purpose of the DMZ is
> to prevent this from working... if you open ports in ISA like a Swiss
> cheese then it will defeat the whole purpose of having a DMZ.
>
> However, keep reading...
>
> > I have created this configuration...but will entertain any and all
> > suggestions...
>
> Most of the stuff you want to do would be impossible with your current
> config (for example using SUS would require GPOs and the laptops are not
> even inside the domain). I think the key here will be to modify your setup
> in order to keep it secure and do what you need to do.
>
> Why do you want all those boxes in the DMZ? If the laptops are trustworthy
> put them inside the domain just like PCs. This would require putting the
> WAP inside the domain, so you need to secure it. I would get a WAP access
> point that supports EAP-TLS and deploy RADIUS (i.e. not use crappy WEP or
> WPA).
>
> The Win2k3 server can probably be safely inserted on the SBS domain and
> only web publish the protocols absolutely necessary to work from the
> internet. If not, then your only option is to keep the Win2k3 in the DMZ
> and get another server to split the chores (media server on the DMZ and
> file/print server inside).
>
> My $0.02
>
> --
> Javier [SBS MVP]
> www.msmvps.com/javier
> << SBS ROCKS!!! >>
>
>

