Re: SBS2000 and a DMZ



Just to add a thought - AFAIK SUS does not require domain membership, just
appropriate registry entries on the clients, the ability for the DMZ
machines to contact it, and permissions to read the necessary web
directories. Perhaps you could publish SUS to the DMZ segment. Don't know
SAV, but if it uses http for communications, I would think you could
possibly do that as well. I would definitely want to be sure the desktops
don't have write access to anything on the internal segment.

I'd poke around on isaserver.org etc. and see what you can find. Definitely
an interesting project, and a good learning opportunity - now I want to try
something like this : )

DS


"Rick Dilley" <rdilley@xxxxxxxxxxxxxxxx> wrote in message
news:OPJVn$eRFHA.1500@xxxxxxxxxxxxxxxxxxxxxxx
> Thank you Javier,
>
> This network is my HOME network that I use as a test bed to learn things
> before going to a client and attempting to learn "on the clock".
>
> The (4) systems in the DMZ are my sons' desktops and laptops.
>
> They go EVERYWHERE on the internet and download all types of malware and
> other crap.
>
> They originally were members of the domain and subject to my ISA policies,
> but could not get CDDB (an internet service that is used to identify music
> when ripping from CD to MP3). Also they could not do all the instant
> messaging that they wanted. But most of all, I felt that my server and
> desktops were in jeopardy from their internet indiscretions. They are not
> babies (28 and 19 years old) and would stop if I asked, but I thought I did
> not want to risk an attack or virus infection or ad/malware due to them and
> yet I still wanted them to have free access to whatever they want to do.
>
> The W2K3 server is a recent addition and I wanted it for storage of the boys'
> music and my video (I am converting all my celluloid movies to digital).
>
> I have used it as a training exercise in setting up W2K3 and adding roles
> to it.
>
> I have mirrored the boot drive (80GB) and added an additional large hard
> disk for extra storage.
>
> It has a DVD RW and CD RW.
>
> So to boil it down, your suggestion is to bring the boys back into the fold
> and allow IM, CDDB (I cannot find what protocol and ports need to be opened
> for this) and move the W2K3 into the domain.
>
> I see where that simplifies a lot... SUS/SAV etc. but am worried about
> mal/adware and viruses.
>
> Thank you again for your input and help in this "training" exercise. The
> knowledge I obtain here has great value and helps me become a better
> SBS'er.
>
> RickD
>
> BTW... I do not serve anything out to the internet... the streaming media
> role is intended for intranet usage only.
>
> I do RDP into the servers from clients across the internet. I am having a
> hard time finding the RDPCLIP program... all I can find is the hotfix, so
> if you can guide me to it, I'd appreciate the help.
>
> RickD
>
>
>
>
> "Javier Gomez [SBS MVP]" <javier_gomez@xxxxxxxxxxxxxxxxxxxxxxxx> wrote in
> message news:OuDOJvdRFHA.2792@xxxxxxxxxxxxxxxxxxxxxxx
>> > So the question is (drum roll) can I access the W2K3 server from "inside"
>> > the secure network? and if so HOW.
>>
>> "Access" is a very broad term (it could mean RDP access, which you certainly
>> should have)... you need to be more specific. However, due to the nature of
>> your question I assume you mean access like it was on the local network
>> (file/printers, etc.). If so, I don't believe you can do this without
>> compromising your security. The whole purpose of the DMZ is to prevent this
>> from working... if you open ports in ISA like Swiss cheese then it will
>> defeat the whole purpose of having a DMZ.
>>
>> However, keep reading...
>>
>> > I have created this configuration... but will entertain any and all
>> > suggestions...
>>
>> Most of the stuff you want to do would be impossible with your current
>> config (for example using SUS would require GPOs and the laptops are not
>> even inside the domain). I think the key here will be to modify your setup
>> in order to keep it secure and do what you need to do.
>>
>> Why do you want all those boxes in the DMZ? If the laptops are trustworthy
>> put them inside the domain just like PCs. This would require putting the WAP
>> inside the domain, so you need to secure it. I would get a WAP access point
>> that supports EAP-TLS and deploy RADIUS (i.e. not use crappy WEP or WPA).
>>
>> The Win2k3 server can probably be safely inserted on the SBS domain and only
>> web publish the protocols absolutely necessary to work from the internet. If
>> not, then your only option is to keep the Win2k3 in the DMZ and get another
>> server to split the chores (media server on the DMZ and file/print server
>> inside).
>>
>> My $0.02
>>
>> --
>> Javier [SBS MVP]
>> www.msmvps.com/javier
>> << SBS ROCKS!!! >>
>>
>>
>
>
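DS's point that SUS needs only the right client-side registry entries, not domain membership, can be shown with the policy values a GPO would otherwise push. This is an added example, not code from the thread or from Microsoft; the SUS URL published into the DMZ and an elevated PowerShell session on the client are assumptions.

```powershell
# Added example: point a non-domain DMZ client at a SUS server by writing the
# same WindowsUpdate policy values a GPO would set (no domain membership needed).
# Assumptions: the SUS server is reachable from the DMZ at $SusUrl (placeholder)
# and this runs elevated on the client.
param(
    [string]$SusUrl = 'http://sus.dmz.example.local'   # placeholder, replace
)

$base = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$au   = Join-Path $base 'AU'

# Accept only a bare http(s) URL to the server; SUS is served over HTTP, and
# a mistyped path here silently leaves the client unpatched.
if ($SusUrl -notmatch '^https?://[^/\s]+/?$') {
    throw "SusUrl must be a bare http(s) URL to the SUS server, got '$SusUrl'"
}

foreach ($key in $base, $au) {
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
}

# Where approved updates are fetched from, and where status is reported.
Set-ItemProperty -Path $base -Name WUServer       -Value $SusUrl -Type String
Set-ItemProperty -Path $base -Name WUStatusServer -Value $SusUrl -Type String

# Use the intranet server instead of public Windows Update, and auto-install
# (AUOptions 4) every day (ScheduledInstallDay 0) at 03:00.
Set-ItemProperty -Path $au -Name UseWUServer          -Value 1 -Type DWord
Set-ItemProperty -Path $au -Name NoAutoUpdate         -Value 0 -Type DWord
Set-ItemProperty -Path $au -Name AUOptions            -Value 4 -Type DWord
Set-ItemProperty -Path $au -Name ScheduledInstallDay  -Value 0 -Type DWord
Set-ItemProperty -Path $au -Name ScheduledInstallTime -Value 3 -Type DWord

# Read back what the client will actually use before trusting it.
Get-ItemProperty -Path $base | Select-Object WUServer, WUStatusServer
Get-ItemProperty -Path $au   | Select-Object UseWUServer, AUOptions

# Restart Automatic Updates so the new policy is picked up.
Restart-Service -Name wuauserv -ErrorAction Stop
```

The only traffic this requires through ISA is HTTP from the DMZ segment to the published SUS address, which keeps the desktops without write access to anything on the internal segment, as DS recommends.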

