Re: SBS2000 and a DMZ
- From: "Rick Dilley" <rdilley@xxxxxxxxxxxxxxxx>
- Date: Thu, 21 Apr 2005 13:11:31 -0400
Thanks for the suggestions Dave, I will work on this later this week.
BTW
At a TechNet all-day seminar 6 months ago the presenter discussed the MS
direction of creating this DMZ scenario and allowing the network
administrator to REQUIRE a current MS patch level and also the ability to
validate AV client and definition level BEFORE passing the mobile user into
the mission critical network.
The scenario would allow the netadmin to "push" out the required updates to
the mobile user and then allow them access.
I have not heard another word about this, but it seemed so incredibly
obvious to me, IMHO, that this is the answer to securing the mission
critical network while still allowing remote and mobile users full access
after passing the netadmin specified criteria.
The remote/mobile users can traipse all over the internet and collect all
types of "bad" stuff but would be "cleaned up" before they are let back into
the "house". Just like my sons... they'd go out and get full of mud, but
my wife made them strip down to the skivvies in the "mud room" and then sent
them to the shower before letting them back into the house. Does she know
Bill Gates or what!
I guess that is the schema that I am trying to create...
RickD
"Dave Stoecker" <david_stoecker@xxxxxxxxxxxxxxxxx> wrote in message
news:OcMWTqoRFHA.3928@xxxxxxxxxxxxxxxxxxxxxxx
> Just to add a thought - AFAIK SUS does not require domain membership, just
> appropriate registry entries on the clients, the ability for the DMZ
> machines to contact it, and permissions to read the necessary web
> directories. Perhaps you could publish SUS to the DMZ segment. Don't know
> SAV, but if it uses http for communications, I would think you could
> possibly do that as well. I would definitely want to be sure the desktops
> don't have write access to anything on the internal segment.
>
> I'd poke around on isaserver.org etc. and see what you can find. Definitely
> an interesting project, and a good learning opportunity - now I want to try
> something like this : )
>
> DS
>
>
> "Rick Dilley" <rdilley@xxxxxxxxxxxxxxxx> wrote in message
> news:OPJVn$eRFHA.1500@xxxxxxxxxxxxxxxxxxxxxxx
> > Thank you Javier,
> >
> > This network is my HOME network that I use as a test bed to learn things
> > before going to a client and attempting to learn "on the clock".
> >
> > The (4) systems in the DMZ are my sons' desktops and laptops.
> >
> > They go EVERYWHERE on the internet and download all types of malware and
> > other crap.
> >
> > They originally were members of the domain and subject to my ISA policies,
> > but could not get CDDB (an internet service that is used to identify music
> > when ripping from CD to MP3). Also they could not do all the Instant
> > Messaging that they wanted. But most of all, I felt that my server and
> > desktops were in jeopardy from their internet indiscretions. They are not
> > babies (28 and 19 years old) and would stop if I asked but, I thought I did
> > not want to risk an attack or virus infection or ad/malware due to them and
> > yet I still wanted them to have free access to whatever they want to do.
> >
> > The W2K3 server is a recent addition and I wanted it for storage of the boys'
> > music and my video (I am converting all my celluloid movies to digital).
> >
> > I have used it as a training exercise in setting up W2K3 and adding roles
> > to it.
> >
> > I have mirrored the boot drive (80GB) and added an additional large hard
> > disk for extra storage.
> >
> > It has a DVD RW and CD RW.
> >
> > So to boil it down, your suggestion is to bring the boys back into the fold
> > and allow IM, CDDB (I cannot find what protocol and ports need to be opened
> > for this) and move the W2K3 into the domain.
> >
> > I see where that simplifies a lot... SUS/SAV etc. but am worried about
> > mal/adware and viruses.
> >
> > Thank you again for your input and help in this "training" exercise. The
> > knowledge I obtain here has great value and helps me become a better
> > SBS'er.
> >
> > RickD
> >
> > BTW... I do not serve anything out to the internet... the streaming media
> > role is intended for intranet usage only.
> >
> > I do RDP into the servers from clients across the internet. I am having a
> > hard time finding the RDPCLIP program... all I can find is the hotfix... so
> > if you can guide me to it, I'd appreciate the help.
> >
> > RickD
> >
> >
> >
> >
> > "Javier Gomez [SBS MVP]" <javier_gomez@xxxxxxxxxxxxxxxxxxxxxxxx> wrote in
> > message news:OuDOJvdRFHA.2792@xxxxxxxxxxxxxxxxxxxxxxx
> >> > So the question is (drum roll) can I access the W2K3 server from "inside"
> >> > the secure network? And if so HOW.
> >>
> >> "Access" is a very broad term (it could mean RDP access, which you certainly
> >> should have)... you need to be more specific. However, due to the nature of
> >> your question I assume you mean access like it was on the local network
> >> (file/printers, etc.). If so, I don't believe you can do this without
> >> compromising your security. The whole purpose of the DMZ is to prevent this
> >> from working... if you open ports in ISA like a Swiss cheese then it will
> >> defeat the whole purpose of having a DMZ.
> >>
> >> However, keep reading...
> >>
> >> > I have created this configuration... but will entertain any and all
> >> > suggestions...
> >>
> >> Most of the stuff you want to do would be impossible with your current
> >> config (for example using SUS would require GPOs and the laptops are not
> >> even inside the domain). I think the key here will be to modify your setup
> >> in order to keep it secure and do what you need to do.
> >>
> >> Why do you want all those boxes in the DMZ? If the laptops are trustworthy
> >> put them inside the domain just like PCs. This would require putting the WAP
> >> inside the domain, so you need to secure it. I would get a WAP access point
> >> that supports EAP-TLS and deploy RADIUS (i.e. not use crappy WEP or WPA).
> >>
> >> The Win2k3 server can probably be safely inserted on the SBS domain and only
> >> web publish the protocols absolutely necessary to work from the internet. If
> >> not, then your only option is to keep the Win2k3 in the DMZ and get another
> >> server to split the chores (media server on the DMZ and file/print server
> >> inside).
> >>
> >> My $0.02
> >>
> >> --
> >> Javier [SBS MVP]
> >> www.msmvps.com/javier
> >> << SBS ROCKS!!! >>
> >>
> >>
> >
> >
>
>
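The "mud room" idea at the top of this thread (hold a returning mobile client in the quarantine/DMZ segment until it proves a current patch level and an up-to-date AV client, then push the missing pieces and let it in) is, at its core, a policy decision over a client posture report. The following is an added example, written for this page and not code from the thread, from Microsoft or from any product named here. It assumes a client can report its installed patches and AV state; the report format, the patch IDs (KB-EXAMPLE-*), the AV product name and the policy values are all constructed for illustration.

```python
"""Illustrative quarantine-before-admission check (added example, not from the thread).

A returning mobile client reports its installed patches and AV state; the
policy decides whether it may leave the quarantine/DMZ segment or must first
remediate. Patch IDs, product names and the report format are constructed.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Optional


@dataclass(frozen=True)
class Policy:
    required_patches: frozenset[str]     # every client must have all of these
    approved_av_clients: frozenset[str]  # AV products the admin will accept
    max_def_age_days: int                # definitions older than this must update


@dataclass
class ClientReport:
    host: str
    installed_patches: set[str]
    av_client: Optional[str]             # None means no AV client detected
    av_def_date: Optional[date]          # date of the loaded definition set


@dataclass
class Decision:
    admit: bool
    remediation: list[str] = field(default_factory=list)  # what the netadmin must "push"


def evaluate(report: ClientReport, policy: Policy, today: date) -> Decision:
    """Return admit=True only when every policy check passes; otherwise list the fixes."""
    todo: list[str] = []

    # Patch level: every required patch must be present.
    missing = sorted(policy.required_patches - report.installed_patches)
    if missing:
        todo.append("install patches: " + ", ".join(missing))

    # AV client: must exist, be an approved product, and have fresh definitions.
    if report.av_client is None:
        todo.append("install an approved AV client")
    elif report.av_client not in policy.approved_av_clients:
        todo.append(f"replace unapproved AV client {report.av_client!r}")
    elif (report.av_def_date is None
          or today - report.av_def_date > timedelta(days=policy.max_def_age_days)):
        todo.append("update AV definitions")

    return Decision(admit=not todo, remediation=todo)


# Constructed sample data: one policy and three clients coming back from the road.
POLICY = Policy(
    required_patches=frozenset({"KB-EXAMPLE-001", "KB-EXAMPLE-002"}),
    approved_av_clients=frozenset({"ExampleAV"}),
    max_def_age_days=7,
)
TODAY = date(2005, 4, 21)  # the thread's date

SAMPLE_REPORTS = [
    ClientReport("laptop-1", {"KB-EXAMPLE-001", "KB-EXAMPLE-002"}, "ExampleAV", TODAY - timedelta(days=2)),
    ClientReport("laptop-2", {"KB-EXAMPLE-001"}, "ExampleAV", TODAY - timedelta(days=30)),
    ClientReport("desktop-3", {"KB-EXAMPLE-001", "KB-EXAMPLE-002"}, None, None),
]


def run_demo() -> dict[str, Decision]:
    """Evaluate every sample client and return the decisions keyed by host."""
    return {r.host: evaluate(r, POLICY, TODAY) for r in SAMPLE_REPORTS}


if __name__ == "__main__":
    for host, decision in run_demo().items():
        state = "ADMIT" if decision.admit else "QUARANTINE"
        tail = " -> " + "; ".join(decision.remediation) if decision.remediation else ""
        print(f"{host}: {state}{tail}")
```

The remediation list is the part worth keeping in a real design: a quarantine segment is only useful if the client can reach the update and AV definition sources (the SUS/SAV publishing Dave mentions) while it is still in quarantine, and nothing else on the internal segment.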