Re: Domain in ISA2004 dmz



I would opt to do this...

1. Put the services that are needed to 'listen' for incoming internet requests:
   http
   nntp (if you need it)
   smtp
   vpn

2. Build a child domain off your main prod domain (I used dmz.seattle.demo in
my case) and I have mushu.dmz.seattle.demo as a valid host on the DMZ subnet
(10.0.0.x).

3. I set up a one-way trust... DMZ trusts seattle.demo but seattle.demo does
NOT trust DMZ...

4. I then poke the needed holes in the internal ISA box (I have a PIX as my
front end) to backend resources... (SQL/RDP/SMTP/etc.)

5. I use rules that are VERY specific for those backend firewall rules...
I allow ONLY SMTP from the SMTP relay through the backend TO the Exchange
server (nothing else), and the same goes for the other needed 'holes'.

That is a start... the rest is more along the lines of password policies, event
log settings, etc...


r


"barryfz" <barry@xxxxxxxxxxxxx> wrote in message
news:e07RxECfFHA.2424@xxxxxxxxxxxxxxxxxxxxxxx
> One more thing.
>
>
> Would it just be better if we left nothing but the web servers in the DMZ
> and put the SQL servers and file servers inside our internal domain, to be
> accessed by the web servers through the internal ISA?
>
> Barry
>
>
> "barryfz" <barry@xxxxxxxxxxxxx> wrote in message
> news:ub4yJ6BfFHA.1472@xxxxxxxxxxxxxxxxxxxxxxx
>> We have a DMZ set up using two ISA 2004 servers. Everything is running
>> fine. We are beginning to add more web servers (in a farm configuration) and
>> other servers in the DMZ. This is making management more difficult. We
>> would like to set up a domain in the DMZ but we are not sure how to
>> proceed.
>>
>> 1. Should this domain be named the same as our web domain (i.e.
>> ourcompany.com)? This is the web site for that domain name.
>> 2. Should the external ISA be joined to that domain? If yes, what
>> consequences does that have for the internal ISA talking to it?
>>
>> Thanks for any help.
>>
>> --
>> Barry
>>
>
>
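Step 5 of the reply (allow only the one flow each backend 'hole' needs, and nothing else) is the part of this design that is easiest to get wrong over time, so here is an added example that is not part of the original post and is not ISA 2004 or PIX configuration: a small first-match allowlist evaluator with default deny, plus a lint that flags any allow rule broader than one source host, one destination host and one service. The DMZ subnet 10.0.0.0/24 comes from the reply; the internal subnet 192.168.1.0/24 and every individual host address (relay, web server, Exchange, SQL, file server) are constructed for illustration.

```python
"""Added example (not ISA 2004 or PIX configuration): a first-match allowlist
with default deny, modelling the 'very specific' backend rules of step 5, plus
a lint that flags any allow rule broader than one source host, one destination
host and one service. All host addresses below are constructed for illustration."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, NamedTuple, Union

ANY = "any"  # wildcard for a rule field


class Flow(NamedTuple):
    src: str    # source IP
    dst: str    # destination IP
    proto: str  # "tcp" or "udp"
    port: int   # destination port


@dataclass(frozen=True)
class Rule:
    name: str
    src: str                 # CIDR (single host = /32) or ANY
    dst: str                 # CIDR or ANY
    proto: str               # "tcp", "udp" or ANY
    port: Union[int, str]    # port number or ANY
    action: str              # "allow" or "deny"

    def matches(self, flow: Flow) -> bool:
        return (
            _addr_in(self.src, flow.src)
            and _addr_in(self.dst, flow.dst)
            and self.proto in (ANY, flow.proto)
            and self.port in (ANY, flow.port)
        )


def _addr_in(spec: str, addr: str) -> bool:
    return spec == ANY or ip_address(addr) in ip_network(spec, strict=False)


def _single_host(spec: str) -> bool:
    return spec != ANY and ip_network(spec, strict=False).num_addresses == 1


# Constructed topology: DMZ subnet 10.0.0.0/24 as in the reply; the internal
# subnet 192.168.1.0/24 and every individual host address are assumptions.
BACKEND_RULES = [
    Rule("smtp-relay-to-exchange", "10.0.0.25/32", "192.168.1.10/32", "tcp", 25, "allow"),
    Rule("web-farm-to-sql", "10.0.0.80/32", "192.168.1.20/32", "tcp", 1433, "allow"),
    Rule("default-deny", ANY, ANY, ANY, ANY, "deny"),  # everything else is refused
]


def evaluate(rules: List[Rule], flow: Flow):
    """First matching rule wins; a flow matching nothing is denied."""
    for rule in rules:
        if rule.matches(flow):
            return rule.action, rule.name
    return "deny", "implicit-deny"


def lint(rules: List[Rule]) -> List[str]:
    """Names of allow rules not pinned to one src host, one dst host and one port."""
    broad = []
    for rule in rules:
        if rule.action != "allow":
            continue
        if not (_single_host(rule.src) and _single_host(rule.dst)
                and rule.proto != ANY and rule.port != ANY):
            broad.append(rule.name)
    return broad


if __name__ == "__main__":
    samples = [
        Flow("10.0.0.25", "192.168.1.10", "tcp", 25),    # relay -> Exchange: the one allowed hole
        Flow("10.0.0.25", "192.168.1.20", "tcp", 1433),  # relay -> SQL: denied, relay only gets SMTP
        Flow("10.0.0.80", "192.168.1.10", "tcp", 25),    # web -> Exchange: denied
        Flow("10.0.0.80", "192.168.1.30", "tcp", 445),   # web -> file server: denied
    ]
    for f in samples:
        print(f, "->", evaluate(BACKEND_RULES, f))
    print("broad allow rules:", lint(BACKEND_RULES))
```

The lint is the piece worth keeping around: when a later 'hole' is added as a whole subnet or with port ANY, it shows up by name, which is the review the reply's "VERY specific" wording is asking for.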

