Re: WSS v2 Intranet and Extranet config with DMZ...



We've got a lot of firewalling involved, so port rules are pretty strict. I
feel reasonably safe. We also have a DMZ AD with a one-way trust.

Not sure what to tell you about your satellite office.

tk
"s025jak" <s025jak@xxxxxxxxxxxxxx> wrote in message
news:10331553-DAEF-4AB8-AB57-4F30F6CFBFDC@xxxxxxxxxxxxxxxx
Todd,

Thanks for the info. We have a similar situation currently with the DB
server on our internal LAN and the WSS system on our DMZ. We have a domain
in each with a one-way trust setup so internal users can access the WSS
front-end with their internal credentials. I'm just not too fond of the
scenario because of the number of ports that need opened for the
communications. If there's no better option we'll keep using it in this
manner. I just haven't been able to find much from MS regarding their
recommendations minus ISA other than all internal or all external.

The other headache is one of our other offices needs a secure system in
place for internal and external access, but since they don't have a
separate domain in their DMZ, they are going to have to either put
everything internal or everything external for the WSS DB and front-end.
Any ideas on this?

Thanks for the information. It's what I'm looking for.

- Jason A. Kinder -

"Todd Klindt [MVP]" wrote:

I run a WSS site that is hosted in a DMZ without ISA. One reason you see
ISA brought up so much is because it's one of the only ways to easily,
successfully reverse proxy WSS v2. Plus, well, it's a Microsoft product.
They certainly aren't going to suggest you use someone else's product, even
if it's the best for the job.

We have a firewall between our WSS installation and the big bad Internet.
We only allow ports 80 and 443 through, and 80 just forwards to 443. Our
SQL and AD servers are on separate legs of the firewall, each only allowing
the traffic necessary. Finally our internal network is on another leg of
that firewall, which is how our internal folks access it.

Hope that helps.

tk
"s025jak" <s025jak@xxxxxxxxxxxxxx> wrote in message
news:7E5FB37C-9C61-40B0-8D37-89D2F17D178F@xxxxxxxxxxxxxxxx
Sally,

I understand that a detailed answer would be more of a consulting bit, but
I'm just looking for recommendations as what has been posted on the
Microsoft website is vague at best. Is there a reason why ISA is pushed so
much for securing WSS? We use Cisco PIX and CheckPoint NGX firewalls for
everything and moving platforms is not an option.

Is there some Microsoft documentation that recommends against putting WSS
in a DMZ? From an architecture point of view and enhancing security it
seems to make the most sense, but we have seen Microsoft reverse their
opinions in other implementations like this such as Exchange OWA and SMTP
servers in a DMZ. Thanks again.

- Jason Kinder -

