Re: WSS v2 Intranet and Extranet config with DMZ...



We've got a lot of firewalling involved, so port rules are pretty strict. I
feel reasonably safe. We also have a DMZ AD with a one way trust.

Not sure what to tell you about your satellite office.

tk
"s025jak" <s025jak@xxxxxxxxxxxxxx> wrote in message
news:10331553-DAEF-4AB8-AB57-4F30F6CFBFDC@xxxxxxxxxxxxxxxx
Todd,

Thanks for the info. We have a similar situation currently with the DB
server on our internal LAN and the WSS system on our DMZ. We have a
domain
in each with a one-way trust setup so internal users can access the WSS
front-end with their internal credentials. I'm just not too fond of the
scenario because of the number of ports that need opened for the
communications. If there's no better option we'll keep using it in this
manner. I just haven't been able to find much from MS regarding their
recommendations minus ISA other than all internal or all external.

The other headache is one of our other office needs a secure system in
place
for internal and external access, but since they don't have a separate
domain
in their DMZ, they are going to have to either put everything internal or
everything external for the WSS DB and front-end. Any ideas on this?

Thanks for the information. It's what I'm looking for.

- Jason A. Kinder -

"Todd Klindt [MVP]" wrote:

I run a WSS site that is hosted in a DMZ without ISA. One reason you see
ISA brought up so much is because it's one of the only ways to easily,
successfully reverse proxy WSS v2. Plus, well, it's a Microsoft product.
They certainly aren't going to suggest you use someone else's product,
even
if it's the best for the job.

We have a firewall between our WSS installation and the big bad Internet.
We only allow ports 80 and 443 through, and 80 just forwards to 443. Our
SQL and AD servers are on separate legs of the firewall, each only
allowing
the traffic necessary. Finally our internal network is on another leg of
that firewall, which is how our internal folks access it.

Hope that helps.

tk
"s025jak" <s025jak@xxxxxxxxxxxxxx> wrote in message
news:7E5FB37C-9C61-40B0-8D37-89D2F17D178F@xxxxxxxxxxxxxxxx
Sally,

I understand that a detailed answer would be more of a consulting bit,
but
I'm just looking for recommendations as what has been posted on the
Microsoft
website is vague at best. Is there a reason why ISA is pushed so much
for
securing WSS? We use Cisco PIX and CheckPoint NGX firewalls for
everything
and moving platforms is not an option.

Is there some Microsoft documentation that recommends against putting
WSS
in
a DMZ? From an architecture point of view and enhancing security it
seems
to
make the most sense, but we have seen Microsoft reverse their opinions
in
other implementations like this such as Exchange OWA and SMTP servers
in a
DMZ. Thanks again.

- Jason Kinder -


.