Re: Flat Domain DNS Problem



In news:AC4CD4AC-2754-49A2-8400-068AD2D646B7@xxxxxxxxxxxxx,
specialk <specialk@xxxxxxxxxxxxxxxxxxxxxxxxx> stated, which I then commented
on below:
> You are correct, I meant one domain, in one forest for all three
> sites when I said a "flat domain".
>
> I could just create the one entry for the DMZ's external addresses
> under my zone, but then the one site where the DMZ hosts are located
> wouldn't be able to access it because they can't cross the firewall
> twice - so that's not an option.
>
> The DMZ hosts are using another private IP Address (different from all
> others) and the firewall is translating the external public addresses
> to the private.
> The clients local to the DMZ hosts use the private addresses because
> we can't cross the firewall twice.
>
> The other sites can't use the local IP addresses, because I would
> have to open that up on the routers (no big deal) but there would be
> too much traffic at this time - thus why I would want the other two
> sites to use the internet to get to these resources.
>
> Since it is Active Directory integrated and we all have one zone, those
> entries already exist for local addresses they can't get to.
>
> I don't want them to access the hosts in the DMZ via the WAN because
> of traffic. I want the other two sites to go over the internet to
> access those resources.
>
> Sorry for the lengthy response, I just want to give you as much
> information as I can...
>
> Thanks for all your help, and I wouldn't mind giving you any more
> information in order to find the best solution.
>
> Thanks again - I really do appreciate it.
>
> "Ace Fekay [MVP]" wrote:

So you're saying the actual resource is an internal resource that is port
remapped at your NAT and not *really* on the DMZ? If so, then assuming you
have complete routable access between your private VPNs connecting all your
branches, all you need to do is reference the internal private IP.

You are correct, an internal host cannot access a port remapped resource
using a NAT device, essentially doing a 'U-Turn' for an internal resource
accessing the external interface of a NAT device and back in again. But they
can access it directly by its internal private IP.

This is all assuming your whole infrastructure can access every private
subnet you have at all branches at any given time. This is a normal setup
for many companies, as all my clients are set up that way. There is no need
to open up ports on the firewalls for your internal clients from other
branches to access it. It will, however, generate WAN traffic, which is going
to happen anyway.

Ace
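As an added illustration (not code from either poster), the following models the split-horizon answer policy the thread is circling around: the DMZ-local site gets the host's private address, other sites get the NAT'd public address, and an audit flags the two combinations that cannot work (a local client handed the public address, which would need a hairpin through the firewall, and a remote client handed a private address that is not routed over the WAN). The addresses, subnets and host name are constructed placeholders.

```python
import ipaddress

# Constructed sample data, not taken from the thread: the DMZ host's NAT'd
# public address, its private address, and the subnet of the site that
# hosts the DMZ. Remote sites are simply "anything outside that subnet".
PUBLIC_ADDR = ipaddress.ip_address("198.51.100.10")
PRIVATE_ADDR = ipaddress.ip_address("10.20.0.10")
DMZ_LOCAL_SITE = ipaddress.ip_network("10.20.0.0/16")


def answer_for(client_ip: str) -> str:
    """Split-horizon answer for the DMZ host.

    Clients on the DMZ-local site receive the private address (they cannot
    U-turn through the firewall); every other client receives the public
    address so that traffic goes over the Internet rather than the WAN.
    """
    client = ipaddress.ip_address(client_ip)
    return str(PRIVATE_ADDR if client in DMZ_LOCAL_SITE else PUBLIC_ADDR)


def is_usable(client_ip: str, answer: str) -> bool:
    """Check one (client, answer) pair against the two failure modes
    described in the thread."""
    client = ipaddress.ip_address(client_ip)
    addr = ipaddress.ip_address(answer)
    local = client in DMZ_LOCAL_SITE
    if local and addr == PUBLIC_ADDR:
        return False  # hairpin through the NAT's external interface fails
    if not local and addr == PRIVATE_ADDR:
        return False  # private DMZ subnet is not routed to the other sites
    return True


def audit(answers: dict) -> list:
    """Given {client_ip: answer} as a flat zone would hand them out,
    return the clients that would receive an address they cannot reach."""
    return [c for c, a in answers.items() if not is_usable(c, a)]


if __name__ == "__main__":
    # A single flat record pointing everyone at the private address
    # leaves the remote sites stranded; the split-horizon policy does not.
    flat = {"10.20.5.7": "10.20.0.10", "10.30.1.1": "10.20.0.10"}
    print("flat zone, unreachable for:", audit(flat))
    split = {c: answer_for(c) for c in flat}
    print("split horizon, unreachable for:", audit(split))
```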
