Re: Flat Domain DNS Problem
- From: "specialk" <specialk@xxxxxxxxxxxxxxxxxxxxxxxxx>
- Date: Thu, 7 Jul 2005 06:27:03 -0700
That's what I don't want to do - create WAN traffic. If I have the other two
sites access the resources via the internet, like anyone at home, that takes
the load off my WAN routers.
Clients local to that site do access that resource by the internal IP
address - but the other sites cannot use the internal address, because that
would mean that they could access it via the WAN, which they can't for
bandwidth reasons - as stated above.
Thanks again for all the input.
"Ace Fekay [MVP]" wrote:
> In news:AC4CD4AC-2754-49A2-8400-068AD2D646B7@xxxxxxxxxxxxx,
> specialk <specialk@xxxxxxxxxxxxxxxxxxxxxxxxx> stated, which I then commented
> on below:
> > You are correct, I meant one domain, in one forest for all three
> > sites when I said a "flat domain".
> >
> > I could just create the one entry for the DMZ's external addresses
> > under my zone, but then the one site where the DMZ hosts are located
> > wouldn't be able to access it because they can't cross the firewall
> > twice - so that's not an option.
> >
> > The DMZ hosts are using another private IP Address (different from all
> > others) and the firewall is translating the external public addresses
> > to the private.
> > The clients local to the DMZ hosts use the private addresses because
> > we can't cross the firewall twice.
> >
> > The other sites can't use the local IP addresses, because I would
> > have to open that up on the routers (no big deal) but there would be
> > too much traffic at this time - thus why I would want the other two
> > sites to use the internet to get to these resources.
> >
> > Since it is Active Directory Integrated and we all have one zone, those
> > entries already exist for local addresses they can't get to.
> >
> > I don't want them to access the hosts in the DMZ via the WAN because
> > of traffic. I want the other two sites to go over the internet to
> > access those resources.
> >
> > Sorry for lengthy response, I just want to give you as much
> > information as I can...
> >
> > Thanks for all your help, and I wouldn't mind giving you any more
> > information in order to find the best solution.
> >
> > Thanks again - I really do appreciate it.
> >
> > "Ace Fekay [MVP]" wrote:
>
> So you're saying the actual resource is an internal resource that is port
> remapped at your NAT and not *really* on the DMZ? If so, then assuming you
> have complete routable access between your private VPNs connecting all your
> branches, all you need to do is reference the internal private IP.
>
> You are correct, an internal host cannot access a port remapped resource
> using a NAT device, essentially doing a 'U-Turn' for an internal resource
> accessing the external interface of a NAT device and back in again. But they
> can access it directly by its internal private IP.
>
> This is all assuming your whole infrastructure can access every private
> subnet you have at all branches at any given time. This is a normal setup
> for many companies, as all my clients are set up that way. There is no need
> to open up ports on the firewalls for your internal clients from other
> branches to access it. It will, however, generate WAN traffic, which is going
> to happen anyway.
>
> Ace
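The constraint the thread circles around is that one flat zone can hand out only one address per name, while the poster needs two: the DMZ host's private address for clients behind the same firewall (who cannot hairpin through it) and its public NAT address for the remote sites (who should not cross the WAN). The usual answer is split-horizon DNS, where the answer depends on the querying client's source network; BIND does this with views. The model below is an added example, not code from the thread or from any DNS server, and every subnet, hostname and address in it is a constructed placeholder. It returns the per-view answer and also classifies the path a client would take for a given answer, so you can see why neither single flat-zone record satisfies all sites.

```python
# Added example (not code from the thread): a small split-horizon DNS model
# that returns a DMZ host's private address to clients behind the same
# firewall and its public NAT address to everyone else. All names, subnets
# and addresses below are constructed placeholders.
import ipaddress

# Constructed site layout. Site A hosts the DMZ behind the NAT firewall;
# the other two sites (e.g. 10.2.0.0/16, 10.3.0.0/16) reach the DMZ hosts
# over the internet rather than over the WAN links.
SITE_A_LAN = ipaddress.ip_network("10.1.0.0/16")
DMZ_NET = ipaddress.ip_network("10.9.0.0/24")

# Clients in these networks sit behind the DMZ firewall and cannot "U-turn"
# through its external interface, so they must be given the private address.
BEHIND_FIREWALL = [SITE_A_LAN, DMZ_NET]

# Each DMZ host has a private address and the public address the firewall
# translates to it (203.0.113.0/24 is a documentation range, used here as a
# constructed public range).
RECORDS = {
    "www.example.corp": {"private": "10.9.0.10", "public": "203.0.113.10"},
    "mail.example.corp": {"private": "10.9.0.20", "public": "203.0.113.20"},
}


def select_view(client_ip):
    """Pick the view from the source address of the query."""
    addr = ipaddress.ip_address(client_ip)
    return "private" if any(addr in net for net in BEHIND_FIREWALL) else "public"


def resolve(name, client_ip):
    """Split-horizon answer for an A query; None models NXDOMAIN."""
    rec = RECORDS.get(name.lower().rstrip("."))
    if rec is None:
        return None
    return rec[select_view(client_ip)]


def classify_path(client_ip, answer):
    """Describe how a client would reach the returned address:
    'local'    - behind the firewall, private address: direct, works
    'hairpin'  - behind the firewall, public address: blocked by the firewall
    'wan'      - remote site, private address: crosses the WAN links
    'internet' - remote site, public address: goes out via the internet
    """
    addr = ipaddress.ip_address(client_ip)
    target = ipaddress.ip_address(answer)
    inside = any(addr in net for net in BEHIND_FIREWALL)
    private_target = target in DMZ_NET
    if inside:
        return "local" if private_target else "hairpin"
    return "wan" if private_target else "internet"


def policy_holds(name, clients):
    """True if every client gets an answer it can use without hairpinning
    the firewall or crossing the WAN."""
    for c in clients:
        ans = resolve(name, c)
        if ans is None or classify_path(c, ans) not in ("local", "internet"):
            return False
    return True


if __name__ == "__main__":
    sample = ["10.1.5.5", "10.9.0.50", "10.2.7.7", "10.3.1.1"]  # constructed
    for c in sample:
        ans = resolve("www.example.corp", c)
        print(f"{c:>10} -> {ans:<14} {classify_path(c, ans)}")
    # A single flat zone can only hand out one of the two addresses to all:
    for flat in ("10.9.0.10", "203.0.113.10"):
        print("flat zone", flat, [classify_path(c, flat) for c in sample])
    print("split-horizon policy holds:", policy_holds("www.example.corp", sample))
```

Running it shows the two failure modes side by side: with only the private record in the zone, the remote sites resolve to a path classified as "wan"; with only the public record, the local site gets "hairpin". Only the view-dependent answer yields "local" or "internet" for every client.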