Re: DMZ Advice



malc <gitso@xxxxxxxxxxxxxxxxx> wrote in
news:OZ3CRNa9FHA.1248@xxxxxxxxxxxxxxxxxxxx:

> Hi all,
>
> I am in the process of redesigning certain parts of my network. As I
> want to implement an L2TP VPN on Windows Server 2003 and have a
> protected IIS site (on a separate server to the VPN) available from
> the internet, I am looking at implementing a DMZ.
>
> As I understand it, I need to have a system designed a little like the
> following, with the only route through the DMZ into the internal
> network being through the VPN server with two network cards:
>
> Internet
> |
> Firewall
> | |
> | VPN + IIS (DMZ)
> | |
> Internal network
>
> The problem I am facing is how best to configure the VPN server in the
> DMZ; I am at the situation where clients connecting are given an IP
> address on the internal network (thus not really being part of the DMZ
> at all).
> Are there any tutorials on how this type of configuration should be
> achieved? Or am I missing something here?
>
> Thanks,
>
> Malc
>

Hi Malc --

I'm not sure what you are trying to accomplish -- do you want remote
clients to be able to connect to the internal network, the IIS server, or
both?

If the answer is both, you might consider moving the IIS server onto the
internal network. Then clients can connect to the LAN via the VPN server
and access the intranet resource (the IIS server). If you do this, the IIS
server is also in a more secure position.

If that isn't what you are trying to accomplish, please explain further and
I will be happy to help.


--
James McIllece, Microsoft

Please do not send email directly to this alias. This is my online account
name for newsgroup participation only.

This posting is provided "AS IS" with no warranties, and confers no rights.