Re: DMZ Advice




James McIllece [MS] wrote:
malc <gitso@xxxxxxxxxxxxxxxxx> wrote in
news:OZ3CRNa9FHA.1248@xxxxxxxxxxxxxxxxxxxx:



Hi all,

I am in the process of redesigning certain parts of my network. As I want to implement an L2TP VPN on Windows Server 2003 and have a
protected IIS site (on a separate server to the VPN) available from
the internet, I am looking at implementing a DMZ.


As I understand it, I need to have a system designed a little like
the following, with the only route through the DMZ into the internal
network being through the VPN server with two network cards:


    Internet
        |
    Firewall
     |     |
     |    VPN + IIS (DMZ)
     |     |
 Internal network

The problem I am facing is how best to configure the VPN server in the
DMZ; I am at the situation where clients connecting are given an IP address on the internal network (thus not really being part of the DMZ
at all).
Are there any tutorials on how this type of configuration should
be achieved? Or am I missing something here?


Thanks,

Malc



Hi Malc --

I'm not sure what you are trying to accomplish -- do you want remote clients to be able to connect to the internal network, the IIS server, or both?

If the answer is both, you might consider moving the IIS server onto the internal network. Then clients can connect to the LAN via the VPN server and access the intranet resource (the IIS server). If you do this, the IIS server is also in a more secure position.

If that isn't what you are trying to accomplish, please explain further and I will be happy to help.



James,

thanks for the reply.
I am looking to have two groups of clients, one that will have access to the internal network and one that will have access to the IIS server in the DMZ.


For this to work, I believe that all of the clients will need to be given an IP address in the DMZ, and the ones that need access to the internal network use the VPN server as a gateway.

So far, all of my attempts have failed - either the clients have an IP address in the DMZ and are able to access the IIS server but nothing else, or they have an IP address on the internal network bypassing the DMZ entirely.

thanks again,

Malc
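The design Malc describes in his second post (every remote client lands in the DMZ, and only one group is allowed onward through the VPN server's second NIC into the LAN) is easier to reason about if the firewall policy is written per address pool rather than per client. The following is an added illustration, not code from the thread or from either poster; the addresses, pool sizes and rule names are constructed assumptions. It models the two-pool policy as an ordered first-match rule list with a default deny, so you can check which flows each group gets before touching the real firewall.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

ANY = ipaddress.ip_network("0.0.0.0/0")

# Constructed sample addressing for the layout in the thread (not the poster's real numbers).
INTERNAL_NET = ipaddress.ip_network("192.168.10.0/24")   # behind the VPN server's second NIC
DMZ_NET      = ipaddress.ip_network("172.16.20.0/24")    # segment between the firewall legs
IIS_SERVER   = ipaddress.ip_network("172.16.20.10/32")   # the protected web server in the DMZ

# Two VPN address pools, both carved out of the DMZ segment so every remote client
# lands in the DMZ first; only POOL_INTERNAL is routed onward through the gateway.
POOL_DMZ_ONLY = ipaddress.ip_network("172.16.20.128/26")  # group A: IIS access only
POOL_INTERNAL = ipaddress.ip_network("172.16.20.192/26")  # group B: may reach the LAN


@dataclass(frozen=True)
class Rule:
    name: str
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    proto: str            # "tcp", "udp" or "any"
    port: Optional[int]   # None matches every port
    action: str           # "allow" or "deny"

    def matches(self, src, dst, proto, port) -> bool:
        return (src in self.src and dst in self.dst
                and self.proto in ("any", proto)
                and self.port in (None, port))


# Ordered, first-match policy. The last rule is the explicit default deny, which
# is what keeps group A (and anything else in the DMZ) away from the LAN.
POLICY = [
    Rule("any-dmz-client-to-iis-https", DMZ_NET, IIS_SERVER, "tcp", 443, "allow"),
    Rule("group-b-to-internal-lan", POOL_INTERNAL, INTERNAL_NET, "any", None, "allow"),
    Rule("default-deny", ANY, ANY, "any", None, "deny"),
]


def pool_for(ip: str) -> str:
    """Report which VPN pool (client group) an address was handed out from."""
    addr = ipaddress.ip_address(ip)
    if addr in POOL_DMZ_ONLY:
        return "group-a-dmz-only"
    if addr in POOL_INTERNAL:
        return "group-b-internal"
    return "not-a-vpn-client"


def evaluate(src_ip: str, dst_ip: str, proto: str, port: Optional[int]) -> str:
    """Return 'action:rule-name' for the first policy rule that matches the flow."""
    src = ipaddress.ip_address(src_ip)
    dst = ipaddress.ip_address(dst_ip)
    for rule in POLICY:
        if rule.matches(src, dst, proto, port):
            return f"{rule.action}:{rule.name}"
    return "deny:implicit"


if __name__ == "__main__":
    # Constructed walkthrough of the two groups against the IIS server and a LAN host.
    for client in ("172.16.20.130", "172.16.20.200"):
        print(pool_for(client),
              evaluate(client, "172.16.20.10", "tcp", 443),
              evaluate(client, "192.168.10.5", "tcp", 445))
```

The two symptoms Malc reports map directly onto this table: a single pool with only the first rule gives "IIS but nothing else", while handing clients internal addresses skips the DMZ rules altogether. Splitting the pool lets the second rule grant LAN access to one group without loosening anything for the other.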


