2 NICs DMZ
Hello out there gurus.... I have a question about Windows 2003 Server with
2 network cards. #1 network card is attached to my local network 172.X.
Network card #2 is hooked onto my DMZ 192.X with network load balancing.
My goal is to have a website for external users and internal users. Since I
use an external DNS I have to make my own DNS entries for websites and I use
the internal Network #1 card. I use Network Card #2 for DMZ -> PIX to
Internet.

Problem?

Since I can only have 1 gateway I used network card #2 to
add my default gateway. I then wanted to use the RAS LAN routing to add
static routes for the internal network #1. When going to configure the app,
RAS told me I needed to stop the ICS firewall service and disable it. I ended up
just adding the static routes via the command line (route add command
with -p). Now when I turn on the firewall I am unable to ping the #2 adapter
from a machine on the #1 network. ICMP is on and I can ping the internal adapter
#1. Does the firewall take out my static routes or disable my #2 adapter?
What am I doing wrong?

Goal...

To have web services via the #2 network card with network load
balancing. Windows 2003 firewall services to filter traffic from the internet to
prevent the #2 network from exposing my internal network #1 in the event IIS is
hacked or compromised.

I have this configuration on 2 other web servers and they run fine with no
firewall, just a pinhole in the PIX for HTTP traffic. I would love to just
keep the servers in the DMZ; however, for backups the 1 gig network is great
and the PIX is only 100 Mb and we can't afford a new PIX. I was hoping there
was a way to use the firewall to help ward off attackers that may have some
sort of IIS hack that may lead to remote code execution being run on my
server and exposing my internal network. Any information that I might be
able to use would be appreciated.

Network Card #1 172.X internal network -> to internal network switch on
servers subnet.

Network Card #2 192.X VLAN with network load balancing. External
network -> PIX -> border router -> internet

Thanks in advance.

JD
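As an added example (not from the original post, and not a reply to it): a small Python check that parses `route print` output in the Windows Server 2003 layout and confirms the split JD describes, with a single default route leaving via the DMZ adapter and a persistent static route (the `route add -p` entry) that actually carries the internal network over the internal adapter. The addresses are constructed stand-ins for the post's 172.X and 192.X ranges.

```python
import ipaddress
import re
# Constructed `route print` output (Windows Server 2003 layout); the addresses
# are illustrative stand-ins for the post's 172.X internal and 192.X DMZ nets.
ROUTE_PRINT = """\
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0        192.0.2.1     192.0.2.10      20
       172.16.0.0      255.255.0.0       172.16.5.1    172.16.5.10       1
       172.16.5.0    255.255.255.0      172.16.5.10    172.16.5.10      10
        192.0.2.0    255.255.255.0       192.0.2.10     192.0.2.10      20
Persistent Routes:
  Network Address          Netmask  Gateway Address  Metric
       172.16.0.0      255.255.0.0       172.16.5.1       1
"""
IP = r"(\d+\.\d+\.\d+\.\d+)"
ACTIVE_ROW = re.compile(rf"^\s*{IP}\s+{IP}\s+{IP}\s+{IP}\s+\d+\s*$")
PERSIST_ROW = re.compile(rf"^\s*{IP}\s+{IP}\s+{IP}\s+\d+\s*$")
def parse_routes(text):
    """Return (active, persistent); each entry is (network, gateway, interface)."""
    active, persistent, section = [], [], None
    for line in text.splitlines():
        if line.startswith("Active Routes"):
            section = "active"
        elif line.startswith("Persistent Routes"):
            section = "persistent"
        elif section == "active" and (m := ACTIVE_ROW.match(line)):
            active.append((ipaddress.ip_network(f"{m[1]}/{m[2]}", strict=False), m[3], m[4]))
        elif section == "persistent" and (m := PERSIST_ROW.match(line)):
            persistent.append((ipaddress.ip_network(f"{m[1]}/{m[2]}", strict=False), m[3], None))
    return active, persistent

def check_split(text, internal_net, internal_if, dmz_if):
    """Return findings (empty list = the dual-homed split is as intended)."""
    active, persistent = parse_routes(text)
    internal_net = ipaddress.ip_network(internal_net)
    findings = []
    defaults = [r for r in active if r[0].prefixlen == 0]
    if len(defaults) != 1:
        findings.append(f"expected one default route, found {len(defaults)}")
    elif defaults[0][2] != dmz_if:
        findings.append(f"default route leaves via {defaults[0][2]}, not the DMZ adapter")
    # Longest-prefix match for an internal host: does it really use the internal NIC?
    probe = next(internal_net.hosts())
    best = max((r for r in active if probe in r[0]), key=lambda r: r[0].prefixlen)
    if best[2] != internal_if:
        findings.append(f"traffic to {internal_net} would leave via {best[2]}")
    if not any(r[0] == internal_net for r in persistent):
        findings.append(f"route to {internal_net} is not persistent (lost at reboot)")
    return findings
```

Run `check_split(ROUTE_PRINT, "172.16.0.0/16", "172.16.5.10", "192.0.2.10")`; an empty list means the split is as intended. Removing the `route add -p` entry from the sample makes it report that internal traffic would fall through to the DMZ default route.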