Re: 2 NICs Configuration Problem

See this diagram which shows more clearly what I am talking about.
Servers on the DMZ are public, not private.

http://www.ssimail.com/Zoneguard.htm

"Bill Grant" <not.available@online> wrote in message
news:OQoc3bCfHHA.2332@xxxxxxxxxxxxxxxxxxxxxxx
It also explains why your server cannot access the Internet. The firewall
provides NAT for the LAN machines, allowing them to reach the Internet
using the firewall's public IP. Machines in the DMZ are not behind the
NAT, so they neeed a routable public IP to access the Internet directly.
Private IPs cannot cross the Internet. The Internet routers are programmed
to drop packets with private IP addresses.

"Bill Grant" <not.available@online> wrote in message
news:ujpccDBfHHA.2396@xxxxxxxxxxxxxxxxxxxxxxx
That clears up the setup, but it doesn't really mean that you are not
bypassing the firewall. Connecting a server to the DMZ port is
effectively bypassing firewall filtering to that server. That is what it
is for - to allow a direct connection to the Internet. If that server
also has a NIC in the LAN, then the LAN is at risk.

"Paul" <paulbockmann@xxxxxxxxxxxxx> wrote in message
news:3B644E6F-2C5B-4ADF-8881-E3BED511E56C@xxxxxxxxxxxxxxxx
Firstly, nothing is bypassing the firewall - SB2003 server
(192.168.16.2) is
behind the firewall on the LAN port (192.168.16.1); The multihome server
(192.168.16.3 internal & 192.168.20.2 external) is behind the firewall
on the
DMZ port (192.168.20.1).

The SBS2003 server is physically connected to the LAN switch.
The multihome's internal nic is connected to the switch and its external
is
connected to the DMZ port on the firewall.
The switch is connected to the LAN port on the firewall.

Hope this clears things up. Again, no errors, all lan connectivity is
good,
just cant get the multihome to get out to the internet on its external
nic.
Talked to Sonicwall and they inform me that there is nothing blocking
the DMZ
outbound - so it should go.
Thanks
Paul
--
Paul Bockmann


"Bill Grant" wrote:

That all looks pretty dicey to me. Having a server on the LAN which
bypasses the firewall is never a good idea. What is the external NIC on
the
multihomed server physically connected to? Is the 192.168.20 network
your
DMZ?

"Paul" <paulbockmann@xxxxxxxxxxxxx> wrote in message
news:E0CB6183-B201-4D92-A24D-737A4F1C8857@xxxxxxxxxxxxxxxx
I have seen a number of write-ups on this - good and bad, but none
seem to
make my situation work.
So, I have an SBS2003 (no ISA) with 1 nic > switch > Firewall LANport
>
Internet as follows:

Host Name . . . . . . . . . . . . : thor
Primary Dns Suffix . . . . . . . : Removersgroup.local
Node Type . . . . . . . . . . . . : Unknown
IP Routing Enabled. . . . . . . . : Yes
WINS Proxy Enabled. . . . . . . . : Yes
DNS Suffix Search List. . . . . . : Removersgroup.local

PPP adapter RAS Server (Dial In) Interface:

Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : WAN (PPP/SLIP) Interface
Physical Address. . . . . . . . . : 00-53-45-00-00-00
DHCP Enabled. . . . . . . . . . . : No
IP Address. . . . . . . . . . . . : 192.168.16.19
Subnet Mask . . . . . . . . . . . : 255.255.255.255
Default Gateway . . . . . . . . . :
NetBIOS over Tcpip. . . . . . . . : Disabled

Ethernet adapter Server Local Area Connection:

Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Intel(R) PRO/1000 MT Dual Port
Network Co
nnection
Physical Address. . . . . . . . . : 00-03-47-30-63-68
DHCP Enabled. . . . . . . . . . . : No
IP Address. . . . . . . . . . . . : 192.168.16.2
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 192.168.16.1
DNS Servers . . . . . . . . . . . : 192.168.16.2
Primary WINS Server . . . . . . . : 192.168.16.2
*******************************************
I would like to add amember server2003 with 2 nics - 1 for Internal >
switch(WSUS, Backup Exec, Aux storage) and 1 for External > Firewall
DMZ
port (websites, WSUS updates) as follows:

Host Name . . . . . . . . . . . . : Quigley
Primary Dns Suffix . . . . . . . : Removersgroup.local
Node Type . . . . . . . . . . . . : Hybrid
IP Routing Enabled. . . . . . . . : No
WINS Proxy Enabled. . . . . . . . : No
DNS Suffix Search List. . . . . . : Removersgroup.local

Ethernet adapter DMZ:
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Intel(R) PRO/1000 MT Dual Port
Network Co
nnection
Physical Address. . . . . . . . . : 00-03-47-32-EE-EF
DHCP Enabled. . . . . . . . . . . : No
IP Address. . . . . . . . . . . . : 192.168.20.2
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 192.168.20.1
DNS Servers . . . . . . . . . . . : 192.168.16.2
NetBIOS over Tcpip. . . . . . . . : Disabled

Ethernet adapter Local Area Connection:
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Intel(R) PRO/1000 MT Dual Port
Network Co
nnection #2
Physical Address. . . . . . . . . : 00-03-47-32-EE-EE
DHCP Enabled. . . . . . . . . . . : No
IP Address. . . . . . . . . . . . : 192.168.16.3
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . :
DNS Servers . . . . . . . . . . . : 192.168.16.2
Primary WINS Server . . . . . . . : 192.168.16.2

Right now I am unable to connect to the internet via the External nic
on
the
webserver, although website service runs fine. I can also tie into
the
webserver over the LAN with no problems. All in all, everything but
the
ability to call out to the internet via the webservers external nic
(192.168.20.2) works great; Unfortunately I would like to have WSUS
updates
follow this path.
I do not have DNS, WINS, or RRAS setup on the member server2003. I
am
getting no errors to post here so I am somewhat at a loss - please
help.
Thanks
Paul


--
Paul Bockmann









.

Relevant Pages

  • Re: Can only connect to local RWW, over internet cannot
    ... OK, so now we know RWW works, and it is a function within RWW, the ability ... to 'Connect to Server' which is problematic, from inside the LAN. ... The 'Connect to server desktops' and 'Connect to my computer at work' ... RDP Proxy dynamically opens the connection to the requesting IP so at this ...
    (microsoft.public.windows.server.sbs)
  • Re: Possible to secure WEP?
    ... It doesn't have to be a "server". ... this IP cannot be in the same class C IP block as your own LAN. ... To keep it simple, my gateway router, ... Ethernet adapter Local Area Connection: ...
    (alt.internet.wireless)
  • Re: Web portal security
    ... win2003 standard server with IIS, SSL enabled and will be placed on ... So I will be fwding port 443 in firewall to my DMZ port. ... Well, assuming you are going to use teh SQL database from SBS, you can ... subnet than my LAN and map one to one from firewall to dmz. ...
    (microsoft.public.windows.server.sbs)
  • Re: Where to put the server
    ... Put the 2003 IIS Server in the DMZ. ... SBS box or another LAN server. ...
    (microsoft.public.backoffice.smallbiz2000)
  • Re: Dial-up ICS settings = Configuration Problems
    ... On Machine #1 have you told it that it is to share its Internet connection? ... Double click on your LAN connection ... IntelPRO/100 VE Network Connection - Packet Scheduler Miniport ... Primary WINS Server: 0.0.0.0 ...
    (microsoft.public.windowsxp.network_web)