Re: IP Relay/NAT set up on W2K3
- From: "Phillip Windell" <philwindell@xxxxxxxxxxx>
- Date: Fri, 31 Aug 2007 13:39:58 -0500
"Mike Michael" <MikeMichael@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message news:E62F137F-AD67-48E8-A3C2-EFB68DD76D02@xxxxxxxxxxxxxxxx
> We have an IP on a Windows 2K3 server in our DMZ. We need to allow a type of automated process to access an internal server via a specific port. The network/security folks do not want to just NAT on the firewall, they want to NAT on the perimeter, then "proxy" the connection to the internal server. So, since I happen to have a Windows server in the DMZ which already accesses said internal server, my straw was drawn.
> External client > firewall > my windows box in DMZ > firewall > internal server
> And in this hypothetical/make believe scenario, the W2K3 server would accept the connection and redirect to the internal server (is that proxy or relay?).
1. They cannot choose to "not" NAT at the firewall,...it isn't a choice, it is a requirement,...the firewall is "in the way", and the only way into the LAN is via it.
2. You can't proxy without a Proxy. You do not have a proxy. The only real "proxy-based" Firewall product on the market worth mentioning right now (that would fit this situation) is MS ISA Server. It is designed to *replace* one or both of those Firewalls, not sit in the middle of the DMZ.
3. This is a Back-to-Back DMZ built between two Firewalls,...an Inner Firewall and an Outer Firewall. These firewalls, particularly if they are Appliances, are just simply NAT Boxes. We can debate all day about what features they have or don't have,...but they are just NAT Boxes.
So there is only one way to get inbound traffic from a user on the "outside" to a resource on the "inside".
Step 1. The Outer Firewall does a Static NAT (aka Reverse NAT) back to the Inner Firewall.
Step 2. The Inner Firewall does a Static NAT (aka Reverse NAT) back to the Resource on the "inside".
The Reverse NAT should only respond to traffic directed at the required Initial Connection Port of the Application/Service being used. This is almost always a single number. The random Client Source Ports do not have to be accounted for on modern Firewalls that monitor the state of the Session.
Adding anything in the center of the DMZ to pass the traffic through is totally pointless, it doesn't accomplish anything and only over-complicates things and creates yet another way/place for the whole thing to fail.
--
Phillip Windell
www.wandtv.com
The views expressed, are my own and not those of my employer, or Microsoft,
or anyone else associated with me, including my cats.
-----------------------------------------------------
Understanding the ISA 2004 Access Rule Processing
http://www.isaserver.org/articles/ISA2004_AccessRules.html
Troubleshooting Client Authentication on Access Rules in ISA Server 2004
http://download.microsoft.com/download/9/1/8/918ed2d3-71d0-40ed-8e6d-fd6eeb6cfa07/ts_rules.doc
Microsoft Internet Security & Acceleration Server: Partners
http://www.microsoft.com/isaserver/partners/default.asp
Microsoft ISA Server Partners: Partner Hardware Solutions
http://www.microsoft.com/forefront/edgesecurity/partners/hardwarepartners.mspx
-----------------------------------------------------
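The two-hop static (reverse) NAT that the reply describes, modelled as an added example (not code from the original post or from any firewall product): an outer firewall publishes a single port and translates it to the inner firewall's DMZ address, the inner firewall translates it again to the internal resource, and each box keeps a session table so that replies are matched by state rather than by rules for the client's random source port. All addresses and ports below are constructed from documentation ranges and are assumptions for the illustration.

```python
"""Model of a back-to-back DMZ with static NAT on both firewalls.

Constructed illustration: 203.0.113.10 is the outer firewall's public
address, 192.0.2.1 the inner firewall's DMZ address, 10.0.0.5 the internal
resource, 198.51.100.7 an external client. Port 8443 stands in for the
application's single initial connection port.
"""
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


class StatefulNatFirewall:
    """A NAT box with one static (reverse) NAT rule and a session table."""

    def __init__(self, name, public_ip, public_port, target_ip, target_port):
        self.name = name
        self.public_ip = public_ip
        self.public_port = public_port
        self.target_ip = target_ip
        self.target_port = target_port
        # state table: (client_ip, client_port) -> where the session was sent
        self.sessions = {}

    def inbound(self, pkt):
        """Packet arriving from the outside; None means the firewall dropped it."""
        if pkt.dst_ip != self.public_ip or pkt.dst_port != self.public_port:
            return None  # only the published initial connection port is reachable
        # Record the client's random source port so the reply can be matched later.
        self.sessions[(pkt.src_ip, pkt.src_port)] = (self.target_ip, self.target_port)
        return replace(pkt, dst_ip=self.target_ip, dst_port=self.target_port)

    def outbound(self, pkt):
        """Reply heading outward; passes only if it belongs to a known session."""
        expected = self.sessions.get((pkt.dst_ip, pkt.dst_port))
        if expected is None or (pkt.src_ip, pkt.src_port) != expected:
            return None  # no state for this flow: unsolicited traffic is dropped
        return replace(pkt, src_ip=self.public_ip, src_port=self.public_port)


def traverse(firewalls, pkt):
    """Carry an inbound packet through outer then inner firewall."""
    for fw in firewalls:
        pkt = fw.inbound(pkt)
        if pkt is None:
            return None
    return pkt


def return_path(firewalls, reply):
    """Carry the resource's reply back out, inner firewall first."""
    for fw in reversed(firewalls):
        reply = fw.outbound(reply)
        if reply is None:
            return None
    return reply


def demo():
    outer = StatefulNatFirewall("outer", "203.0.113.10", 8443, "192.0.2.1", 8443)
    inner = StatefulNatFirewall("inner", "192.0.2.1", 8443, "10.0.0.5", 8443)
    chain = [outer, inner]

    # Client connects to the published port with a random source port.
    syn = Packet("198.51.100.7", 51234, "203.0.113.10", 8443)
    delivered = traverse(chain, syn)          # arrives at 10.0.0.5:8443

    # The resource answers the client directly; both state tables match it.
    reply = Packet("10.0.0.5", 8443, "198.51.100.7", 51234)
    back = return_path(chain, reply)          # leaves as 203.0.113.10:8443

    # A probe at a port that is not published is dropped at the outer firewall.
    probe = Packet("198.51.100.7", 51235, "203.0.113.10", 3389)
    dropped = traverse(chain, probe)          # None
    return delivered, back, dropped


if __name__ == "__main__":
    for item in demo():
        print(item)
```

The point of the model is the session table: each firewall only needs its one static NAT rule for the published port, and the client's ephemeral source port is learned from the first packet rather than configured, which is exactly why no relay in the middle of the DMZ is needed.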