# Re: Accessing server in DMZ

From: Darren Woodford (darrenw_at_nospamme.woodfordcomputers.co.uk)
Date: 04/20/04

Date: Tue, 20 Apr 2004 14:51:25 +0100

I do not know how to prevent the authentication issue but if it needs to be
publicly accessed from the internet then I would not have it as part of
your domain. A compromise of the web server (only a matter of time) will
then expose your entire domain. Not nice. I wouldn't consider this as a
workaround unless internet users are using VPN to access the web server.

This might be a silly question but do the LAN users need to connect to the
web sites on the web server or other resources/applications? From the
information so far I would guess at an IIS configuration issue which is
where I get out of my depth I'm afraid.
Have you tried accessing it from the internet yet? I would try putting a
workstation in the DMZ and seeing if that can connect to the web server to
try and narrow down the problem.
Hope you get it resolved.
Regards
Darren

"Les Connor [SBS MVP]" <les.connor@DEL.cfive.ca> wrote in message
news:ODjCdGnJEHA.2580@TK2MSFTNGP12.phx.gbl...
> Users from the internet - are these domain users accessing remotely ? Or
> does it host a public web site that unauthenticated users can access?
>
> If they're domain users, then you're probably best bringing this into the
> lan and making it a member server.
>
> Even better, could you fully explain what it is you need to accomplish ? I
> think there are others here who will be able to assist you much more
> efficiently than I can, but I think a better understanding of the objectives
> would be required.
>
> --
> Les Connor [SBS MVP]
> -------------------------------------
> SBS Rocks !
>
>
>
> "TRD" <tdejohnx2@hotmail.com> wrote in message
> news:uqhoxwmJEHA.3084@TK2MSFTNGP10.phx.gbl...
> > No it is accessed from users on the internet and users on the LAN.
> >
> > "Les Connor [SBS MVP]" <les.connor@DEL.cfive.ca> wrote in message
> > news:edudTmbJEHA.3628@TK2MSFTNGP12.phx.gbl...
> > > Hi TRD,
> > >
> > > So is this webserver intended to be publicly accessible ? I mean by
> > > unauthenticated users from the internet side? It seems not, and if that's
> > > the case then why not make it a member server (inside the lan)? It can still
> > > be reached from the internet this way, but only by authenticated users.
> > >
> > > --
> > > Les Connor [SBS MVP]
> > > -------------------------------------
> > > SBS Rocks !
> > >
> > >
> > >
> > > "TRD" <tdejohnx2@hotmail.com> wrote in message
> > > news:utQNuPaJEHA.1192@TK2MSFTNGP11.phx.gbl...
> > > > Les,
> > > >
> > > > Thanks for sticking with me through this. The Web Server is on a separate
> > > > subnet from the one the SBS Server and the rest of the workstations are on.
> > > >
> > > > The credential prompt is from the Web Server. The workstations have to first
> > > > browse (\\webserver\) the Web Server before they can use the third party
> > > > app. Since the workstations are on the domain and the Web Server is in its
> > > > own workgroup when the workstations try to browse the Web Server it
> > > > them to authenticate first. That is part of the problem.
> > > >
> > > >
> > > > TRD
> > > >
> > > > "Les Connor [SBS MVP]" <les.connor@DEL.cfive.ca> wrote in message
> > > > news:%23Vq6VwIJEHA.2388@TK2MSFTNGP10.phx.gbl...
> > > > > Hi TRD,
> > > > >
> > > > > If you do have it set up as in my ugly picture, then it should be on a
> > > > > different subnet.
> > > > >
> > > > > The credentials prompt - is it coming from the web server, or from your
> > > > > sbs ? If it's from the web server, I'd think you need to do something to the
> > > > > authentication settings for the web site there.
> > > > >
> > > > > --
> > > > > Les Connor [SBS MVP]
> > > > > -------------------------------------
> > > > > SBS Rocks !
> > > > >
> > > > >
> > > > >
> > > > > "TRD" <tdejohnx2@hotmail.com> wrote in message
> > > > > news:uqVnyNIJEHA.3120@TK2MSFTNGP09.phx.gbl...
> > > > > > Les-
> > > > > >
> > > > > > Thanks for your reply. That is how I have it setup now. I am just unsure as
> > > > > > to whether to have the web server join the domain or be in a stand alone
> > > > > > workgroup. The clients on the LAN have to access it but if it is in its own
> > > > > > workgroup they have to provide authentication before they can browse the
> > > > > > computer. The only way I know to fix that is by having the web server join
> > > > > > the domain. Any suggestions
> > > > > >
> > > > > > TRD
> > > > > >
> > > > > >
> > > > > >
> > > > > > "Les Connor [SBS MVP]" <les.connor@DEL.cfive.ca> wrote in message
> > > > > > news:OL%239zEAJEHA.2440@TK2MSFTNGP12.phx.gbl...
> > > > > > > Hi TRD,
> > > > > > >
> > > > > > > I presume the web server must be accessible from the internet ? Here's what
> > > > > > > I'd do.
> > > > > > >
> > > > > > > Two nic setup in the SBS, internal connected to the lan hub/switch, external
> > > > > > > connected to a soho router with a DMZ port, and router wan connected to the
> > > > > > > internet.
> > > > > > >
> > > > > > > Connect the web server to the DMZ port on the router.
> > > > > > >
> > > > > > > Use the router to port forward the SBS required ports to the SBS external
> > > > > > > nic, and everything else goes to the Web server. Or, you probably don't
> > > > > > > really need the Web server that exposed, just forward the ports you need to
> > > > > > > it.
> > > > > > >
> > > > > > > I'm not good at drawing pictures with text, so I hope you can visualize ;-).
> > > > > > >
> > > > > > > Internet Cloud
> > > > > > > |
> > > > > > > Router wan with public IP.
> > > > > > > Router lan 10.0.0.1 - Web Server 10.0.0.3 - Router forwards ports you want.
> > > > > > > |
> > > > > > > SBS external nic 10.0.0.2 - router forwards ports you want.
> > > > > > > SBS internal nic 192.168.16.2
> > > > > > > |
> > > > > > > Hub/Switch - lan clients 192.168.16.x.
> > > > > > >
> > > > > > > --
> > > > > > > Les Connor [SBS MVP]
> > > > > > > -------------------------------------
> > > > > > > SBS Rocks !
> > > > > > >
> > > > > > >
> > > > > > >
> > > > > > > "TRD" <tdejohnx2@hotmail.com> wrote in message
> > > > > > > news:u3w0xv9IEHA.3840@TK2MSFTNGP11.phx.gbl...
> > > > > > > > I have a SBS2k3 network that has client computers that need to access a
> > > > > > > > win2k3 web server in a DMZ using a proprietary software. The software will
> > > > > > > > connect to this web server as long as I first go to start and run and type
> > > > > > > > in \\webserver and then type in a username and password to browse the web
> > > > > > > > server. The web server is in a standalone workgroup right now. I think if I
> > > > > > > > add the web server to the domain this problem will go away because all the
> > > > > > > > authentication is done on the DC. But then how secure is the SBS2k3 server
> > > > > > > > if the web server were to get hacked?? Is there an easier way to set this up
> > > > > > > > to work??
> > > > > > > >
> > > > > > > > The SBS2k3 box has the dual NIC setup and I have setup the DMZ NIC with
> > > > > > > > Client for microsoft networks and file and print sharing as well as enabled
> > > > > > > > netbios over tcp so that the clients can communicate with the web server. Is
> > > > > > > > this the best way to do this???
> > > > > > > >
> > > > > > > >
> > > > > > > > TIA
> > > > > > > >
> > > > > > > > TRD
> > > > > > > >
> > > > > > > >
> > > > > > >
> > > > > > >
> > > > > >
> > > > > >
> > > > >
> > > > >
> > > >
> > > >
> > >
> > >
> >
> >
>
>
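
The concerns raised across this thread (forward only the ports the web server needs, and keep a compromised DMZ host away from the domain) can be checked against a rule table. The following is an added example, not part of any poster's message: the rule tuple format, the sample rules and the function names are constructed for illustration, and the addresses come from the diagram quoted above.

```python
import ipaddress

# Subnets from the diagram in the thread.
DMZ = ipaddress.ip_network("10.0.0.0/24")
LAN = ipaddress.ip_network("192.168.16.0/24")
# Windows RPC / NetBIOS / SMB ports, i.e. what \\webserver browsing relies on.
# Simplification: the protocol column is not used to split TCP from UDP.
FILE_SHARING_PORTS = {135, 137, 138, 139, 445}

# Constructed sample rules: (source, destination, protocol, ports).
# "any" means the internet side; ports are "80" or a range like "1-65535".
SAMPLE_RULES = [
    ("any", "10.0.0.3", "tcp", "80"),
    ("any", "10.0.0.3", "tcp", "443"),
    ("any", "10.0.0.3", "tcp", "1-65535"),        # "everything else goes to the Web server"
    ("any", "10.0.0.2", "tcp", "25"),
    ("10.0.0.3", "192.168.16.2", "tcp", "445"),   # DMZ host reaching into the LAN
    ("192.168.16.0/24", "10.0.0.3", "tcp", "139"),  # LAN clients browsing the web server
]

def port_range(spec):
    """Turn '80' or '1-65535' into a range of port numbers."""
    lo, _, hi = spec.partition("-")
    return range(int(lo), int(hi or lo) + 1)

def in_net(addr, net):
    """True if addr (host or CIDR) lies inside net; 'any' never does."""
    if addr == "any":
        return False
    return ipaddress.ip_network(addr, strict=False).subnet_of(net)

def audit(rules):
    """Return (rule index, finding) pairs for rules that weaken the DMZ design."""
    findings = []
    for i, (src, dst, _proto, ports) in enumerate(rules):
        pr = port_range(ports)
        exposed = sorted(p for p in FILE_SHARING_PORTS if p in pr)
        if src == "any" and len(pr) > 1024:
            findings.append((i, "catch-all forward from the internet"))
        if src == "any" and exposed:
            findings.append((i, f"file-sharing ports {exposed} reachable from the internet"))
        if in_net(src, DMZ) and in_net(dst, LAN):
            findings.append((i, "DMZ host allowed to initiate connections into the LAN"))
    return findings

if __name__ == "__main__":
    for idx, msg in audit(SAMPLE_RULES):
        print(f"rule {idx}: {SAMPLE_RULES[idx]} -> {msg}")
```

The LAN-to-DMZ rule is deliberately not flagged: LAN clients initiating towards the web server is the direction the original question needs, while the reverse direction is what would let a compromised web server reach the SBS.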
