Re: Accessing server in DMZ

From: Darren Woodford (darrenw_at_nospamme.woodfordcomputers.co.uk)
Date: 04/20/04


Date: Tue, 20 Apr 2004 14:51:25 +0100

I do not know how to prevent the authentication issue but if it needs to be
publicly accessed from the internet then I would not have it as part of
your domain. A compromise of the web server (only a matter of time) will
then expose your entire domain. Not nice. I wouldn't consider this as a
workaround unless internet users are using VPN to access the web server.

This might be a silly question but do the LAN users need to connect to the
web sites on the web server or other resources/applications? From the
information so far I would guess at an IIS configuration issue which is
where I get out of my depth I'm afraid.
Have you tried accessing it from the internet yet? I would try putting a
workstation in the DMZ and seeing if that can connect to the web server to
try and narrow down the problem.
Hope you get it resolved.
Regards
Darren

"Les Connor [SBS MVP]" <les.connor@DEL.cfive.ca> wrote in message
news:ODjCdGnJEHA.2580@TK2MSFTNGP12.phx.gbl...
> Users from the internet - are these domain users accessing remotely ? Or
> does it host a public web site that unauthenticated users can access?
>
> If they're domain users, then you're probably best bringing this into the
> lan and making it a member server.
>
> Even better, could you fully explain what it is you need to accomplish ? I
> think there are others here who will be able to assist you much more
> efficiently than I can, but I think a better understanding of the objectives
> would be required.
>
> --
> Les Connor [SBS MVP]
> -------------------------------------
> SBS Rocks !
>
>
>
> "TRD" <tdejohnx2@hotmail.com> wrote in message
> news:uqhoxwmJEHA.3084@TK2MSFTNGP10.phx.gbl...
> > No it is accessed from users on the internet and users on the LAN.
> >
> > "Les Connor [SBS MVP]" <les.connor@DEL.cfive.ca> wrote in message
> > news:edudTmbJEHA.3628@TK2MSFTNGP12.phx.gbl...
> > > Hi TRD,
> > >
> > > So is this webserver intended to be publicly accessible ? I mean by
> > > unauthenticated users from the internet side? It seems not, and if that's
> > > the case then why not make it a member server (inside the lan)? It can still
> > > be reached from the internet this way, but only by authenticated users.
> > >
> > > --
> > > Les Connor [SBS MVP]
> > > -------------------------------------
> > > SBS Rocks !
> > >
> > >
> > >
> > > "TRD" <tdejohnx2@hotmail.com> wrote in message
> > > news:utQNuPaJEHA.1192@TK2MSFTNGP11.phx.gbl...
> > > > Les,
> > > >
> > > > Thanks for sticking with me through this. The Web Server is on a separate
> > > > subnet from the one the SBS Server and the rest of the workstations are on.
> > > >
> > > > The credential prompt is from the Web Server. The workstations have to first
> > > > browse (\\webserver\) the Web Server before they can use the third party
> > > > app. Since the workstations are on the domain and the Web Server is in its
> > > > own workgroup when the workstations try to browse the Web Server it asks
> > > > them to authenticate first. That is part of the problem.
> > > >
> > > >
> > > > TRD
> > > >
> > > > "Les Connor [SBS MVP]" <les.connor@DEL.cfive.ca> wrote in message
> > > > news:%23Vq6VwIJEHA.2388@TK2MSFTNGP10.phx.gbl...
> > > > > Hi TRD,
> > > > >
> > > > > If you do have it set up as in my ugly picture, then it should be on a
> > > > > different subnet.
> > > > >
> > > > > The credentials prompt - is it coming from the web server, or from your
> > > > > sbs ? If it's from the web server, I'd think you need to do something to the
> > > > > authentication settings for the web site there.
> > > > >
> > > > > --
> > > > > Les Connor [SBS MVP]
> > > > > -------------------------------------
> > > > > SBS Rocks !
> > > > >
> > > > >
> > > > >
> > > > > "TRD" <tdejohnx2@hotmail.com> wrote in message
> > > > > news:uqVnyNIJEHA.3120@TK2MSFTNGP09.phx.gbl...
> > > > > > Les-
> > > > > >
> > > > > > Thanks for your reply. That is how I have it setup now. I am just unsure as
> > > > > > to whether to have the web server join the domain or be in a stand alone
> > > > > > workgroup. The clients on the LAN have to access it but if it is in its own
> > > > > > workgroup they have to provide authentication before they can browse the
> > > > > > computer. The only way I know to fix that is by having the web server join
> > > > > > the domain. Any suggestions?
> > > > > >
> > > > > > TRD
> > > > > >
> > > > > >
> > > > > >
> > > > > > "Les Connor [SBS MVP]" <les.connor@DEL.cfive.ca> wrote in message
> > > > > > news:OL%239zEAJEHA.2440@TK2MSFTNGP12.phx.gbl...
> > > > > > > Hi TRD,
> > > > > > >
> > > > > > > I presume the web server must be accessible from the internet ? Here's what
> > > > > > > I'd do.
> > > > > > >
> > > > > > > Two nic setup in the SBS, internal connected to the lan hub/switch, external
> > > > > > > connected to a soho router with a DMZ port, and router wan connected to the
> > > > > > > internet.
> > > > > > >
> > > > > > > Connect the web server to the DMZ port on the router.
> > > > > > >
> > > > > > > Use the router to port forward the SBS required ports to the SBS external
> > > > > > > nic, and everything else goes to the Web server. Or, you probably don't
> > > > > > > really need the Web server that exposed, just forward the ports you need to
> > > > > > > it.
> > > > > > >
> > > > > > > I'm not good at drawing pictures with text, so I hope you can visualize ;-).
> > > > > > >
> > > > > > > Internet Cloud
> > > > > > > |
> > > > > > > Router wan with public IP.
> > > > > > > Router lan 10.0.0.1 - Web Server 10.0.0.3 - Router forwards ports you want.
> > > > > > > |
> > > > > > > SBS external nic 10.0.0.2 - router forwards ports you want.
> > > > > > > SBS internal nic 192.168.16.2
> > > > > > > |
> > > > > > > Hub/Switch - lan clients 192.168.16.x.
> > > > > > >
> > > > > > > --
> > > > > > > Les Connor [SBS MVP]
> > > > > > > -------------------------------------
> > > > > > > SBS Rocks !
> > > > > > >
> > > > > > >
> > > > > > >
> > > > > > > "TRD" <tdejohnx2@hotmail.com> wrote in message
> > > > > > > news:u3w0xv9IEHA.3840@TK2MSFTNGP11.phx.gbl...
> > > > > > > > I have a SBS2k3 network that has client computers that need to access a
> > > > > > > > win2k3 web server in a DMZ using a proprietary software. The software will
> > > > > > > > connect to this web server as long as I first go to start and run and type
> > > > > > > > in \\webserver and then type in a username and password to browse the web
> > > > > > > > server. The web server is in a standalone workgroup right now. I think if I
> > > > > > > > add the web server to the domain this problem will go away because all the
> > > > > > > > authentication is done on the DC. But then how secure is the SBS2k3 server
> > > > > > > > if the web server were to get hacked?? Is there an easier way to set this up
> > > > > > > > to work??
> > > > > > > >
> > > > > > > > The SBS2k3 box has the dual NIC setup and I have setup the DMZ NIC with
> > > > > > > > Client for microsoft networks and file and print sharing as well as enabled
> > > > > > > > netbios over tcp so that the clients can communicate with the web server. Is
> > > > > > > > this the best way to do this???
> > > > > > > >
> > > > > > > >
> > > > > > > > TIA
> > > > > > > >
> > > > > > > > TRD
> > > > > > > >
> > > > > > > >
> > > > > > >
> > > > > > >
> > > > > >
> > > > > >
> > > > >
> > > > >
> > > >
> > > >
> > >
> > >
> >
> >
>
>
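
The "just forward the ports you need" advice in the quoted thread, as an added example that is not part of any poster's message: a Python check of a router port-forward table for the 10.0.0.x layout described above. The rule table and the per-host allowlist are constructed assumptions; only the two host addresses come from the thread.

```python
# Added example: audit a router port-forward table for the layout in the thread.
# Host addresses come from the thread; rules and allowlist are constructed.
WEB, SBS = "10.0.0.3", "10.0.0.2"
SMB_PORTS = {137, 138, 139, 445}  # NetBIOS name/datagram/session, SMB over TCP

# Assumed allowlist: inbound ports each host is meant to receive.
ALLOWED = {WEB: {80, 443}, SBS: {25, 443}}

# Constructed sample table; port "*" models "everything else goes to" a host.
RULES = [
    {"port": 25, "dest": SBS},
    {"port": 443, "dest": SBS},
    {"port": 80, "dest": WEB},
    {"port": 139, "dest": WEB},
    {"port": "*", "dest": WEB},
]

def audit(rules, allowed=ALLOWED):
    """Return (port, dest, reason) for every forward that should be reviewed."""
    findings = []
    seen = {}  # port -> first destination that claimed it
    for r in rules:
        port, dest = r["port"], r["dest"]
        if port == "*":
            findings.append((port, dest, "catch-all forward exposes every port"))
            continue
        if port in seen and seen[port] != dest:
            findings.append((port, dest, "port already forwarded to " + seen[port]))
        seen.setdefault(port, dest)
        if port in SMB_PORTS:
            findings.append((port, dest, "NetBIOS/SMB reachable from the internet"))
        elif port not in allowed.get(dest, set()):
            findings.append((port, dest, "port not on the allowlist for this host"))
    return findings

def tighten(rules, allowed=ALLOWED):
    """Keep only explicit forwards that the allowlist names."""
    return [r for r in rules
            if r["port"] != "*" and r["port"] in allowed.get(r["dest"], set())]

if __name__ == "__main__":
    for port, dest, why in audit(RULES):
        print(f"{dest}:{port}  {why}")
    print("kept:", tighten(RULES))
```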