Re: DMZ and file sharing


These files are being generated all the time by the users daily and stored
on the LAN, they need regular access to them to be able to update them
etc... (so having them access them on the webserver seems unwieldy to me).
Also having the users being responsible for updating the webserver files
with ftp might prove a bit difficult.

Using robocopy and creating a schedule for it, means the users never even
need to know that the files are being copied to the webserver in the
background and so would prove a better solution for me.

I've never used robocopy before, but if it can use ftp to update the
webserver would that be a better solution than a file share on the DMZ? Is
allowing file share from LAN to DMZ any worse than ftp from LAN to DMZ?

Thanks.

"Leythos" <void@xxxxxxxxxxx> wrote in message
news:hTOsg.22997$vl5.13418@xxxxxxxxxxxxxxxxxxxxxxxxx
In article <#qAoPfMpGHA.2256@xxxxxxxxxxxxxxxxxxxx>,
josephbyrns@xxxxxxxxx says...
Lots of interesting conversation. So far as viable means of transferring
files between the webserver and the LAN I have:
1) Email (possible but fiddly)
2) File sharing DMZ to LAN (apparently completely unacceptable)
3) A second NIC in the WebServer, presumably with some kind of software
firewall between them, perhaps ISA 2004 would work in situation. (this is a
more expensive option and I would rather not do it, and it means there is a
direct link between the second NIC and the LAN (likely on the same
subnet/network))

How about allow file sharing from the LAN to the DMZ (one way only)? That
way people in the LAN can get access to the WebServer files, the webserver
can get access to the files locally and nobody in the DMZ can get access to
files in the LAN?

Any other options?

The files are not of a particularly sensitive nature.

Why not put the files in a folder on a virtual directory (web) that
allows only access from IP in your LAN, then users can Browse to the DMZ
web server from the LAN and see the folder structure via a browser and
then download them to their PCs as needed.

You could also set up FTP and pass it through - using firewall rules that
limit access.

I have a virtual directory on a webserver called "SharedFiles" and it's
set up to allow browsing of the files - it allows remote users to browse
the folders in IE on the web server, but instead of limiting access by
IP I limited it by creating a user/password on the Web Server (and then
setting up SSL to that location) - the user/password is generic and not
specific to any one user.

To put files in that virtual folder I use FTP, and I run FileZilla
Server on the web server so that I don't have to deal with the
limitations of MS's FTP.


Thanks.

"Leythos" <void@xxxxxxxxxxx> wrote in message
news:h1Fsg.25274$u11.20928@xxxxxxxxxxxxxxxxxxxxxxxxx
In article <OQBfzPHpGHA.3564@xxxxxxxxxxxxxxxxxxxx>, thetrev68 @
hotmail.com says...
Joseph,

We added an extra network card on the webserver and the application server
in our network, ran a crossover cable between them, and locked down the
traffic so only very very specific things could travel through that
connection (it's actually hitting an SQL database).

I have no idea what others would think of this solution or how it compares
to other alternatives, but it works well for us.

What did you use to "Lock down the traffic" between the two NICs?

My guess is that you didn't really lock it down, but just think you did.

If you are using any form of Windows Authentication or any Active
Directory link between the two servers then you've got NO security.

The Database connection should be by a database user account, not a
windows account - and you only need TCP/1433 to map that.

--

spam999free@xxxxxxxxxx
remove 999 in order to email me




--

spam999free@xxxxxxxxxx
remove 999 in order to email me
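
The scheduled robocopy push discussed in this thread, as an added example that is not part of the original posts: a script for Task Scheduler on a LAN machine that mirrors a folder to a share on the DMZ web server and turns robocopy's bitmask exit code into a pass/fail result. The paths, host name and share name are hypothetical, and it assumes the firewall permits SMB only when initiated from the LAN host towards the DMZ server.

```powershell
# Added example: one-way push of LAN files to a DMZ web server share.
# All paths, the host name and the share name are hypothetical placeholders.
$Source      = 'D:\Published'               # LAN folder the users update (assumed)
$Destination = '\\dmz-web01\SharedFiles'    # share on the DMZ web server (assumed)
$LogFile     = 'C:\Logs\dmz-push.log'       # assumed log location

# /MIR       mirror source to destination (also deletes files removed from source)
# /R:2 /W:5  two retries, five seconds apart, so a dead link fails fast
# /XJ        skip junction points so the copy stays inside $Source
# /NP        no per-file progress in the log; /LOG+ appends to the log file
$roboArgs = @($Source, $Destination, '/MIR', '/R:2', '/W:5', '/XJ', '/NP',
              "/LOG+:$LogFile")

& robocopy.exe @roboArgs
$code = $LASTEXITCODE

# Robocopy's exit code is a bitmask, not a plain success/failure value.
$flags = @{
    1  = 'files copied'
    2  = 'extra files or directories in destination'
    4  = 'mismatched files or directories'
    8  = 'some files could not be copied'
    16 = 'fatal error, nothing copied'
}
$meaning = foreach ($bit in ($flags.Keys | Sort-Object)) {
    if ($code -band $bit) { $flags[$bit] }
}
if (-not $meaning) { $meaning = 'no change' }

# Append a one-line summary after robocopy has closed the log.
"{0:s} robocopy exit {1}: {2}" -f (Get-Date), $code, ($meaning -join '; ') |
    Add-Content -Path $LogFile

# 8 and above means the web server copy is incomplete; return non-zero so
# Task Scheduler records the run as failed. Anything below 8 is a success.
if ($code -ge 8) { exit 1 } else { exit 0 }
```

Because the connection is opened from the LAN side, the DMZ server needs no credentials for, or route into, the LAN; the account running the task needs write access to the destination share only.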

