Re: SBS2003 Prem with member Web server
- From: "Charlie Russel - MVP" <charlie@xxxxxxxxxxxxxxxxxxxxxxx>
- Date: Sun, 16 Jul 2006 22:22:59 -0700
Sorry, I will buy behind. But not as a parallel back door, which is what the
OP describes.
--
Charlie.
http://msmvps.com/xperts64
Jim Harrison (MSFT) wrote:
Are we all done with the knee-jerk panic responses here?
Yes - adding a public server to your domain increases your domain attack
surface, but only as far as that attack surface is made available to the
public.
Specifically, Charlie mentions placing the web server external to ISA as
a mitigation technique - WHY?!?
If the web server is behind the ISA (domain member or not) and the
publishing rule configured properly, the server is actually safer there.
There is no requirement to join the public web server to a domain simply
because it resides on the internal LAN.
Or <gasp> add a NIC (or 802.1q VLAN) to the SBS server and place the web
server in the shiny new DMZ that it makes available to you and place the
web server there.
IOW, get off the "all or nothing" train and think the problem through
before responding.
--
Jim Harrison [ISA SE]
Read the help, books and articles!
This posting is provided "AS IS" with no warranties, and confers no
rights.
"Charlie Russel - MVP" <charlie@xxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:uVDeVQOqGHA.4608@xxxxxxxxxxxxxxxxxxxxxxx
So, you have a nice, secure SBS server sitting there, with ISA on it, and
all set up. Then you put a public WEB SERVER in there to bypass ISA entirely
and give the world a back door to your network? No. Just say no.
If you must host your own public web site (a bad idea in lots of ways, and
not anything I'd do, certainly), then put it outside your ISA server, NOT a
member of the domain.
rminnis82@xxxxxxxxxxx wrote:
Hello,
I have an SBS 2003 setup with ISA on a 192.168.16.* internal network,
with 10.0.0.* connected to the router. All works fine.
Int NIC
IP 192.168.16.2
subnet 255.255.255.0
DNS 192.168.16.2
WINS 192.168.16.2
Ext NIC
IP 10.0.0.2
Subnet 255.255.255.0
Gateway 10.0.0.138
DNS 192.168.16.2
WINS 192.168.16.2
This was set up by CEICW along with ISA 2004 and all works as it should.
I have Windows Server 2003 connected to the domain as a member server -
acting as a web server, with a static IP on the 192.169.16.* subnet and
an external NIC connected to the router as well.
Int NIC
IP 192.168.16.3 (static)
subnet 255.255.255.0
DNS 192.168.16.3
Ext NIC
IP 10.0.0.3
Subnet 255.255.255.0
Gateway 10.0.0.138
DNS {ISPDNS}
This all works fine.
NAT on my router points port 21, 80 and 443 to the member Web server,
with port 25 only going to the SBS.
OWA and RWW and companyweb all work perfectly internally.
I want to set up IIS on the member server to direct all external traffic
to the IIS on the SBS. I would like to do this without having to change
the ports on the SBS from 80 to 82 and just open port 82 on the router.
Just easier to type in your external IP/Exchange than
externalIP:82/Exchange...plus the configuration of ISA on top.
Is this possible?
I have tried setting up URL redirects in the member server IIS and
directing to the SBS IIS with little use.
Any ideas?