Re: Dual nic with DMZ via firewall



On Mar 27, 5:48 am, Leythos <V...@xxxxxxxxxxx> wrote:
On Tue, 27 Mar 2007 01:08:17 -0700, dsellinger wrote:
I will be installing sbs standard next week and I would like to set up
the WAN NIC to be in our firewall's DMZ. (currently zywall100 dmz port -
switch -> 2 web servers)

Are there any problems with this? Local web access should continue to
use firewall as gateway, but web facing sbs services like incoming
email or rww would be protected via DMZ firewall rules.

Somehow I feel a lot safer poking holes into the DMZ than onto the
LAN. But then the usual protection of the DMZ doesn't exist anymore.
If the SBS box is compromised then it also exists on the LAN so maybe
it makes no difference. I still think I would prefer to have SBS on
the DMZ so that it can use its own IP address and not just share the
firewall's. I guess I would rather not have its IP resolve to any
name either.

Also will there be routing problems with LAN users checking email etc.
if exchange is bound to an external IP?

Thanks for your suggestions/expertise.

(btw zywall100 is a good firewall with a real DMZ port)

No, it's not.

If you have the SBS Server in your DMZ and in your LAN, then you don't
really have a DMZ.

If you have the SBS server WAN port in the DMZ and your Firewall's LAN is
not used, then it's the same as using the LAN with the SBS WAN ports.

You do understand, if your firewall is a quality device, that there is NO
difference between the firewall LAN and DMZ protection ability - they both
have rules, they both isolate traffic, they are no different in
functionality.

If you have a cheap, crappy firewall device that really isn't a firewall,
the DMZ port just gets all traffic from the internet, it's not really
protected.

If you are trying to connect the firewall LAN port to your LAN and then
the Firewall DMZ port to your SBS WAN port, well, since the firewall now
has access to both networks there is no point and I would wager less
protection.

--
Leythos
spam999f...@xxxxxxxxxx (remove 999 for proper email address)

So is there any better way to isolate the public network functions of
SBS? What would a large corporate environment do? Would they have
one Exchange server sitting in the DMZ and another in the LAN? Or
would a Fortune 500 company be poking holes in their LAN firewall too?
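The point Leythos makes above, that a box with an interface in both the DMZ and the LAN is a bridge across the firewall, can be checked mechanically rather than argued. The following is an added example, not from the thread and not ZyWALL or SBS tooling: a worst-case "foothold" model over zones, hosts and publish rules. It assumes that any service an attacker can reach from a zone they already hold can be compromised, that a compromised host hands over every zone it has an interface in, and that hosts inside one zone are not filtered from each other. The host names (web1, web2, sbs, pc1), the workstation port and the rule sets are constructed; the layout (internet / DMZ / LAN, two web servers, SBS publishing SMTP, HTTPS and RWW) follows the thread, with TCP 25, 443 and 4125 being the well-known ports for those three services.

```python
"""Zone-foothold model: which zones does a worst-case attacker end up holding?

Added illustration for the DMZ-vs-dual-NIC discussion. All host names, ports
and rule sets below are constructed sample data, not a real device config.
"""
from typing import Dict, FrozenSet, Set, Tuple

Host = Tuple[FrozenSet[str], FrozenSet[int]]  # (zones the host has a NIC in, listening ports)
Rule = Tuple[str, str, int]                    # (src_zone, dst_host, dst_port) allowed by the firewall


def foothold(hosts: Dict[str, Host], rules: Set[Rule],
             start: str = "internet") -> Tuple[Set[str], Set[str]]:
    """Return (zones held, hosts compromised) for an attacker starting in `start`.

    Fixpoint iteration: a host falls if the attacker can reach one of its
    services, either through a firewall rule from a held zone or directly
    because the host sits in a held zone; a fallen host yields all its zones.
    """
    held: Set[str] = {start}
    owned: Set[str] = set()
    changed = True
    while changed:
        changed = False
        for name, (zones, ports) in hosts.items():
            if name in owned:
                continue
            via_rule = any(src in held and dst == name and port in ports
                           for src, dst, port in rules)
            via_zone = bool(zones & held) and bool(ports)
            if via_rule or via_zone:
                owned.add(name)
                held |= zones          # dual-homed host: attacker is now on every zone it touches
                changed = True
    return held, owned


# Constructed hosts: two web servers in the DMZ, one workstation on the LAN,
# and SBS either single-NIC on the LAN or dual-homed into DMZ and LAN.
WEB = (frozenset({"dmz"}), frozenset({80, 443}))
PC = (frozenset({"lan"}), frozenset({445}))
SBS_LAN_ONLY = (frozenset({"lan"}), frozenset({25, 443, 4125}))
SBS_DUAL = (frozenset({"dmz", "lan"}), frozenset({25, 443, 4125}))

# Constructed publish rules: what the firewall lets the internet initiate.
PUBLISH_WEB: Set[Rule] = {("internet", "web1", 80), ("internet", "web2", 80)}
PUBLISH_SBS: Set[Rule] = {("internet", "sbs", 25), ("internet", "sbs", 443), ("internet", "sbs", 4125)}


def design_a() -> Tuple[Set[str], Set[str]]:
    """Single-NIC SBS on the LAN, SBS ports forwarded through the LAN side ('holes in the LAN')."""
    hosts = {"web1": WEB, "web2": WEB, "sbs": SBS_LAN_ONLY, "pc1": PC}
    return foothold(hosts, PUBLISH_WEB | PUBLISH_SBS)


def design_b() -> Tuple[Set[str], Set[str]]:
    """Dual-NIC SBS with its WAN NIC in the DMZ, same services published into the DMZ."""
    hosts = {"web1": WEB, "web2": WEB, "sbs": SBS_DUAL, "pc1": PC}
    return foothold(hosts, PUBLISH_WEB | PUBLISH_SBS)


def design_c() -> Tuple[Set[str], Set[str]]:
    """Reference: only the DMZ-resident web servers are published; nothing on the LAN is."""
    hosts = {"web1": WEB, "web2": WEB, "sbs": SBS_LAN_ONLY, "pc1": PC}
    return foothold(hosts, PUBLISH_WEB)


if __name__ == "__main__":
    for label, fn in (("A single-NIC SBS on LAN", design_a),
                      ("B dual-NIC SBS in DMZ+LAN", design_b),
                      ("C DMZ web only", design_c)):
        zones, hosts = fn()
        print(f"{label}: zones held={sorted(zones)} hosts owned={sorted(hosts)}")
```

Designs A and B come out identical: the attacker holds internet, DMZ and LAN and every host falls, because in B the SBS box itself carries the attacker from the DMZ onto the LAN, so the DMZ placement buys nothing over forwarding the same ports to a LAN host. Only design C keeps the LAN out of reach, and it does so because no host with a LAN interface is exposed, which is the property a DMZ is supposed to provide.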
