Re: External Firewall with SBS 2003


In article <9D222239-D91C-4185-BBA8-2CD8ACD34203@xxxxxxxxxxxxx>,
ksheppard31@xxxxxxxxxxx says...
> I'm currently running SBS 2003 Premium and using the default setup with ISA
> 2004 and twin NICs for my setup. We have purchased a new external firewall
> appliance running pfSense and are in the process of setting up a true DMZ
> using this external device.

What specific brand/model?

> I'd like to remove ISA 2004 from my SBS server
> as it will no longer be necessary. Should I also remove the two NIC setup and
> plug the 192.168.16.2 NIC directly into that segment of the DMZ?

The Firewall Appliance should have TWO private networks, often called
the LAN and the DMZ.

On a real firewall the LAN and DMZ are just as secure as each other,
meaning that you create rules for any access to them/from them to other
networks (Public/LAN/DMZ).

A typical setup would be:

LAN 192.168.8.0/24
DMZ 192.168.16.0/24


> My other
> thought was to simply continue to use my SBS setup as it is and pass on the
> necessary ports (25, 443, 444, 1723) to my external NIC on SBS from the DMZ
> setup.

Your firewall appliance SHOULD be a PPTP Server, so you don't want SBS
to do the PPTP connection. This provides A LOT MORE SECURITY by having
the Firewall do the PPTP connection. By using the Firewall you can then
create rules that allow you to control what PORTS can be passed through
the PPTP connection - we normally limit users to TCP 3389 and then to
the IP of the Terminal Server or a small range of IPs in the LAN.

> If I do remove ISA 2004, what is the correct procedure? I'm
> guessing that I need to re-launch the SBS setup wizard and remove it that
> way. Also, what should I do with the Internet Connection Wizard on SBS once
> I remove ISA and possibly the external NIC?

I can't help here, we never install ISA or Dual NIC solutions, we always
implement a firewall appliance as ISA is not certified on a non-dedicated
MS Server box.

--
- Igitur qui desiderat pacem, praeparet bellum.
- Calling an illegal alien an "undocumented worker" is like calling a
drug dealer an "unlicensed pharmacist"
spam999free@xxxxxxxxxx (remove 999 for proper email address)
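The layout the reply describes (LAN 192.168.8.0/24, DMZ 192.168.16.0/24, the SBS box at 192.168.16.2, published ports 25/443/444, PPTP terminated on the appliance with VPN users limited to TCP 3389 to the Terminal Server), written out as an added pf ruleset in FreeBSD/pfSense syntax; it is an example added for this page, not a configuration from the thread or from the pfSense project. The interface names, the Terminal Server address 192.168.8.10 and the ng0 PPTP client interface are assumptions.

```pf
# Macros: subnets from the reply; interface names, the Terminal Server
# address and the PPTP client interface are assumptions for this example.
ext_if  = "em0"
lan_if  = "em1"
dmz_if  = "em2"
vpn_if  = "ng0"                 # assumed: PPTP clients terminate here
lan_net = "192.168.8.0/24"
dmz_net = "192.168.16.0/24"
sbs     = "192.168.16.2"        # SBS 2003 host in the DMZ
ts      = "192.168.8.10"        # assumed Terminal Server in the LAN

set block-policy drop
set skip on lo0

# Publish only the three services the SBS box needs; PPTP (1723/GRE)
# is NOT forwarded because the appliance terminates it itself.
rdr on $ext_if proto tcp from any to ($ext_if) port { 25, 443, 444 } -> $sbs

# Default deny on every interface; later pass rules are the only exceptions.
block log all

# Internet -> DMZ: the published services only.
pass in on $ext_if proto tcp from any to $sbs port { 25, 443, 444 }

# Internet -> appliance: the PPTP control channel and GRE tunnel traffic.
pass in on $ext_if proto tcp from any to ($ext_if) port 1723
pass in on $ext_if proto gre from any to ($ext_if)

# LAN -> DMZ: only the SBS services; LAN -> Internet: anything else.
pass in on $lan_if proto tcp from $lan_net to $sbs port { 25, 443, 444 }
pass in on $lan_if from $lan_net to ! $dmz_net

# DMZ -> Internet: outbound SMTP from the SBS box; DMZ never initiates
# into the LAN (the block is listed last so it wins for LAN destinations).
pass in on $dmz_if proto tcp from $sbs to any port 25
block in on $dmz_if from $dmz_net to $lan_net

# VPN clients: nothing but RDP to the Terminal Server, as the reply suggests.
pass in on $vpn_if proto tcp from any to $ts port 3389 flags S/SA keep state

# Replies to the states above leave on the outside interface.
pass out on $ext_if keep state
```

The port-restriction rule on the VPN interface is independent of the tunnel type, so the same rule carries over unchanged if the appliance later terminates IPsec or OpenVPN instead of PPTP.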


