Re: web server in DMZ? by Erik
Erik
Sat Oct 25 10:00:56 CDT 2003
Thanks all for the help. I'm afraid this is one of those "we bought the
software already, now help us make it work" situations. The main e-commerce
app has a Visual FoxPro database, hence the need for file access. I'm
thinking I could somehow create a single share that is locked down. But yes,
it's always more fun to make the best of a less-than-ideal situation than to
be in on the design from the start.....
"Chad A Gross [SBS-MVP]" <chad.gross@laytonflower.nospam.com> wrote in
message news:e84RALrmDHA.2000@TK2MSFTNGP12.phx.gbl...
> Hey Mark -
>
> With ISA, we can server publish an internal server but restrict the source
> IPs that we will accept connections from. Therefore, we can configure ISA
> to only accept inbound SQL traffic on 1433 from the web server's IP. In
> addition, if we put a hardware firewall/router between the webserver &
> internet connection, we have the advantage of completely blocking port 1433
> to the outside world as well as being able to configure ISA to only accept
> 1433 traffic from the web server's private non-routable IP.
>
> That works for SQL - but I'll admit that I'm more than a little leery
> about having IIS access a file server on the LAN. No - I don't like that
> idea at all, because if we enable file access the web server may as well be
> on the LAN. Hopefully Erik will post back with why he needs file access
> from the web server. With any luck, he'll only need static files that can
> be handled via an FTP server external to the LAN.
>
> --
> Chad A Gross [SBS-MVP]
>
> SBS ROCKS!!!
>
> Mark Mancini wrote:
> > chad,
> > How is his IIS going to get data from SQL and the file server behind
> > ISA....without opening up his whole LAN?
> >
> >
> > "Chad A Gross [SBS-MVP]" <chad.gross@laytonflower.nospam.com> wrote in
> > message news:ODb%23ezpmDHA.744@tk2msftngp13.phx.gbl...
> >> Hi Erik -
> >>
> >> Yes - you can do what you propose. I'll admit that I haven't had
> >> much experience with using a 3rd nic DMZ in ISA - and to be honest,
> >> I don't really like the idea. I can't offer any technical
> >> explanation - I've just got a bad gut feeling about it. If it were
> >> me, I think I'd put a hardware firewall/router on your perimeter
> >> (this doesn't have to necessarily be a Cisco, but I wouldn't go with
> >> a Linksys either - something mid-range). I would then set it up
> >> like so:
> >>
> >>            Internet
> >>               |
> >>               |
> >>       ------- Router -------
> >>       |                    |
> >>      ISA               Web Server
> >>       |
> >>      LAN -----------
> >>       |            |
> >>      SQL       File Server
> >>
> >>
> >> You can then server-publish your SQL & file servers in ISA and
> >> restrict connections to the web server's non-routable IP. In order
> >> to do this, you will need to create a Client Address Set in ISA that
> >> includes the non-routable IP of the web server - then when you
> >> create your server publishing rules, you can restrict the rule to only
> >> accept connections from this IP.
> >>
> >> --
> >> Chad A Gross [SBS-MVP]
> >>
> >> SBS ROCKS!!!
> >>
> >> Erik Cole wrote:
> >>> This is slightly out of the SBS realm, I know, but there are some
> >>> very sharp minds here....
> >>>
> >>> I have a client (non-SBS) with three servers in their lan: DC, file,
> >>> SQL. They are wanting to set up a web server for an IIS-based
> >>> e-commerce app that will need to access the SQL and file servers.
> >>> My question is, What is the best way to set this up without
> >>> overkill?
> >>>
> >>> I'm thinking something like:
> >>>
> >>>
> >>>               internet
> >>>                  |
> >>>                  |
> >>>               dedicated
> >>>               isa box ---> web server in 192.168.x.x
> >>>                  |
> >>>                  |
> >>>                 LAN
> >>>               10.0.x.x
> >>>            other servers
> >>>
> >>>
> >>> The IIS site on the web server will need to be remotely managed by
> >>> an outside party on occasion, (possibly by manually enabling TS
> >>> through the firewall only when req'd?) so I will need to really
> >>> strip this box down before letting anyone access it.
> >>>
> >>> Can ISA be configured to allow SQL & virtual directory connections
> >>> ONLY from the web server's ip, perhaps even ONLY from IIS? Is there
> >>> a better way to do this?
> >>>
> >>> Thanks!
>
>
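The two-hop design Chad describes (perimeter router in front, ISA publishing SQL only to a Client Address Set holding the web server's private IP, the file server not published at all) as an added Python model for checking which connections get through; this is not code from the thread, and every address, rule name and the anti-spoof rule on the router are constructed assumptions.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional
# Constructed addresses for the layout in Chad's sketch (not from the thread).
DMZ_NET = ip_network("192.168.1.0/24")   # segment shared by router, ISA and web server
WEB = ip_address("192.168.1.10")         # web server's private, non-routable IP
SQL = ip_address("10.0.0.20")            # LAN SQL server published through ISA
ANY = ip_network("0.0.0.0/0")

@dataclass(frozen=True)
class Rule:
    name: str
    srcs: tuple            # ISA "client address set": networks allowed as source
    dst: object            # published server address, or ANY
    dport: Optional[int]   # None = any port
    action: str            # "allow" or "deny"

    def matches(self, src, dst, dport):
        return (any(src in n for n in self.srcs)
                and (self.dst == ANY or dst == self.dst)
                and (self.dport is None or dport == self.dport))

# Perimeter router: drop packets that spoof inside addresses, pass only
# HTTP/HTTPS to the web server, and let nothing else (1433 included) reach ISA.
ROUTER = [
    Rule("anti-spoof", (DMZ_NET, ip_network("10.0.0.0/8")), ANY, None, "deny"),
    Rule("http", (ANY,), WEB, 80, "allow"),
    Rule("https", (ANY,), WEB, 443, "allow"),
]
# ISA server publishing: SQL 1433 only from the web server's IP. The file
# server is deliberately absent, so SMB from the DMZ hits the default deny.
ISA = [Rule("publish-sql", (ip_network(f"{WEB}/32"),), SQL, 1433, "allow")]

def first_match(rules, src, dst, dport):
    for r in rules:                      # first-match, default deny
        if r.matches(src, dst, dport):
            return r.action, r.name
    return "deny", "default"

def evaluate(ingress, src, dst, dport):
    """(action, hop, rule) for a connection. ingress is "internet" or "dmz":
    Internet traffic crosses the router first; the web server is already inside it."""
    src, dst = ip_address(src), ip_address(dst)
    if ingress == "internet":
        action, rule = first_match(ROUTER, src, dst, dport)
        if action == "deny" or dst == WEB:
            return action, "router", rule
    action, rule = first_match(ISA, src, dst, dport)
    return action, "isa", rule
```

The anti-spoof entry is what makes "restrict to the web server's private IP" meaningful: without it, an Internet host claiming 192.168.1.10 as its source would be judged by the ISA rule alone.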