Member server in DMZ

[Brad Rossiter]

Simple problem, how do I properly setup a Member server
in a DMZ (Say for a Exchange 2000 OWA server)?

NOT SO SIMPLE ANSWER so far. 5 hours on the phone with
5 different MS engineers and they are not even close to
giving me an answer.

I've opened up all the ports as described in 280132
(Exchange 2000 connectivity though a firewall). All that
is fine.

REAL PROBLEM IS THIS. The DNS reply back from the
Internal network DNS server gives back Internal
addresses. Thus any time DNS is required communication
back to the Internal network does not work. Remember
Windows 2000 Active directory requires lots of DNS
records.

This problem has been solved by my company (an IT service
company) in the past by using DNS doctoring on the Pix
firewall itself (the firewall catches DNS replies and
changes the payload/response to the public address).
However not all firewall appear to support this
(Sonicwall Pro this time).

I have thought of using an IPSec tunnel from the dmz
member server (it's an OWA 2000 server). However that
seems much more complicated than necessary. How about a
way in Windows 2000 DNS to respond based on where the
request came from (such as a 'view').

If you have any suggestions, please contact my e-mail
above. MS is failing to give anything other than 'setup
a DNS server in the DMZ'. THIS IS SO STUPID I CAN'T EVEN
COMPREHEND IT. And no LMHOSTS AND HOSTS don't do a dam
thing for Windows 2000 Active Directory service records.

Thank You,
Brad Rossiter
Network Engineer

 

[Kevin D. Goodknecht Sr. [MVP]]

In

Simple problem, how do I properly setup a Member server
in a DMZ (Say for a Exchange 2000 OWA server)?

NOT SO SIMPLE ANSWER so far. 5 hours on the phone with
5 different MS engineers and they are not even close to
giving me an answer.

I've opened up all the ports as described in 280132
(Exchange 2000 connectivity though a firewall). All that
is fine.

REAL PROBLEM IS THIS. The DNS reply back from the
Internal network DNS server gives back Internal
addresses. Thus any time DNS is required communication
back to the Internal network does not work. Remember
Windows 2000 Active directory requires lots of DNS
records.

This problem has been solved by my company (an IT service
company) in the past by using DNS doctoring on the Pix
firewall itself (the firewall catches DNS replies and
changes the payload/response to the public address).
However not all firewall appear to support this
(Sonicwall Pro this time).

I have thought of using an IPSec tunnel from the dmz
member server (it's an OWA 2000 server). However that
seems much more complicated than necessary. How about a
way in Windows 2000 DNS to respond based on where the
request came from (such as a 'view').

If you have any suggestions, please contact my e-mail
above. MS is failing to give anything other than 'setup
a DNS server in the DMZ'. THIS IS SO STUPID I CAN'T EVEN
COMPREHEND IT. And no LMHOSTS AND HOSTS don't do a dam
thing for Windows 2000 Active Directory service records.

Thank You,
Brad Rossiter
Network Engineer

If you have a firewall between your member server and your DC you need a VPN
between the two or you will have to open so many ports in the firewall it
will be like swiss cheese.
Your stuck with using the VPN or making the machine in the DMZ a standalone
server.

 

[brad rossiter]

I solved this by using a PIX 515E firewall and doing DNZ
doctoring (of sort). And opening up ports does not do a
damm thing to solve this problem. You can open them all
and it does not help one bit. The problem has NOTHING to
do with ports. The problem is that MS has no flipping
clue about DMZ's and apparently neither does most of the
IT community.

MS had suggested a IPSec tunnel between any member server
in the DMZ to each server on the inside of the network.
While I can't dismiss this as TOTALLY STUPID, I can say
that if someone owned the box then they would own the
IPSec tunnel.. So that kinda goes back to the TOTALLY
STUPID I trying not to use.

The freeking point is that you can't really trust
computers in your DMZ or the internet as they can be
compromised...

Anyway, this situation is so stupid it's just about
making our security team implode. The Microsoft
security training I just went to was pathetic. SUS is
their answer to half the security problems..

 

[Kevin Goodknecht]

In

I solved this by using a PIX 515E firewall and doing DNZ
doctoring (of sort). And opening up ports does not do a
damm thing to solve this problem. You can open them all
and it does not help one bit. The problem has NOTHING to
do with ports. The problem is that MS has no flipping
clue about DMZ's and apparently neither does most of the
IT community.

MS had suggested a IPSec tunnel between any member server
in the DMZ to each server on the inside of the network.
While I can't dismiss this as TOTALLY STUPID, I can say
that if someone owned the box then they would own the
IPSec tunnel.. So that kinda goes back to the TOTALLY
STUPID I trying not to use.

If you want to put a member in the DMZ it is the only way, whether you think
the tunnel is stupid or not. It is the only way without comprimising you
entire network. This goes double for Exchange because Exchange uses LDAP to
access the Global Catalog.

The freeking point is that you can't really trust
computers in your DMZ or the internet as they can be
compromised...

I don't think anyone recommended you do this, certainly not me.

Anyway, this situation is so stupid it's just about
making our security team implode. The Microsoft
security training I just went to was pathetic. SUS is
their answer to half the security problems..

The problem is that if you have a firewall or ANY NAT device between a
member server and the Domain Controller you need a tunnel.
Why would you want to put an Exchange server in the DMZ anyway it would be
much better to have it in the safe zone behind the firewall and NAT.