New DMZ design suggestions...

shawn

All,

Currently our DMZ consists of systems that are part of a workgroup.

I'm looking at a redesign of the DMZ to an Active Directory (Windows 2K3) domain.
It would possibly consist of:

- 2 DCs (both might run DNS as well)
- IIS 6 webfarm (would provide both http and ftp services)
- Terminal Services Server box (remote administration to all DMZ boxes...may
or may not be in DMZ domain?)
- Possible FrontEnd XCHNG server?
- Possible FrontEnd SQL server?

Trusts would need to be set up and the firewall locked down tightly to the internal
private network.


Any suggestions on whether this is the "best" approach, balancing functionality,
administration and security concerns?

Thanks in advance.

Shawn
 
Paul Bergson

Consider using ISA with reverse proxy; that way you should be able to keep all
your servers internal and open up a minimal number of ports.

All connections from external sources can be terminated at the ISA server
and the ISA server then makes all internal connections, thereby preventing
any external connections to your servers other than from the ISA box. The
ISA box doesn't have to be a domain member so you aren't opening up any
additional security holes. It is a nice secure solution.

The link below is on reverse proxy and the web site itself is probably the
best site available, maybe even better than Microsoft's.
http://www.isaserver.org/tutorials/...guration_Web_caching_and_Internet_access.html

--
Paul Bergson MCT, MCSE, MCSA, Security+, CNE, CNA, CCA
http://www.pbbergs.com

Please no e-mails, any questions should be posted in the NewsGroup

This posting is provided "AS IS" with no warranties, and confers no rights.
 
shawn

Paul,

Thanks for the info...I will read up on this information to further educate
myself.

Shawn
------------
 
Jorge Silva

Hi

Adding to Paul's response: if you're considering an ISA solution, you might want
to have a back-to-back ISA configuration, securing communications
between the DMZ and the internal network with SSL, IPSec, etc.

The front ISA server won't need to be a member of the domain, but the back-end
one can be, and that gives you better control of internal users and DMZ
communications.


--
I hope that the information above helps you

Good Luck
Jorge Silva
MCSA
Systems Administrator
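To make the tiering that Paul and Jorge describe checkable rather than a diagram in someone's head, here is an added example (it is not part of the thread and does not use any ISA configuration format): a small Python policy linter that takes a list of firewall allow rules and flags any rule that lets external traffic bypass the front proxy, lets a non-proxy DMZ host open connections inward, skips a tier, or publishes a port the design did not intend. Zone names (`external`, `dmz-front`, `dmz-back`, `internal`), host names (`isa-front`, `isa-back`, `web01`, `sql01`, `ts01`) and the sample rule set are all constructed for illustration.

```python
"""Policy check for a back-to-back reverse-proxy DMZ (added example, not from the thread).

Model: external clients may only reach the front proxy; only the front proxy may
reach the back proxy; only the back proxy may open connections into the internal
network. Zone and host names below are hypothetical.
"""
from dataclasses import dataclass

# Tiers ordered from the outside in (hypothetical zone names).
TIERS = ["external", "dmz-front", "dmz-back", "internal"]

# The single host in each proxy tier that may terminate inbound connections and
# originate the next hop inward (hypothetical host names).
PROXY_FOR_TIER = {"dmz-front": "isa-front", "dmz-back": "isa-back"}

# Services the thread wants published at the outer edge: http, https, ftp.
PUBLISHED_PORTS = {80, 443, 21}


@dataclass(frozen=True)
class Rule:
    """One firewall allow rule. src_host "*" means any host in src_zone."""
    src_zone: str
    src_host: str
    dst_zone: str
    dst_host: str
    port: int


def check_rule(rule: Rule) -> list[str]:
    """Return the policy violations for one allow rule (empty list if it is clean)."""
    problems = []
    if rule.src_zone not in TIERS or rule.dst_zone not in TIERS:
        return [f"{rule}: unknown zone"]
    s, d = TIERS.index(rule.src_zone), TIERS.index(rule.dst_zone)
    if d - s > 1:
        # e.g. external -> internal: the traffic never terminates on a proxy at all
        return [f"{rule}: {rule.src_zone} -> {rule.dst_zone} skips a tier"]
    if d != s + 1:
        # Same-zone or outbound rules are out of scope for this inbound-path check.
        return problems
    dst_proxy = PROXY_FOR_TIER.get(rule.dst_zone)
    if dst_proxy and rule.dst_host != dst_proxy:
        problems.append(f"{rule}: inbound traffic must terminate on {dst_proxy}")
    src_proxy = PROXY_FOR_TIER.get(rule.src_zone)
    if src_proxy and rule.src_host != src_proxy:
        problems.append(f"{rule}: only {src_proxy} may open connections inward")
    if rule.src_zone == "external" and rule.port not in PUBLISHED_PORTS:
        problems.append(f"{rule}: port {rule.port} is not a published service")
    return problems


def audit(rules: list[Rule]) -> list[str]:
    """Run check_rule over a whole rule set and collect every finding."""
    findings = []
    for r in rules:
        findings.extend(check_rule(r))
    return findings


# Constructed sample rule set: four rules follow the design, four break it.
SAMPLE_RULES = [
    Rule("external", "*", "dmz-front", "isa-front", 443),          # ok
    Rule("external", "*", "dmz-front", "isa-front", 80),           # ok
    Rule("dmz-front", "isa-front", "dmz-back", "isa-back", 443),   # ok
    Rule("dmz-back", "isa-back", "internal", "web01", 80),         # ok: back proxy -> webfarm
    Rule("external", "*", "dmz-front", "web01", 80),               # bypasses the front proxy
    Rule("external", "*", "internal", "sql01", 1433),              # skips every tier
    Rule("dmz-front", "ts01", "dmz-back", "isa-back", 3389),       # non-proxy host opens inward
    Rule("external", "*", "dmz-front", "isa-front", 3389),         # unpublished port at the edge
]

if __name__ == "__main__":
    for line in audit(SAMPLE_RULES):
        print(line)
```

Running the block prints one finding per bad rule; the four rules that match the tiering produce nothing. The check is deliberately about initiation direction only: outbound or same-zone rules are ignored here, so a real review would still need to look at what DMZ hosts are allowed to reach outward and at the management path for the Terminal Services box.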
 
shawn

Jorge,

Thanks for the information.

Shawn

Jorge Silva said:
Hi

Adding to Paul's response: if you're considering an ISA solution, you might
want to have a back-to-back ISA configuration, securing
communications between the DMZ and the internal network with SSL, IPSec, etc.

The front ISA server won't need to be a member of the domain, but the back-end
one can be, and that gives you better control of internal users and DMZ
communications.


--
I hope that the information above helps you

Good Luck
Jorge Silva
MCSA
Systems Administrator