Get off your high horse and come and have a drink with me in
Copenhagen next week, I'm paying, and if not, Steve Reilly is paying!
Apparently you put up DMZs that aren't behind a firewall.
Certainly not, ISA behind a perimeter firewall is an absolute must.
Ah yes, ISA and its ability to publish internal servers "securely." Code
Red II went through ISA without bothering to pause and infected published
internal web servers. Had to install URLScan on ISA so it could, well,
securely publish...
Now, I'm not an ISA guru, ahh, you'd guessed. ISA 2004 does a combi of
ISA 2000, FR1, URLSCAN and a whole lot more. I can't guarantee any
product will keep anything new out but what I can say is that ISA 2004
does not require the same amount of holes in the firewall that an FE
requires. I think the main point is that an FE in the DMZ makes the
DMZ into Swiss cheese instead of cheap Tesco cheddar.
If you have a firewall with URL scanning capabilities on the perimeter
then deploy it, ISA is a good 2nd line of defence, did I mention
defence in depth? In order to authenticate the user in the DMZ rather
than risk a DDOS or other attack on the inside and/or expose a domain
member in the DMZ.
2. He was talking about 2002, not 2000, neither of which talk to an FE,
especially one in a DMZ.
Sorting an infrastructure out to match competence and best practice is
the solution. Patching and messing about to make something work that
is both against best practice and a security risk is not the solution.
I am a great advocate of guiding people towards the right solution,
then, and only then, are any remaining problems properly resolvable.
1. Not having a front-end server in a DMZ when access from the Internet is
allowed is a good way to eventually commit career suicide. You should study
non-Microsoft security principles and practices.
2. His question was how to stop OL2K from connecting to the FE server, not a
reaffirmation that it shouldn't be happening.
On Wed, 10 Nov 2004 09:31:06 -0800, David McCue [MCSE]
I have 1 front-end server in the DMZ for OWA and 1 back-end server with
all mailboxes.
When some internal OL2K2 users are creating or updating a meeting and
Outlook is checking the free/busy information, they get the "Requesting
data..." message. This message references the NetBIOS name of the
front-end server which will fail due to firewall settings. I don't want the
Outlook client to use this front-end server, how do I direct it to use only the
back-end server?
1. The Fe should not be in the DMZ, not ever, not no how.
2. The OL2K2 boxes shouldn't be talking to the FE for F/B info.