New DMZ design suggestions...

  • Thread starter Thread starter shawn
  • Start date Start date
S

shawn

All,

Currently our DMZ consists of systems that are part of a workgroup.

I'm looking at redesign of DMZ to an Active Directory (Windows 2K3) domain.
It would possibly consist of:

- 2 DCs (both might run DNS as well)
- IIS 6 webfarm (would provide both http and ftp services)
- Terminal Services Server box (remote administration to all DMZ boxes...may
or may not be in DMZ domain?)
- Possible FrontEnd XCHNG server?
- Possible FrontEnd SQL server?

Trusts would need setup and firewall locked down tightly to internal private
network.


Any suggestions if this is the "best" approach, balancing functionality,
administration and security concerns.

Thanks in advance.

Shawn
 
Consider usa ISA with reverse proxy, thereby you should be able to keep all
your servers internal and open up a minimal number of ports.

All connections from external sources can be terminated at the ISA server
and the ISA server then makes all internal connections, thereby preventing
any external connections to your servers other than from the ISA box. The
ISA box doesn't have to be a domain member so you aren't opening up any
additonal security holes. It is a nice secure solution.

The link below is on reverse proxy and the web site itself is probably the
best site available, maybe even better than Microsoft's.
http://www.isaserver.org/tutorials/...guration_Web_caching_and_Internet_access.html

--
Paul Bergson MCT, MCSE, MCSA, Security+, CNE, CNA, CCA
http://www.pbbergs.com

Please no e-mails, any questions should be posted in the NewsGroup

This posting is provided "AS IS" with no warranties, and confers no rights.
 
Paul,

Thanks for info...I will read up on this information to further educate
myself.

Shawn
------------
 
Hi

Adding to Paul's response if you're considering ISA solution, you migh want
to have an Back to Back ISA configuration Solution, Securing comunications
with DMZ -> Internal network, SSL, IPSec, etc.

The Front ISA server won't need to be member of the domain, but the Back End
can be, and give you a better control of internal users and DMZ
comunications.


--
I hope that the information above helps you

Good Luck
Jorge Silva
MCSA
Systems Administrator
 
Jorge,

Thanks for information.

Shawn

Jorge Silva said:
Hi

Adding to Paul's response if you're considering ISA solution, you migh
want to have an Back to Back ISA configuration Solution, Securing
comunications with DMZ -> Internal network, SSL, IPSec, etc.

The Front ISA server won't need to be member of the domain, but the Back
End can be, and give you a better control of internal users and DMZ
comunications.


--
I hope that the information above helps you

Good Luck
Jorge Silva
MCSA
Systems Administrator
Click to expand...
 
Back
Top