DMZ and Domains

I have a web server (2K3) sitting inside the DMZ which accesses data inside the domain via the firewall. All the data, including the web site, resides on the data server and is an in-house application. The executables run on the web server and fetch the data the customer requests. We have two NICs in the server; one is allowed only ports 80 and 443 traffic for public access. The other is restricted to four ports for access to the data server only.

We want to cluster two web servers but found out that to do so means they must belong to a domain. We need the web site to reflect our domain so this means we must add the web servers to the inside domain. This appears to me to circumvent the whole idea behind a DMZ. Is there a way to secure the web servers so that they can be on the domain and still be in the DMZ? If the web server is compromised we don't want them to have access inside.

> must belong to a domain. We need the web site to reflect our domain so

I do not follow what the intended meaning of this "reflect" our domain is.

> this means we must add the web servers to the inside domain.

If the one web server is able to accomplish everything needed now as a stand-alone, then what is the issue requiring this "reflect"? Two servers can be a pair of DCs in a domain and no one in the world other than the admin, no machine in the world other than those two, has any need to know the private domain name, its DNS, etc., and yet those two machines may answer to the outside by whatever DNS records are registered in the world's DNS, and those two machines do not even need to know what external DNS names were used.

"Tewhano" <Tewh***@discussions.microsoft.com> wrote in message news:5D34B01D-CEAF-4FC2-A155-A51B821A9598@microsoft.com...
> I have a web server (2K3) sitting inside the DMZ which accesses data inside
> the domain via the firewall. All the data, including the web site, resides on
> the data server and is an in-house application. The executables run on the
> web server and fetch the data the customer requests. We have two NICs in
> the server; one is allowed only ports 80 and 443 traffic for public access.
> The other is restricted to four ports for access to the data server only.
>
> We want to cluster two web servers but found out that to do so means they
> must belong to a domain. We need the web site to reflect our domain so this
> means we must add the web servers to the inside domain. This appears to me to
> circumvent the whole idea behind a DMZ. Is there a way to secure the web
> servers so that they can be on the domain and still be in the DMZ? If the web
> server is compromised we don't want them to have access inside.

I think I see what you are saying. So my domain is known outside by mydomain.com and I put these two web servers in the DMZ and join them to a domain called webdomain.com. I can still have people hit the site as securesite.mydomain.com?

Yes.

The only machines that need to know of and use the DNS zone that supports the AD are the machines in the forest of the domain (or, optionally, if W2K3 forest-level Kerberos trusts are used with an external forest, those also). IOW, for a single-domain forest in the DMZ that has no external trusts, only those DMZ machines need to know the private DNS zone used by that AD. Any interface on any machine could still expose TCP 80/443 and it would not matter what external DNS names map to the IPs on those interfaces, and those external names could be used in host-header IIS website differentiation if desired, but otherwise those external names would not need to be configured or used anywhere on the machines.

"Tewhano" <Tewh***@discussions.microsoft.com> wrote in message news:80B77C3E-FC5B-499D-8BE4-49CAD53E7885@microsoft.com...
> I think I see what you are saying. So my domain is known outside by
> mydomain.com and I put these two web servers in the DMZ and join them to a
> domain called webdomain.com. I can still have people hit the site as
> securesite.mydomain.com?
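As an added example, not part of the thread or of any product, here is a PowerShell audit that checks one DMZ web server against the design the replies describe: joined to its own DMZ forest, no trusts, only 80/443 exposed on the public NIC, the external name handled as an IIS host header, and no knowledge of the inside AD zone. It assumes a current Windows host with the ActiveDirectory, WebAdministration and DnsClient modules installed and run as an administrator; webdomain.com and securesite.mydomain.com are the thread's placeholder names, and the public IP address is an assumed placeholder.

```powershell
# Audit a DMZ web server against the isolated-forest design discussed in the thread.
# Added example, not code from the thread. Names and the IP below are placeholders.
param(
    [string]$DmzDomain      = 'webdomain.com',           # private AD domain the DMZ boxes join
    [string]$InternalDomain = 'mydomain.com',            # inside domain that must stay unreachable
    [string]$PublicSite     = 'securesite.mydomain.com', # external name served via IIS host header
    [string]$PublicIp       = '203.0.113.10',            # assumed address of the public-facing NIC
    [int[]] $PublicPorts    = @(80, 443)                 # the only ports allowed on that NIC
)
Import-Module ActiveDirectory, WebAdministration, DnsClient -ErrorAction Stop
$findings = @()

# 1. The box must be a member of the DMZ domain, never the inside domain.
$memberOf = (Get-CimInstance Win32_ComputerSystem).Domain
if ($memberOf -ne $DmzDomain) { $findings += "Joined to '$memberOf', expected '$DmzDomain'" }

# 2. The DMZ forest must carry no trusts: a compromised web server gets no path inward.
$trusts = @(Get-ADTrust -Filter * -ErrorAction SilentlyContinue)
foreach ($t in $trusts) { $findings += "Trust present: $($t.Name) ($($t.Direction))" }

# 3. Nothing but 80/443 may listen on the public address. A listener bound to
#    0.0.0.0 covers every interface, so it counts against the public NIC too.
$listeners = Get-NetTCPConnection -State Listen |
    Where-Object { $_.LocalAddress -in @($PublicIp, '0.0.0.0') }
foreach ($l in $listeners) {
    if ($l.LocalPort -notin $PublicPorts) {
        $findings += "Port $($l.LocalPort) listening on $($l.LocalAddress) (public side)"
    }
}

# 4. The external name should appear only as an IIS host header binding.
$bindings = @(Get-WebBinding | Where-Object { $_.bindingInformation -like "*:$PublicSite" })
if ($bindings.Count -eq 0) { $findings += "No IIS binding uses host header '$PublicSite'" }

# 5. The DMZ resolver must not be able to locate the inside domain's DCs, i.e. the
#    private AD zone of the internal forest must be unknown here (the thread's point).
$srv = "_ldap._tcp.dc._msdcs.$InternalDomain"
$leak = Resolve-DnsName -Name $srv -Type SRV -ErrorAction SilentlyContinue
if ($leak) { $findings += "DMZ resolver can locate DCs of '$InternalDomain' via $srv" }

# Report: an empty list means the host matches the design; each finding is one gap.
if ($findings.Count -eq 0) { 'OK: DMZ web server matches the isolated-forest design.' }
else { $findings | ForEach-Object { "FINDING: $_" } }
```

Run it on each DMZ node after clustering; a trust, an extra public listener or a resolvable inside DC record is exactly the kind of inward path the original poster was worried about.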