Windows 2003 Server in a DMZ

  • Windows 2003 Server in a DMZ

    hi there

    I have set up a Windows 2003 server, hosting IIS web sites, that is currently outside our firewall in a DMZ. Whilst this is working OK, I have been requested to make the DMZ server part of the internal domain. We connect to an Extranet before connecting to the Internet, and all the clients to the web server can only be from our Extranet. I have read several articles on the MS site and I am just looking for some further advice... The current configuration is as follows:

    Internal Lan
    |
    PIX ----- DMZ Server Windows 2003
    |
    Extranet
    |
    Internet

    I was planning on moving the server back to the domain, re-joining the domain and then putting the server back on the DMZ. I have opened all ports out of the Internal LAN to the DMZ. I have also opened GC, LDAP, DNS, Kerberos back from the DMZ to the Internal LAN.

    Questions:
    1) Do I need to open RPC on the firewall?
    2) Are there any other ports missing?
    3) Is there anything I have missed?

    thanks in advance

    JP
    Last edited by jptempleuk; 30th November 2005, 17:20. Reason: Change Diagram

  • #2
    Re: Windows 2003 Server in a DMZ

    The real answer is to find another method. There is no logic in adding a DMZ computer to the LAN/Domain. If someone hacks it, the network will be open...

    Regards,

    Yuval
    Best Regards,

    Yuval Sinay

    LinkedIn: https://www.linkedin.com/in/yuval14, Blog: http://blogs.microsoft.co.il/blogs/yuval14



    • #3
      Re: Windows 2003 Server in a DMZ

      As my friend Yuval has already mentioned, placing a domain server in a DMZ environment is certainly not recommended for security purposes.

      But if you indeed decide to do so for your own reasons, in order to not "make your firewall a waterhole", I recommend using IPSec communications between the DMZ server and the internal servers which it needs to communicate with.
      This will allow you to minimize your open ports and destinations for DMZ traffic.

      If you need any help configuring IPSec, you can find more information here:
      http://www.microsoft.com/windowsserv...c/default.mspx
      Yaniv Feldman
      Microsoft Security Regional Director
      Microsoft Management Expert
      MCSA, MCSE, MCT
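
An added example, not part of the thread and not any poster's code: a small audit of DMZ-to-internal firewall rules against the "minimize your open ports and destinations" goal from reply #3. The port list for a domain member, the rule tuple format, the addresses and both rule sets are assumptions constructed for illustration.

```python
import ipaddress

# Assumption: commonly documented ports a domain member uses to reach a DC.
# The dynamic RPC range behind the endpoint mapper is deliberately left out.
MEMBER_PORTS = {
    "dns": [("udp", 53), ("tcp", 53)],
    "kerberos": [("udp", 88), ("tcp", 88)],
    "ldap": [("udp", 389), ("tcp", 389)],
    "gc": [("tcp", 3268)],
    "rpc-epmap": [("tcp", 135)],
    "smb": [("tcp", 445)],
    "ntp": [("udp", 123)],
}

def allowed(rules, host, proto, port):
    """True if any rule permits proto/port from the DMZ server to host."""
    ip = ipaddress.ip_address(host)
    return any(ip in ipaddress.ip_network(dst) and p == proto and lo <= port <= hi
               for dst, p, lo, hi in rules)

def audit(rules, dcs):
    """rules: (dst_cidr, proto, port_lo, port_hi) tuples, DMZ -> internal."""
    # Broad = more than one destination host, or a port range of 1024+ ports.
    broad = [r for r in rules
             if ipaddress.ip_network(r[0]).num_addresses > 1 or r[3] - r[2] >= 1024]
    # Missing = a listed proto/port that is not permitted to every DC.
    missing = sorted(f"{name} {proto}/{port}"
                     for name, pairs in MEMBER_PORTS.items()
                     for proto, port in pairs
                     if not all(allowed(rules, dc, proto, port) for dc in dcs))
    return {"broad": broad, "missing": missing}

# Constructed sample: one DC, and the return path named in post #1
# (GC, LDAP, DNS, Kerberos), assumed here to be opened to a whole subnet.
DCS = ["10.0.0.10"]
POSTED = [("10.0.0.0/24", "tcp", 3268, 3268), ("10.0.0.0/24", "tcp", 389, 389),
          ("10.0.0.0/24", "udp", 53, 53), ("10.0.0.0/24", "tcp", 88, 88)]
# The full assumed port list, pinned to the single DC address.
TIGHT = [(DCS[0] + "/32", proto, port, port)
         for pairs in MEMBER_PORTS.values() for proto, port in pairs]

if __name__ == "__main__":
    for label, rules in (("posted", POSTED), ("tight", TIGHT)):
        result = audit(rules, DCS)
        print(label, "broad:", len(result["broad"]), "missing:", result["missing"])
```
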



      • #4
        Re: Windows 2003 Server in a DMZ

        Thanks for your replies.

        I have started downloading some of the IPSEC documents this morning.

        cheers
        JP
