Forest/Domain in the "DMZ" to accommodate web, front-end servers

Posted by Marlon Brown on September 19, 2005, 5:16 pm
Imagine I have an IT guru in my organization (and political forces behind
him) that don't let me put ANY front-end server in the internal network.

I mean, I have Exchange 2003 OWA and SharePoint servers that, to this date,
have been published via ISA 2004, and in my view that provided adequate
security. Now imagine that I must put all servers that reside in the
"internal" network in the "DMZ".

Do you think it makes sense if I set up a "Domain-DMZ" and put all such
front-end servers there and allow a one-way trust relationship where my
existing "domain-dmz" trusts the "corporate domain"?

Then I would put the SharePoint servers (front-end) and Exchange (front-end)
and such in the DMZ-DOMAIN?

Do you really believe this would be a good security implementation for a
mid-size organization? (5,000 AD accounts).



Posted by Keith I on September 19, 2005, 8:04 pm
Marlon,

What is the purpose of the network segmentation? Would the Front-End
Exchange and SharePoint Services (SPS) now be exposed directly to the
Internet? If so, you are negating the value of ISA 2004. ISA 2004 has the
hardened External interface; the other server roles do not by default. Do
you trust ISA? If not, dump it and use another device for your network
segmentation control. However, I believe ISA 2004 provides a hardened
service for Exchange and SPS. That is the objective of using ISA.

Second, would that DMZ-Domain be trusted by the corporate domain for
authentication? If you are trusting what should be non-trusted, then you
are again devising a less secure solution than existed prior. The domain is
not the Windows 200x security boundary; the forest is the boundary.
So, you'd have to create a new forest with a minimum of two domain
controllers for redundancy.

The other solution might be the DMZ-Domain trusting the corporate domain for
management. While this makes it easier to manage this domain, and is
recommended by some persons for systems of 25 or greater in the DMZ, it seems
like this is not your case.

This IT guru is imposing solutions that are just bad ideas, based on ideas
from 5-10 years ago. Your solution seems right on track. I like Microsoft's
solution provided at
http://www.microsoft.com/technet/prodtechnol/isa/2004/plan/workgroup_ee.mspx
the best.
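The trust posture described in the reply above (a separate DMZ forest, at most a one-way trust in which the DMZ forest trusts the corporate forest, and nothing in corporate trusting the DMZ) can be audited from the DMZ side. The script below is an added example and is not part of the thread or of either poster's environment; it reads the properties that the later ActiveDirectory PowerShell module's Get-ADTrust cmdlet returns (which did not exist in 2005), and the function name, the forest names and the sample trust objects are assumptions constructed for this example.

```powershell
# Added example, not from the thread: audit a DMZ forest's trusts against the
# posture described above (one-way trust only, DMZ trusts corporate, nothing
# trusting the DMZ). Property names are those of Get-ADTrust in the later
# ActiveDirectory module; function name, forest names and sample objects are
# constructed for this example.

function Test-DmzTrustPosture {
    param(
        # Trust objects as returned by: Get-ADTrust -Filter *  (run on a DMZ DC)
        [Parameter(Mandatory)] [object[]] $Trusts,
        # The only forest the DMZ forest is allowed to trust (assumed name)
        [Parameter(Mandatory)] [string] $CorporateForest
    )

    $findings = New-Object System.Collections.Generic.List[object]
    function Add-Finding([string]$Trust, [string]$Severity, [string]$Issue) {
        $findings.Add([pscustomobject]@{ Trust = $Trust; Severity = $Severity; Issue = $Issue })
    }

    foreach ($t in $Trusts) {
        if ($t.IntraForest) { continue }   # trusts between domains of the DMZ forest itself are out of scope

        if (-not ($t.Target -ieq $CorporateForest)) {
            Add-Finding $t.Name 'High' "External trust to '$($t.Target)'; the DMZ forest should trust nothing but $CorporateForest"
            continue
        }

        # Direction is read from the DMZ side: Outbound means the DMZ forest trusts
        # corporate (corporate admins can manage DMZ hosts). Inbound or BiDirectional
        # means corporate trusts the DMZ forest, the "trusting what should be
        # non-trusted" case the reply warns about.
        switch ("$($t.Direction)") {
            'Outbound'      { }
            'Inbound'       { Add-Finding $t.Name 'High' 'Corporate trusts the DMZ forest; expected a one-way trust in the other direction' }
            'BiDirectional' { Add-Finding $t.Name 'High' 'Two-way trust; corporate accepts authentication from the DMZ forest' }
            default         { Add-Finding $t.Name 'Medium' "Unexpected trust direction '$($t.Direction)'" }
        }

        if (-not $t.SelectiveAuthentication) {
            Add-Finding $t.Name 'Medium' 'Selective authentication is off; every corporate account can authenticate to DMZ hosts instead of only those granted "Allowed to Authenticate"'
        }

        # SID filtering is reported on a different flag depending on the trust kind
        # (assumption about which flag applies; both are real Get-ADTrust properties).
        $sidFilterOn = if ($t.ForestTransitive) { $t.SIDFilteringForestAware } else { $t.SIDFilteringQuarantined }
        if (-not $sidFilterOn) {
            Add-Finding $t.Name 'High' 'SID filtering appears disabled; SID history presented by the corporate side would be honoured on DMZ resources'
        }
    }
    return $findings
}

# Constructed sample input standing in for Get-ADTrust output on a DMZ DC:
# a badly configured corporate trust and a trust to a forest that should not exist.
$sampleTrusts = @(
    [pscustomobject]@{ Name = 'corp.example'; Target = 'corp.example'; Direction = 'BiDirectional'
                       ForestTransitive = $true; IntraForest = $false; SelectiveAuthentication = $false
                       SIDFilteringForestAware = $true; SIDFilteringQuarantined = $false },
    [pscustomobject]@{ Name = 'partner.example'; Target = 'partner.example'; Direction = 'Outbound'
                       ForestTransitive = $false; IntraForest = $false; SelectiveAuthentication = $true
                       SIDFilteringForestAware = $false; SIDFilteringQuarantined = $true }
)

Test-DmzTrustPosture -Trusts $sampleTrusts -CorporateForest 'corp.example' | Format-Table -AutoSize -Wrap

# On a real DMZ domain controller with the ActiveDirectory module loaded:
# Test-DmzTrustPosture -Trusts (Get-ADTrust -Filter *) -CorporateForest 'corp.example'
```

With the constructed input the corporate trust produces two findings (two-way direction, selective authentication off) and the partner trust one (a trust the DMZ forest should not have). The checks are evaluated from the DMZ side on purpose: the DMZ forest is the one that must remain untrusted by corporate, so its own trust objects are where an inbound or two-way trust, or a missing selective-authentication flag, shows up first.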
