Re: Firewall & DMZ

From: "Jad Hammoud" <jhamoud@idealcommunications.net>
Date: Thu, 12 Dec 2002 10:49:14 +0200


The IIS server not knowing that the internal network exists is not entirely
true. Picture the scenario where you have a web server and a database
server. Normally you would leave your IIS servers in the DMZ and put your
database servers on an internal network (that's assuming that this is a
hosting infrastructure not a corporate LAN for example). You would then
allow the DB machine to accept secured communications from the IIS machine.
So in short, the IIS in the DMZ should be connected to the internal network
(well for your purposes at least).

--
Jad Hammoud
ABEO (Ideal Communications)
Celtec Bldg., Unesco
P.O.Box 11-6876, Beirut, Lebanon
Tel : 961 1 816637 ext 3307
Fax : 961 1 319135
"Alexis Arrowsmith" <alexis@emj.ca> wrote in message
news:OB8Le5ToCHA.216@TK2MSFTNGP11...
> Thanks for the reply.  Sorry I couldn't frame the question better but I
> guess that shows up my confusion!
> What I just don't seem to get is how to get the IIS Server in the DMZ to
> initiate a connection into the internal network.  My understanding is that
> the DMZ IIS server essentially has no knowledge of the internal network, and
> that only connections initiated from inside to outside are allowed
>
> My scenario is basically like you described.
> IIS receives XML post which represents a real time inventory request.
> I need to pass Request inside perform the query and return the result to the
> original requestor .. but I don't understand how to get the info inside!!!
>
>
>
> "Jad Hammoud" <jhamoud@idealcommunications.net> wrote in message
> news:euQAAVPoCHA.1612@TK2MSFTNGP12...
> > I'm not too sure I understand what you're trying to do, but first off what
> > you're gonna need is something inside your network to receive the posts. As
> > a rough example what you could do would be to write the posts to a DB from
> > your IIS machine and then have a trigger on the DB do some work. If that's
> > what you were going to do, then the best way to secure the data transfer is
> > to require IPSec encryption between all machines in the DMZ and the internal
> > network. Regarding the firewall between the DMZ and your internal network,
> > what ports you open will be dependent on how you choose to secure the data.
> > IPSec will require certain ports be opened, for more info on that read up on
> > the Microsoft documentation for implementing IPSec.
> >
> > In terms of how the data gets transferred, you could also try to build a web
> > service using ASP.NET to do the work for you. This seems ideal for the
> > situation. Your IIS machine in the DMZ would receive the initial XML post,
> > and send it to the web service on an application server inside your internal
> > network. This data can also be secured using IPSec.
> >
> > --
> > Jad Hammoud
> > ABEO (Ideal Communications)
> > Celtec Bldg., Unesco
> > P.O.Box 11-6876, Beirut, Lebanon
> > Tel : 961 1 816637 ext 3307
> > Fax : 961 1 319135
> > "Alexis Arrowsmith" <alexis@emj.ca> wrote in message
> > news:#QhInkKoCHA.2428@TK2MSFTNGP10...
> > > Hello,
> > >
> > > I am hoping for a little clarification on a few issues.  Specifically I have
> > > an IIS server in a DMZ accepting XML posts (sent via HTTP).  I need to be
> > > able to get the posts inside into our internal network, once inside I can
> > > open the posts and return the requested information.
> > >
> > > How do I get the file from the DMZ to the internal network in a secure
> > > manner?
> > > Do ports have to be open?
> > > Etc, etc,
> > >
> > > Basically I am just having a brain freeze understanding how to get the data
> > > inside.
> > >
> > > Any suggestions would really help me out
> > >
> > > Thanks,
> > >
> > > Alexis
> > >
> > >
> >
> >
>
>
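
An added example, not part of the original posts: a first-match model of the DMZ-to-internal firewall policy the thread describes, where only the IIS host may reach the DB host and only over IPSec (IKE on UDP 500 plus ESP). All addresses are constructed, the rule format is hypothetical, and it assumes no NAT between the two zones (NAT traversal would also need UDP 4500).

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed addressing for illustration; none of these values come from the thread.
IIS_HOST = "192.0.2.10/32"      # web server in the DMZ
DB_HOST = "10.0.0.20/32"        # database server on the internal network
DMZ_NET = "192.0.2.0/24"
INTERNAL_NET = "10.0.0.0/24"

@dataclass(frozen=True)
class Rule:
    action: str            # "allow" or "deny"
    src: str               # source CIDR
    dst: str               # destination CIDR
    proto: str             # "udp", "tcp", "esp" or "any"
    dport: Optional[int]   # None matches any port (ESP has no ports)

# DMZ -> internal policy: only the IPSec exchange between the two named hosts.
POLICY = [
    Rule("allow", IIS_HOST, DB_HOST, "udp", 500),      # IKE key negotiation
    Rule("allow", IIS_HOST, DB_HOST, "esp", None),     # ESP, IP protocol 50
    Rule("deny", DMZ_NET, INTERNAL_NET, "any", None),  # everything else from the DMZ
]

def _matches(rule, src, dst, proto, dport):
    return (ipaddress.ip_address(src) in ipaddress.ip_network(rule.src)
            and ipaddress.ip_address(dst) in ipaddress.ip_network(rule.dst)
            and rule.proto in ("any", proto)
            and rule.dport in (None, dport))

def evaluate(src, dst, proto, dport=None, policy=POLICY):
    """First matching rule wins; anything unmatched is denied."""
    for rule in policy:
        if _matches(rule, src, dst, proto, dport):
            return rule.action
    return "deny"

def broad_allows(policy):
    """Allow rules whose source or destination is wider than a single host."""
    return [r for r in policy if r.action == "allow" and
            (ipaddress.ip_network(r.src).num_addresses > 1
             or ipaddress.ip_network(r.dst).num_addresses > 1)]
```

Because the database traffic travels inside ESP, the firewall never needs a rule for the database port itself; a cleartext connection from the IIS host to that port falls through to the deny rule.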

