Title: Internet Security and Acceleration Server in the DMZ Steve Gombotz Support Professional Windows 2000
Internet Security and Acceleration Server in the DMZ
Steve Gombotz, Support Professional, Windows 2000 Networking, Microsoft Corporation
Overview
- What is a demilitarized zone (DMZ), or perimeter network?
- Different types of perimeter networks
- How to implement perimeter networks with Microsoft ISA Server 2000
- Perimeter network examples
- Troubleshooting
- Questions
What Is a DMZ?
- DMZs are also known as perimeter networks or screened networks
- A network region separate from the private internal network, but with access from the external world still restricted
- Created to give untrusted users access to required data while minimizing the risk to the internal network
- Servers in the DMZ are considered expendable: they could be lost and should only host data that is easily replaced
Different Types of Perimeter Networks
- Three-homed or three-legged perimeter network
- Back-to-back perimeter network
Three-Homed Perimeter Network: Requirements
- Perimeter network interface and subnet must have publicly routable IP addresses
- External ISA interface and perimeter network interface must be on separate subnets
- Perimeter network IP addresses are considered external and are never in the LAT (local address table)
- Networks external to ISA must have a route to the perimeter network with the external interface of ISA as the gateway
Perimeter Network with Three-Homed Firewall (diagram slide)
Three-Homed Perimeter Network: Access Control
- Access to the perimeter network is controlled by static packet filters
- Inbound packet filters allow external traffic in and let the response back out
- Outbound filters are needed if traffic is originating on the perimeter network
- Understanding the flow of traffic to and from the perimeter network is all about perspective:
  - Where is the traffic coming from?
  - Where is the traffic going to?
Three-Homed Perimeter Network (diagram slide)
Understanding Packet Filtering
[Diagram: a three-homed ISA Server with interfaces 192.168.2.1, 192.168.1.1 and 10.0.0.1 sits between the Perimeter Network (host 192.168.2.200) and the Internal Network; the packet filter below is configured on the ISA Server]

Packet filter:
Protocol | Direction | Destination / Port | Source / Port | Type
TCP      | Incoming  | 192.168.2.200 / 25 | Any / Any     | Allow
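The following is an added example, not code from the webcast or from Microsoft: a small Python model of how the static packet filter in the table above behaves in a three-homed design, following the "perspective" rule from the Access Control slide. The inbound filter from the table admits external SMTP traffic to 192.168.2.200 and lets the matching response back out; traffic that originates on the perimeter host (the Outbound SMTP example) is dropped until an outbound filter is added. The perimeter subnet 192.168.2.0/24 and the external addresses 203.0.113.5 and 198.51.100.7 are constructed for the example, and the filter semantics are simplified to first-match, deny-by-default.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Union

# Constructed topology, following the diagram: the perimeter subnet hangs off the
# ISA Server's 192.168.2.1 interface and 192.168.2.200 is the perimeter host.
# These addresses are never placed in the LAT, so ISA treats them as external.
PERIMETER_NET = ip_network("192.168.2.0/24")
PERIMETER_HOST = "192.168.2.200"

@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int

@dataclass(frozen=True)
class PacketFilter:
    """One row of the static packet filter table (fields as in the slide's table)."""
    proto: str
    direction: str                 # "Incoming" (outside -> perimeter) or "Outgoing"
    dst: str                       # address or "Any"
    dport: Union[int, str]         # port number or "Any"
    src: str
    sport: Union[int, str]
    action: str = "Allow"

def _match(wanted, actual) -> bool:
    return wanted == "Any" or str(wanted) == str(actual)

def _on_perimeter(addr: str) -> bool:
    return ip_address(addr) in PERIMETER_NET

def _filter_matches(f: PacketFilter, pkt: Packet) -> bool:
    if f.proto != pkt.proto:
        return False
    # The packet exactly as the filter describes it ...
    forward = (_match(f.dst, pkt.dst) and _match(f.dport, pkt.dport)
               and _match(f.src, pkt.src) and _match(f.sport, pkt.sport))
    # ... or the response to it: the same conversation with the ends swapped.
    response = (_match(f.dst, pkt.src) and _match(f.dport, pkt.sport)
                and _match(f.src, pkt.dst) and _match(f.sport, pkt.dport))
    inbound = (not _on_perimeter(pkt.src)) and _on_perimeter(pkt.dst)
    outbound = _on_perimeter(pkt.src) and (not _on_perimeter(pkt.dst))
    if f.direction == "Incoming":
        # An inbound filter lets external traffic in and the reply back out.
        return (forward and inbound) or (response and outbound)
    if f.direction == "Outgoing":
        # An outbound filter covers traffic that originates on the perimeter.
        return (forward and outbound) or (response and inbound)
    raise ValueError(f"unknown direction {f.direction!r}")

def evaluate(filters: List[PacketFilter], pkt: Packet) -> str:
    """Return the action of the first matching filter; no match means the
    packet is dropped (deny by default in this model)."""
    for f in filters:
        if _filter_matches(f, pkt):
            return f.action
    return "Block"

# The filter from the slide's table: inbound SMTP to the perimeter host.
INBOUND_SMTP = PacketFilter("TCP", "Incoming", PERIMETER_HOST, 25, "Any", "Any")
# The filter the Outbound SMTP example needs: mail originating on the perimeter host.
OUTBOUND_SMTP = PacketFilter("TCP", "Outgoing", "Any", 25, PERIMETER_HOST, "Any")

# Constructed sample traffic (external addresses taken from documentation ranges).
EXT_CLIENT = Packet("TCP", "203.0.113.5", 40000, PERIMETER_HOST, 25)   # outside -> our host
EXT_CLIENT_REPLY = Packet("TCP", PERIMETER_HOST, 25, "203.0.113.5", 40000)
OUR_RELAY = Packet("TCP", PERIMETER_HOST, 3000, "198.51.100.7", 25)   # our host -> remote MX
OUR_RELAY_REPLY = Packet("TCP", "198.51.100.7", 25, PERIMETER_HOST, 3000)
EXT_TO_HTTP = Packet("TCP", "203.0.113.5", 40001, PERIMETER_HOST, 80)

def demo():
    """Evaluate the sample packets with only the inbound filter, then with both."""
    only_in = [INBOUND_SMTP]
    both = [INBOUND_SMTP, OUTBOUND_SMTP]
    return {
        "inbound smtp, inbound filter only": evaluate(only_in, EXT_CLIENT),
        "inbound reply, inbound filter only": evaluate(only_in, EXT_CLIENT_REPLY),
        "outbound smtp, inbound filter only": evaluate(only_in, OUR_RELAY),
        "outbound smtp, both filters": evaluate(both, OUR_RELAY),
        "outbound reply, both filters": evaluate(both, OUR_RELAY_REPLY),
        "inbound http, both filters": evaluate(both, EXT_TO_HTTP),
    }

if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:40} {verdict}")
```

Running the block shows the inbound SMTP connection and its reply allowed by the single table row, the relay's own outbound SMTP blocked until the outgoing filter is present, and HTTP to the perimeter host blocked throughout, because neither filter describes that conversation from either end.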
Three-Homed Perimeter Network: Example Inbound SMTP (three diagram slides)
Three-Homed Perimeter Network: Example Outbound SMTP (four diagram slides)
Three-Homed Perimeter Network: Troubleshooting
- Use Telnet to verify that communication can be established to a certain port
- Ping should not be used as a testing tool, because ICMP traffic will not be routed through to the perimeter network
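As an added example (not part of the webcast), the following Python script does what the "telnet to the port" check on this slide does: it completes a TCP handshake to a host and port and reads whatever greeting the service sends, which for an SMTP listener is a 220 line. It deliberately uses no ICMP, for the reason the slide gives. The loopback listener, its banner text and the `check_port`, `start_fake_smtp_listener` and `unused_port` names are constructed so the check can be run offline; in practice you point it at the perimeter host and port 25.

```python
import socket
import sys
import threading

def check_port(host: str, port: int, timeout: float = 3.0):
    """Try a TCP connection to host:port, as 'telnet host port' would.
    Returns (reachable, banner): reachable is True when the handshake
    completes; banner is the first greeting the service sent (an SMTP
    listener answers with a 220 line), or '' if it sent nothing in time."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.settimeout(1.0)
            try:
                data = s.recv(512)
            except socket.timeout:
                data = b""
            return True, data.decode("ascii", "replace").strip()
    except OSError:
        # Refused, timed out or unreachable: either nothing is listening or a
        # packet filter / missing route is stopping the TCP handshake.
        return False, ""

def start_fake_smtp_listener() -> int:
    """Constructed stand-in for the perimeter SMTP host so the check can run
    offline: accepts one connection on loopback, sends a 220 greeting, closes.
    Returns the port it is listening on."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]

    def serve():
        conn, _ = srv.accept()
        conn.sendall(b"220 mail.example.test ESMTP (constructed banner)\r\n")
        conn.close()
        srv.close()

    threading.Thread(target=serve, daemon=True).start()
    return port

def unused_port() -> int:
    """Pick a loopback port with nothing listening, to show the failure case."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.bind(("127.0.0.1", 0))
    port = s.getsockname()[1]
    s.close()
    return port

if __name__ == "__main__":
    if len(sys.argv) == 3:
        host, port = sys.argv[1], int(sys.argv[2])   # e.g. the perimeter host and 25
    else:
        host, port = "127.0.0.1", start_fake_smtp_listener()
    ok, banner = check_port(host, port)
    print(f"{host}:{port} reachable={ok} banner={banner!r}")
```

A connection that succeeds but returns an empty banner still proves the filter and route are correct; only the service on the host is then left to investigate.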
Back-to-Back Perimeter Network: Requirements
- Two firewalls (ISA Servers) are required
- Only the external interface of the external ISA Server contains routable IP addresses
- The LAT of the external ISA Server contains all IP addresses from the perimeter network, including the external IP address of the internal ISA Server
- The LAT of the internal ISA Server contains only the addresses of the internal network
Back-to-Back Perimeter Network: Access Control
- Web or server publishing is used to allow external traffic to access servers in the perimeter network
- Web or server publishing is also used to allow perimeter network servers to access servers on the internal network
- Protocol rules are used to allow outbound traffic from either the internal or perimeter network
Perimeter Network with Back-to-Back Firewalls (two diagram slides)
Back-to-Back Perimeter Network: Example
- An IIS Server in the perimeter network needs to access a SQL database on the internal network
- Configure a Web publishing rule on the external ISA Server to allow traffic to the IIS Server
- Configure a server publishing rule on the internal ISA Server to allow traffic from the IIS Server to reach the Microsoft SQL Server
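The following is an added example, not from the webcast, that ties the Requirements, Access Control and Example slides for the back-to-back design together: each ISA Server classifies an address as internal if it is in that server's LAT and external otherwise, and for every firewall a flow crosses the model reports whether a publishing rule (external to internal) or a protocol rule (internal to external) is needed. The subnets, the ISA addresses and the client and server addresses are constructed. One assumption is built in and labelled in the code: outbound traffic leaves an ISA Server with that server's external address as its source, which is why the external ISA's LAT must list the internal ISA's external IP.

```python
from ipaddress import ip_address, ip_network

# Constructed topology for a back-to-back DMZ (all addresses are illustrative):
#   Internet -- external ISA -- perimeter 192.168.2.0/24 -- internal ISA -- internal 10.0.0.0/8
INTERNAL_NET = ip_network("10.0.0.0/8")
PERIMETER_NET = ip_network("192.168.2.0/24")
ISA_EXTERNAL_IP = {
    "external ISA": ip_address("198.51.100.1"),  # the only routable address in the design
    "internal ISA": ip_address("192.168.2.1"),   # its perimeter-facing interface
}

# Each ISA Server's LAT, as the Requirements slide describes it.
LAT = {
    # external ISA: the whole perimeter network, including the internal ISA's external IP
    "external ISA": [PERIMETER_NET, ip_network("192.168.2.1/32")],
    # internal ISA: only the internal network
    "internal ISA": [INTERNAL_NET],
}

ZONES = ["Internet", "perimeter", "internal"]          # in physical order
FIREWALL_BETWEEN = {(0, 1): "external ISA", (1, 2): "internal ISA"}

def zone(addr: str) -> str:
    """Which segment of the constructed topology an address sits on."""
    a = ip_address(addr)
    if a in INTERNAL_NET:
        return "internal"
    if a in PERIMETER_NET:
        return "perimeter"
    return "Internet"

def side(isa: str, addr: str) -> str:
    """How a given ISA Server classifies an address: in its LAT means internal."""
    return "internal" if any(ip_address(addr) in net for net in LAT[isa]) else "external"

def rules_for_flow(src: str, dst: str):
    """Return a list of (ISA Server, rule type) for every firewall the flow crosses."""
    i, j = ZONES.index(zone(src)), ZONES.index(zone(dst))
    step = 1 if j > i else -1
    needed = []
    current_src = src
    for k in range(i, j, step):
        isa = FIREWALL_BETWEEN[(min(k, k + step), max(k, k + step))]
        s, d = side(isa, current_src), side(isa, dst)
        if s == "external" and d == "internal":
            needed.append((isa, "Web or server publishing rule"))
        elif s == "internal" and d == "external":
            needed.append((isa, "protocol rule"))
            # Assumption of this model: outbound traffic leaves the ISA Server
            # with the ISA's own external address as its source, which is why
            # the next firewall's LAT has to include that address.
            current_src = str(ISA_EXTERNAL_IP[isa])
        else:
            needed.append((isa, "no rule type applies: both ends look external to this ISA Server"))
    return needed

def demo():
    return {
        "Internet client -> IIS in perimeter": rules_for_flow("203.0.113.9", "192.168.2.10"),
        "IIS in perimeter -> SQL on internal": rules_for_flow("192.168.2.10", "10.0.0.50"),
        "internal client -> Internet": rules_for_flow("10.0.0.5", "203.0.113.9"),
        "internal to internal": rules_for_flow("10.0.0.5", "10.0.0.6"),
    }

if __name__ == "__main__":
    for flow, rules in demo().items():
        print(flow)
        for isa, rule in rules or [("(no firewall crossed)", "-")]:
            print(f"    {isa}: {rule}")
```

The IIS-to-SQL flow from the example slide crosses only the internal ISA Server, which sees the IIS source as external and SQL as internal, hence the server publishing rule there; the Internet-to-IIS flow crosses only the external ISA Server, hence the Web publishing rule. An internal client reaching the Internet needs a protocol rule on both servers, and the second one only works because the internal ISA's external address is in the external ISA's LAT.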
Back-to-Back Perimeter Network: Troubleshooting
- Telnet is still good to use to determine whether the ISA Servers are listening on the correct ports
- Follow the troubleshooting steps for publishing in a normal, single ISA Server environment
Thank you for joining us for today's Microsoft Support WebCast.
For information about all upcoming Support WebCasts and access to the archived content (streaming media files, PowerPoint slides, and transcripts), please visit http://support.microsoft.com/webcasts/
We sincerely appreciate your feedback. Please send any comments or suggestions regarding the Support WebCasts to feedback@microsoft.com and include "Support WebCasts" in the subject line.