iis security, June 2004
Windows 2003 server in DMZ for websites
I have a Windows SBS 2003 behind a PIX firewall with several clients behind the SBS. I want to place a Windows 2003 server in the DMZ to host a couple of external sites. I have enough static IPs to support the site. I am searching for a good resource to answer several questions related to managing the server in the DMZ:

1. Should the server in the DMZ be a stand-alone server with no connection to the backend network, or should it be a member server and dual-NIC'd, one to the DMZ LAN and one on the backend network behind the SBS? I believe making it a stand-alone is the preferred design, but I'm not sure how to control access.

2. How do I allow a remote user access to manage their site, which I would like to build for them?

I know it might be best to have a hosted service provided by others, but I happen to have the Windows 2003 server software, I have the server, and I have the interest to find out the correct way to run an external website in a Windows SBS 2003 environment.

What I am seeking answers to is what is best practice for security and protection of my internal SBS network, where an external site is required, and where the site will host content from customers who are not users within the SBS domain but need access to their site for placing content, managing that content, etc. If I make it a stand-alone in the DMZ, how do I manage it as well for normal routine system administration tasks?

Thanks!
Hi,

Having two cards in the server, one leading to the internet through the firewall and one bypassing it into the LAN, really destroys the point of having a firewall in the first place. If someone is able to hack your server in the DMZ he has free access to the LAN, so there is no point in having a DMZ. Servers and computers in the DMZ should not have any direct access to the LAN in any way (either by bypassing the firewall or by rules on the firewall)...

Since there should be no communication between DMZ and LAN (in the direction DMZ to LAN), servers in the DMZ should be standalone servers. If you have them in the domain, your firewall will have more holes in it than cheese.

Regarding remote administration, you could allow e.g. Terminal Service access only from LAN to DMZ, and administrators of the web site content could use FrontPage for administration...

I hope this helps you out at least a bit,

Mike
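A policy check for the design Mike describes, as an added example that is not part of the original thread: it audits a constructed set of firewall rules (the zone CIDRs, the Rule shape and the sample rules are all assumptions) and flags any permit from DMZ to LAN, and any Terminal Services (RDP, TCP 3389) path into the DMZ that does not originate from the LAN.

```python
from dataclasses import dataclass
from ipaddress import ip_network
from typing import List, Optional

# Constructed zone layout (assumption, not from the thread); anything outside
# both zones is treated as the internet.
ZONES = {"LAN": ip_network("192.168.16.0/24"), "DMZ": ip_network("192.168.200.0/24")}
RDP_PORT = 3389  # Terminal Services


@dataclass(frozen=True)
class Rule:
    action: str          # "permit" or "deny"
    src: str             # source CIDR
    dst: str             # destination CIDR
    port: Optional[int]  # destination TCP port, None = any port


def zone_of(cidr: str) -> str:
    net = ip_network(cidr)
    for name, zone in ZONES.items():
        if net.subnet_of(zone):
            return name
    return "OUTSIDE"


def audit(rules: List[Rule]) -> List[str]:
    """One finding per permit rule that breaks the DMZ design described in the thread."""
    findings = []
    for r in rules:
        if r.action != "permit":
            continue
        src_zone, dst_zone = zone_of(r.src), zone_of(r.dst)
        # Nothing initiated in the DMZ may reach the LAN (a dual-NIC box bypasses this entirely).
        if src_zone == "DMZ" and dst_zone == "LAN":
            findings.append(f"DMZ->LAN permitted: {r.src} -> {r.dst} port {r.port}")
        # Terminal Services into the DMZ only from the LAN; "any port" counts as RDP too.
        if dst_zone == "DMZ" and src_zone != "LAN" and r.port in (None, RDP_PORT):
            findings.append(f"RDP into DMZ from {src_zone}: {r.src} -> {r.dst} port {r.port}")
    return findings


# Constructed rule set: public web/FTP server in the DMZ plus two mistakes.
SAMPLE_RULES = [
    Rule("permit", "0.0.0.0/0", "192.168.200.10/32", 80),         # public web: fine
    Rule("permit", "0.0.0.0/0", "192.168.200.10/32", 21),         # customer FTP: fine
    Rule("permit", "192.168.16.0/24", "192.168.200.0/24", 3389),  # admin RDP from LAN: fine
    Rule("permit", "192.168.200.10/32", "192.168.16.0/24", 445),  # DMZ host into LAN: flagged
    Rule("permit", "0.0.0.0/0", "192.168.200.10/32", 3389),       # RDP from internet: flagged
]
```

Running `audit(SAMPLE_RULES)` returns exactly the two flagged rules; a VPN that terminates on the LAN side is covered by the LAN rule, which is why admin access over VPN passes.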
Mike,

Thanks for confirming what I identified in my post, where I indicated I thought making it a stand-alone would be the preferred design where security is the focus. I just wanted to throw the question out there in the event there was some cool way to manage security at the server level in a dual-NIC'd Windows server design, allowing for easier administration.

While I do my best to stay current, the Windows server environment is a bit new to me and I accept that there are many things I do not know, so I'd better ask! :-)

~ bits
On Sat, 26 Jun 2004 23:22:47 GMT, "bits on glass" <news@evanetllc.com> wrote:

> I have a Windows SBS 2003 behind a PIX firewall with several clients behind the SBS. I want to place a Windows 2003 server in the DMZ to host a couple of external sites. I have enough static IPs to support the site. I am searching for a good resource to answer several questions related to managing the server in the DMZ:
>
> 1. Should the server in the DMZ be a stand-alone server with no connection to the backend network, or should it be a member server and dual-NIC'd, one to the DMZ LAN and one on the backend network behind the SBS? I believe making it a stand-alone is the preferred design, but not sure how to control access.

Stand alone unless you have a reason not to. Since you're asking the question, you don't have a valid reason to make the system part of a domain. :) You would never add a second internal NIC to a server in the DMZ. That negates the DMZ.

> 2. How do I allow a remote user access to manage their site, which I would like to build for them?

Depends on what "manage" means in this case. Might look at using a control panel. IIS control panels:

http://www.adsi4nt.com/
http://www.nthelp.org/

> I know it might be best to have a hosted service provided by others, but I happen to have the Windows 2003 server software, I have the server and I have the interest to find out the correct way to run an external website in a Windows SBS 2003 environment.

It's still best to put it elsewhere. :)

> What I am seeking answers to is what is best practice for security and protection of my internal SBS network, where an external site is required, and where the site will host content from customers who are not users within the SBS domain but need access to their site for placing content, managing that content, etc. If I make it a stand-alone in the DMZ, how do I manage it as well for normal routine system administration tasks?

Provide a remote control solution for your administration, such as Terminal Services. Using a VPN is preferable. For customers to manage content, set up FTP access for them.
It's really hard and uneasy to give security configuration advice with so little information... There are many things to take into consideration when planning such an environment. I try to do my best from my personal experience and how I would advise my clients. If you have any more questions along the way, stop by :-)

Mike
In addition to the other answers here, be sure you have read the documents at www.microsoft.com/technet/security on how to harden Win2003. One of the documents even describes how to configure it as a "bastion host."