James McIllece [MS] wrote:
> malc <(E-Mail Removed)> wrote in
> news:(E-Mail Removed):
>
>
>>Hi all,
>>
>>I am in the process of redesigning certain parts of my network. As I
>>want to implement an L2TP VPN on Windows Server 2003 and have a
>>protected IIS site (on a separate server to the VPN) available from
>>the internet, I am looking at implementing a DMZ.
>>
>> As I understand it, I need to have a system designed a little like the
>>following, with the only route through the DMZ into the internal
>>network being through the VPN server with two network cards:
>>
>> Internet
>> |
>> Firewall
>> | |
>> | VPN + IIS (DMZ)
>> | |
>> Internal network
>>
>>the problem I am facing is how best to configure the VPN server in the
>>DMZ; I am at the situation where clients connecting are given an IP
>>address on the internal network (thus not really being part of the DMZ
>>at all).
>> Are there any tutorials on how this type of configuration should be
>>achieved? Or am I missing something here?
>>
>>Thanks,
>>
>>Malc
>>
>
>
> Hi Malc --
>
> I'm not sure what you are trying to accomplish -- do you want remote
> clients to be able to connect to the internal network, the IIS server, or
> both?
>
> If the answer is both, you might consider moving the IIS server onto the
> internal network. Then clients can connect to the LAN via the VPN server
> and access the intranet resource (the IIS server). If you do this, the IIS
> server is also in a more secure position.
>
> If that isn't what you are trying to accomplish, please explain further and
> I will be happy to help.
>
>
James,
thanks for the reply.
I am looking to have two groups of clients, one that will have access
to the internal network and one that will have access to the IIS server
in the DMZ.
For this to work, I believe that all of the clients will need to be
given an IP address in the DMZ, and the ones that need access to the
internal network use the VPN server as a gateway.
So far, all of my attempts have failed - either the clients have an IP
address in the DMZ and are able to access the IIS server but nothing
else, or they have an IP address on the internal network bypassing the
DMZ entirely.
thanks again,
Malc
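A worked model of the split described in this thread, added here as an illustration and not taken from either poster's configuration. It treats the VPN server's internal-facing leg (or the firewall between DMZ and internal) as a first-match, default-deny packet filter and hands each client group its own address pool inside the DMZ, so the filter can decide on source address alone. All addresses (DMZ 192.0.2.0/24, IIS host 192.0.2.10, pool A 192.0.2.128/26, pool B 192.0.2.192/26, internal 10.10.0.0/16) and the flows it checks are assumed for the example. It also shows the second failure mode from the post: a client handed an internal address never crosses the boundary, so the filter cannot see it at all.

```python
"""Policy check for a two-group VPN in a DMZ (added example; addresses assumed).

Layout assumed for illustration only:
  DMZ        192.0.2.0/24   IIS host 192.0.2.10
  Pool A     192.0.2.128/26 VPN clients allowed into the internal network
  Pool B     192.0.2.192/26 VPN clients allowed to the IIS site only
  Internal   10.10.0.0/16
"""
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network

DMZ = ip_network("192.0.2.0/24")
IIS = ip_network("192.0.2.10/32")
POOL_A = ip_network("192.0.2.128/26")
POOL_B = ip_network("192.0.2.192/26")
INTERNAL = ip_network("10.10.0.0/16")


@dataclass(frozen=True)
class Rule:
    src: IPv4Network
    dst: IPv4Network
    ports: frozenset  # empty set means any destination port
    action: str       # "allow" or "deny"


# First match wins; anything not matched is denied.
RULES = [
    Rule(POOL_A, INTERNAL, frozenset(), "allow"),          # group A into the LAN
    Rule(POOL_A, IIS, frozenset({80, 443}), "allow"),      # group A to the site
    Rule(POOL_B, IIS, frozenset({80, 443}), "allow"),      # group B to the site only
    Rule(DMZ, INTERNAL, frozenset(), "deny"),              # DMZ hosts (incl. IIS) stay out
]


def decide(src: str, dst: str, port: int) -> str:
    """Return 'allow', 'deny', or 'unfiltered' for one flow.

    'unfiltered' means both ends are internal: the flow never reaches the
    DMZ/internal boundary, which is exactly what happens when VPN clients are
    handed internal addresses and bypass the DMZ.
    """
    s, d = ip_address(src), ip_address(dst)
    if s in INTERNAL and d in INTERNAL:
        return "unfiltered"
    for r in RULES:
        if s in r.src and d in r.dst and (not r.ports or port in r.ports):
            return r.action
    return "deny"


# Constructed flows with the outcome the design requires.
EXPECTED = [
    ("192.0.2.130", "10.10.1.20", 445, "allow"),    # pool A file share on LAN
    ("192.0.2.130", "192.0.2.10", 443, "allow"),    # pool A to the IIS site
    ("192.0.2.130", "192.0.2.10", 22, "deny"),      # pool A, non-web port on IIS
    ("192.0.2.200", "192.0.2.10", 80, "allow"),     # pool B to the IIS site
    ("192.0.2.200", "10.10.1.20", 445, "deny"),     # pool B must not reach LAN
    ("192.0.2.10", "10.10.1.30", 1433, "deny"),     # compromised IIS host to LAN DB
    ("10.10.200.5", "10.10.1.20", 445, "unfiltered"),  # client given a LAN address
]


def check_policy():
    """Return the flows whose decision differs from EXPECTED (empty = policy holds)."""
    return [(s, d, p, decide(s, d, p), want)
            for s, d, p, want in EXPECTED if decide(s, d, p) != want]


if __name__ == "__main__":
    for s, d, p, want in EXPECTED:
        print(f"{s:>12} -> {d:<12} :{p:<5} {decide(s, d, p)}")
    print("violations:", check_policy())
```

The point the model makes is that the group split has to exist in the address assignment (one pool per group, both inside the DMZ) before the filter between DMZ and internal can enforce it; once clients land directly on the internal network there is no boundary left for the rules to apply to.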