DMZ windows member server

 
 
Fredrick A. Zilz
02-01-2005, 04:27 PM
If someone can point me in the right direction:

I have a web server on my LAN (Windows 2003 network - web server is a
Windows 2003 member server). I want to move the server to my DMZ. My LAN
uses private IP addresses with a scope of 192.168.1.0 - 255; my web server
currently has a static NAT at my firewall with a public IP on the internet
translated to its private address on my LAN. The web server has a number of
web applications (ASP.NET) that work with my SQL server, which is on my LAN.
Currently my SQL server is hidden behind my firewall's IP address, as are my
other servers and desktops etc. My firewall is a Check Point firewall and
its rules allow HTTP and HTTPS traffic to my web server. (I use an internal
DNS on my LAN.)

I tried moving my web server to my DMZ - I changed the IP address to be in
the scope of my DMZ (192.168.2.0 - 255), changed my internal DNS to reflect
the new IP address, changed my firewall rules to show that the new internal
IP address of my web server was the new IP address, and set two rules on my
firewall, one allowing all traffic from my LAN to my DMZ and the other
allowing all traffic from my web server to my LAN (not the rules I would
leave in place, but I wanted to get this working first, then close the doors).
I was able to open web pages from a desktop on my LAN pulled from my
web server, but no Windows authentication seemed to be working (when I went
to a site that required authentication I would get an error message that
stated that no server was available for authentication; sorry, I did not
write down the exact message and had to set everything back the way it was).
I do not have the luxury of a test environment to get this working before
applying to my working environment.

A couple of things I am questioning: DNS - can I use my internal DNS, i.e. can my
DMZ access my internal IP addresses on my LAN? The IP addresses are set up as
192.168.1.xxx 255.255.255.0, and on my DMZ 192.168.2.xxx 255.255.255.0.
What do I need to allow a server in my DMZ to authenticate web users against
my AD?

Thanks in advance for your assistance.


 
Phillip Windell
02-01-2005, 04:47 PM
"Fredrick A. Zilz" wrote in message:
> If someone can point me in the right direction:
>
> I have a web server on my LAN (Windows 2003 network - web server is a
> Windows 2003 member server). I want to move the server to my DMZ. My LAN


Then you have to remove it from the Domain and make it a Stand-Alone Server.
It will be cut off from the LAN and the Domain. That is what DMZs do, and
that is what they are for.

The Firewall will have to "publish" the SQL Server for the Web Server's
benefit.

Forget authenticating users... just forget it. Undo all the horrible
(security-wise) things you did with "forwarding" to make that work. It just
isn't going to happen. A RADIUS Server may be a solution, but I don't know
for sure. You are creating an awful lot of a mess when all you had to do
was leave the web server where it was on the LAN and just publish the web
site with the Firewall.

--

Phillip Windell [MCP, MVP, CCNA]
www.wandtv.com
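
An added example, not part of either post and not Check Point configuration: a small Python audit over a constructed rule list that flags DMZ-to-LAN rules broader than the single published SQL Server flow the reply describes. The host addresses 192.168.2.10 and 192.168.1.20, the rule names, and TCP 1433 (SQL Server's default port) are assumptions; only the two /24 scopes come from the thread.

```python
import ipaddress

# Scopes as given in the thread.
LAN = ipaddress.ip_network("192.168.1.0/24")
DMZ = ipaddress.ip_network("192.168.2.0/24")

# Constructed sample rule base; host addresses, names and tcp/1433 are assumptions.
RULES = [
    {"name": "inet-to-web", "src": "0.0.0.0/0", "dst": "192.168.2.10/32",
     "services": ["tcp/80", "tcp/443"]},
    {"name": "lan-to-dmz-all", "src": "192.168.1.0/24", "dst": "192.168.2.0/24",
     "services": ["any"]},
    {"name": "web-to-lan-all", "src": "192.168.2.10/32", "dst": "192.168.1.0/24",
     "services": ["any"]},
    {"name": "web-to-sql", "src": "192.168.2.10/32", "dst": "192.168.1.20/32",
     "services": ["tcp/1433"]},
]


def audit_dmz_to_lan(rules):
    """Return (rule name, reasons) for each DMZ-to-LAN rule that is too broad."""
    findings = []
    for rule in rules:
        src = ipaddress.ip_network(rule["src"])
        dst = ipaddress.ip_network(rule["dst"])
        # Only rules that let DMZ sources reach LAN destinations matter here.
        if not (src.overlaps(DMZ) and dst.overlaps(LAN)):
            continue
        reasons = []
        if "any" in rule["services"]:
            reasons.append("any service")
        if dst.num_addresses > 1:
            reasons.append("destination is a whole network")
        if src.num_addresses > 1:
            reasons.append("source is more than one host")
        if reasons:
            findings.append((rule["name"], reasons))
    return findings


if __name__ == "__main__":
    for name, reasons in audit_dmz_to_lan(RULES):
        print(f"{name}: {', '.join(reasons)}")
```

The temporary "all traffic from my web server to my LAN" rule is the only one flagged; the host-to-host SQL rule passes.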


 