"Mike Michael" <(E-Mail Removed)> wrote in message
news:E62F137F-AD67-48E8-A3C2-(E-Mail Removed)...
> We have an IP on a Windows 2K3 server in our DMZ. We need to allow a type of
> automated process to access an internal server via a specific port. The
> network/security folks do not want to just NAT on the firewall, they want to
> NAT on the perimeter, then "proxy" the connection to the internal server. So,
> since I happen to have a Windows server in the DMZ which already accesses
> said internal server, my straw was drawn.
> External client > firewall > my windows box in DMZ > firewall > internal server
> And in this hypothetical/make believe scenario, the W2K3 server would accept
> the connection and redirect to the internal server (is that proxy or relay?).
1. They cannot choose to "not" NAT at the firewall,...it isn't a choice, it
is a requirement,...the firewall is "in the way", and the only way into the
LAN is via it.
2. You can't proxy without a Proxy. You do not have a proxy. The only real
"proxy-based" Firewall product on the market worth mentioning right now
(that would fit this situation) is MS ISA Server. It is designed to
*replace* one or both of those Firewalls, not sit in the middle of the DMZ.
3. This is a Back-to-Back DMZ built between two Firewalls,..an Inner
Firewall and an Outer Firewall. These firewalls, particularly if they are
Appliances, are just simply NAT Boxes. We can debate all day about what
features they have or don't have,...but they are just NAT Boxes.
So there is only one way to get inbound traffic from a user on the "outside"
to a resource on the "inside".
Step 1. The Outer Firewall does a Static NAT (aka Reverse NAT) back to the Inner Firewall.
Step 2. The Inner Firewall does a Static NAT (aka Reverse NAT) back to the Resource on the "inside".
The Reverse NAT should only respond to traffic directed at the required
Initial Connection Port of the Application/Service being used. This is
almost always a single number. The random Client Source Ports do not have
to be accounted for on modern Firewalls that monitor the state of the
Session.
Adding anything in the center of the DMZ to pass the traffic through is
totally pointless; it doesn't accomplish anything and only overcomplicates
things and creates yet another way/place for the whole thing to fail.
--
Phillip Windell
www.wandtv.com
The views expressed, are my own and not those of my employer, or Microsoft,
or anyone else associated with me, including my cats.
-----------------------------------------------------
Understanding the ISA 2004 Access Rule Processing
http://www.isaserver.org/articles/IS...cessRules.html
Troubleshooting Client Authentication on Access Rules in ISA Server 2004
http://download.microsoft.com/downlo...7/ts_rules.doc
Microsoft Internet Security & Acceleration Server: Partners
http://www.microsoft.com/isaserver/partners/default.asp
Microsoft ISA Server Partners: Partner Hardware Solutions
http://www.microsoft.com/forefront/e...epartners.mspx
-----------------------------------------------------
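The two static NAT hops and the stateful handling of random client source ports that Phillip describes, as an added example in Python that is not part of the original thread. The firewall model, addresses and ports are constructed assumptions, not a real product's behaviour.

```python
# Added example (not from the original post): a minimal model of the two-hop
# static NAT path, showing why only the initial connection port is published
# and why random client source ports need no rules. Addresses are constructed.
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int

class NatBox:
    """One firewall: a single static (reverse) NAT rule plus a stateful session table."""
    def __init__(self, public_ip, published_port, target_ip, target_port):
        self.public_ip, self.published_port = public_ip, published_port
        self.target = (target_ip, target_port)
        self.sessions = {}  # (client_ip, client_port) -> translated destination

    def inbound(self, pkt):
        """Translate an inbound packet; anything not aimed at the published port is dropped."""
        if (pkt.dst, pkt.dport) != (self.public_ip, self.published_port):
            return None
        # Record the session so the reply matches whatever source port the client picked.
        self.sessions[(pkt.src, pkt.sport)] = self.target
        return Packet(pkt.src, pkt.sport, *self.target)

    def outbound(self, pkt):
        """Untranslate a reply; a packet with no matching session entry is dropped."""
        if self.sessions.get((pkt.dst, pkt.dport)) != (pkt.src, pkt.sport):
            return None
        return Packet(self.public_ip, self.published_port, pkt.dst, pkt.dport)

# Outer firewall publishes 203.0.113.10:1433 and hands traffic to the inner firewall's
# DMZ-side address; the inner firewall hands it to the internal resource (sample values).
OUTER = NatBox("203.0.113.10", 1433, "192.0.2.1", 1433)
INNER = NatBox("192.0.2.1", 1433, "10.0.0.5", 1433)

def to_inside(pkt):
    """Client -> outer FW -> inner FW -> resource; returns what the resource sees, or None."""
    hop = OUTER.inbound(pkt)
    return INNER.inbound(hop) if hop else None

def to_outside(pkt):
    """Resource -> inner FW -> outer FW -> client; returns what the client sees, or None."""
    hop = INNER.outbound(pkt)
    return OUTER.outbound(hop) if hop else None
```

A packet to any port other than the published one is dropped at the outer hop, and a reply (or any inside-to-outside packet) with no session entry is dropped at the inner hop, which is the state tracking the post relies on.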