#1
1. I am a newbie (to this).
2. I am not well versed in Windows.
3. Be nice.

OK, that out of the way, this is, in a nutshell, what I am trying to do. I think it is possible, or at least it seems so.

We have an IP on a Windows 2K3 server in our DMZ. We need to allow a type of automated process to access an internal server via a specific port. The network/security folks do not want to just NAT on the firewall, they want to NAT on the perimeter, then "proxy" the connection to the internal server. So, since I happen to have a Windows server in the DMZ which already accesses said internal server, my straw was drawn.

So, like this...

External client > firewall > my windows box in DMZ > firewall > internal server

And in this hypothetical/make believe scenario, the W2K3 server would accept the connection and redirect to the internal server (is that proxy or relay?).

In my reading, I thought the Routing and Remote Access would be my silver bullet, but darned if I can figure how to do it... and almost all documentation is centered around using it for internet access.

Thanks in advance for any suggestions.

Mike Michael
#2
"Mike Michael" <(E-Mail Removed)> wrote in message news:E62F137F-AD67-48E8-A3C2-(E-Mail Removed)...

> We have an IP on a Windows 2K3 server in our DMZ. We need to allow a type
> of automated process to access an internal server via a specific port. The
> network/security folks do not want to just NAT on the firewall, they want
> to NAT on the perimeter, then "proxy" the connection to the internal server.
> So, since I happen to have a Windows server in the DMZ which already accesses
> said internal server, my straw was drawn.
> External client > firewall > my windows box in DMZ > firewall > internal server
> And in this hypothetical/make believe scenario, the W2K3 server would accept
> the connection and redirect to the internal server (is that proxy or relay?).

1. They cannot choose to "not" NAT at the firewall,... it isn't a choice, it is a requirement,... the firewall is "in the way", and the only way into the LAN is via it.

2. You can't proxy without a Proxy. You do not have a proxy. The only real "proxy-based" Firewall product on the market worth mentioning right now (that would fit this situation) is MS ISA Server. It is designed to *replace* one or both of those Firewalls, not sit in the middle of the DMZ.

3. This is a Back-to-Back DMZ built between two Firewalls,... an Inner Firewall and an Outer Firewall. These firewalls, particularly if they are Appliances, are just simply NAT Boxes. We can debate all day about what features they have or don't have,... but they are just NAT Boxes. So there is only one way to get inbound traffic from a user on the "outside" to a resource on the "inside".

Step 1. The Outer Firewall does a Static NAT (aka Reverse NAT) back to the Inner Firewall.

Step 2. The Inner Firewall does a Static NAT (aka Reverse NAT) back to the Resource on the "inside".

The Reverse NAT should only respond to traffic directed at the required Initial Connection Port of the Application/Service being used. This is almost always a single number. The random Client Source Ports do not have to be accounted for on modern Firewalls that monitor the state of the Session.

Adding anything in the center of the DMZ to pass the traffic through is totally pointless, it doesn't accomplish anything and only over complicates things and creates yet another way/place for the whole thing to fail.

--
Phillip Windell
www.wandtv.com
The views expressed, are my own and not those of my employer, or Microsoft, or anyone else associated with me, including my cats.
-----------------------------------------------------
Understanding the ISA 2004 Access Rule Processing
http://www.isaserver.org/articles/IS...cessRules.html

Troubleshooting Client Authentication on Access Rules in ISA Server 2004
http://download.microsoft.com/downlo...7/ts_rules.doc

Microsoft Internet Security & Acceleration Server: Partners
http://www.microsoft.com/isaserver/partners/default.asp

Microsoft ISA Server Partners: Partner Hardware Solutions
http://www.microsoft.com/forefront/e...epartners.mspx
-----------------------------------------------------
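To illustrate the two-stage static (reverse) NAT described in this reply, here is an added example written for this thread, not code from the original poster or any firewall vendor. It models the Outer and Inner Firewall as stateful NAT boxes that only accept the single initial-connection port; the IP addresses and port 1433 are constructed placeholders, and the Windows box in the middle is deliberately absent because it adds nothing to the path.

```python
from dataclasses import dataclass, field

@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int

@dataclass
class StatefulNatBox:
    """A plain appliance firewall: one static NAT rule plus a session table."""
    name: str
    outside_ip: str      # address the rule listens on
    forward_to: str      # where the static NAT sends accepted traffic
    allowed_port: int    # the single initial-connection port the rule answers
    sessions: dict = field(default_factory=dict)   # (client, sport) -> outside_ip

    def inbound(self, pkt):
        """Apply the reverse NAT; anything not aimed at the allowed port is dropped."""
        if pkt.dst != self.outside_ip or pkt.dport != self.allowed_port:
            return None
        # The client's random source port is recorded as session state,
        # so no rule for it is ever needed.
        self.sessions[(pkt.src, pkt.sport)] = pkt.dst
        return Packet(pkt.src, pkt.sport, self.forward_to, pkt.dport)

    def outbound(self, pkt):
        """Let a reply out only if it matches a session this box created."""
        orig_dst = self.sessions.get((pkt.dst, pkt.dport))
        if orig_dst is None or pkt.src != self.forward_to:
            return None
        return Packet(orig_dst, pkt.sport, pkt.dst, pkt.dport)

# Constructed addresses: public DMZ edge, inner firewall's DMZ leg, internal resource.
OUTER = StatefulNatBox("outer", "203.0.113.10", "192.0.2.20", 1433)
INNER = StatefulNatBox("inner", "192.0.2.20", "10.0.0.5", 1433)

def deliver(pkt):
    """Walk a client packet through both static NATs; return what the resource sees."""
    hop = OUTER.inbound(pkt)
    return INNER.inbound(hop) if hop else None

def reply(pkt):
    """Walk the resource's reply back out; unsolicited traffic never leaves."""
    hop = INNER.outbound(pkt)
    return OUTER.outbound(hop) if hop else None
```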
#3
Thank you Phillip. I completely understand the pointless nature of this, and that it is at best just a point of failure. As you have probably come into at times, I am merely just trying to do what is being requested by management. I was at a complete loss of this request, as you can tell by my post.

To even add more, we actually have static IP's that are connecting, so the firewall can be locked down to just them.

I am glad to see the only viable forced choice is the MS ISA, which we do not have, and costs money. This is usually the only way to win a battle.

Thanks again.
#4
"Mike Michael" <(E-Mail Removed)> wrote in message news:F89F1562-663E-41BA-8BF6-(E-Mail Removed)...

> Thank you Phillip. I completely understand the pointless nature of this,
> and that it is at best just a point of failure. As you have probably come into
> at times, I am merely just trying to do what is being requested by
> management. I was at a complete loss of this request, as you can tell by my post.

I understand. In these situations I usually argue with them (within reason), and I usually win. It sounds like the "Network/Security folks" don't understand networking or security,... or are just being lazy. This involves networking with firewalls, that makes it directly the jobs of the "Network/Security folks". It is their job to make it happen properly, dependably, and securely. If they won't do their job,.. you can't do yours. Bring that to management. You can even tell them I sent ya',... but I doubt that'd help :-)

> I am glad to see the only viable forced choice is the MS ISA, which we do
> not have, and costs money. This is usually the only way to win a battle.

All I said was that ISA was the only proxy worth mentioning in this context. I also said that ISA is designed to *replace* one or both of those Firewalls, not sit in the middle of the DMZ. It is not the solution for what you are asking about. You are asking about performing a bad design,... I'm saying you should straighten out the people who are trying to make you "do it wrong".

--
Phillip Windell
www.wandtv.com
The views expressed, are my own and not those of my employer, or Microsoft, or anyone else associated with me, including my cats.
-----------------------------------------------------