[fw-wiz] Is it possible at all ...?

Johann van Duyn johann.vanduyn@appleton.com
Tue, 26 Sep 2000 00:36:12 +0200


I don't see why you need to be able to browse the DMZ... machines on a DMZ
should be stand-alone servers, not NT domain members, and definitely not
domain controllers. You should set up comms between the DMZ and the inside
network in such a way that only the absolute, bare minimum of traffic is
allowed to pass between the two in order to enable your applications to
work. 

Browsing the DMZ, and (horror of horrors!) having an NT domain controller on
a DMZ, are NOT GOOD.

Yeah, I know... it makes managing the whole kaboodle a bit more of a
schlepp, but nobody (except the salesman) ever said that good security would
come easily.

:-)

-----Original Message-----
From: Chris [mailto:puetzc@yahoo.com]
Sent: 25 August 2000 23:21
To: firewall-wizards@nfr.net
Subject: [fw-wiz] Is it possible at all ...?


I have my firewall hooked up. So far things are going
not too bad. One problem I have is that I have all
machines in one Windows NT domain even if they are on
different IP networks. I'd like to set up the DMZ and the
Inside as follows, so that the domain controllers can
exchange information, browsing works, NT user
authentication and all the typical NT Domain stuff
work. The firewall is a Cisco Pix.

Is that possible at all? I opened ports
135,137,138,139 between the DMZ and the Inside but I
cannot get it to work.

Any help is appreciated!!

Chris


_______________________________________________
Firewall-wizards mailing list
Firewall-wizards@nfr.net
http://www.nfr.net/mailman/listinfo/firewall-wizards

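As an added illustration (not part of either message above) of the "bare minimum of traffic" policy Johann describes, here is what the two approaches look like side by side in PIX 6.x access-list syntax. The hostnames, addresses, port (a single database connection) and interface names are assumptions for the example; the four NetBIOS/RPC ports in the first block are the ones the original poster opened. Note that 137 and 138 are UDP and that NT browsing relies on broadcasts on those ports, which never cross a routed firewall interface in the first place, so opening them buys nothing.

```cisco
! Added example, not from the thread. Assumed PIX 6.x, interfaces "inside" and "dmz".
! Assumed hosts: DMZ web server 192.168.100.10, inside database 10.1.1.20.

! --- What the original poster did: NT domain traffic from the DMZ into the inside ---
! This exposes RPC endpoint mapping and NetBIOS session/name/datagram services
! of every inside host to every DMZ host.
access-list dmz_in permit tcp any any eq 135
access-list dmz_in permit udp any any eq 137
access-list dmz_in permit udp any any eq 138
access-list dmz_in permit tcp any any eq 139
access-group dmz_in in interface dmz

! --- Bare-minimum replacement: one DMZ host, one inside host, one application port ---
! A static is required so the DMZ (lower security) can reach the inside host at all.
static (inside,dmz) 10.1.1.20 10.1.1.20 netmask 255.255.255.255
access-list dmz_in permit tcp host 192.168.100.10 host 10.1.1.20 eq 1433
! Everything else initiated from the DMZ toward the inside is dropped.
access-list dmz_in deny ip any any
access-group dmz_in in interface dmz

! Management is initiated from the inside toward the DMZ, never the reverse.
! (Assumed: the DMZ box is administered over a single port, here 3389.)
access-list inside_out permit tcp 10.1.1.0 255.255.255.0 host 192.168.100.10 eq 3389
access-list inside_out deny ip any 192.168.100.0 255.255.255.0
access-list inside_out permit ip 10.1.1.0 255.255.255.0 any
access-group inside_out in interface inside
```

The DMZ host in the second block is a stand-alone server with local accounts, so no domain traffic is needed at all; if the application later needs a second port, add one more explicit `permit` line rather than reopening the NetBIOS range.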
