> -----Original Message-----
> From: Clément Charest [mailto:[EMAIL PROTECTED]]
> Sent: Friday, May 11, 2001 4:11 AM
> To: '[EMAIL PROTECTED]'
> Subject: Connecting MS-Proxy (with DNS) behind a linux Firewall
>
>
> HI All,
>
> We have a linux Firewall in front of an Exchange Server (Win2k
> Server) (which is also the WebFTP server - with IIS) which works fine!
Oh dear.
> We have a DNS Server which also acts as a Proxy server
> (MS-Proxy v2.0 on WindowsNT 4.0) with address forwarding
> (for Web and FTP) to our Exchange/Web/FTP server.
I don't know what you mean by this "address forwarding" on the proxy / DNS
server.
[...]
> We can access our web site by typing the normal IP address
> but not when
> typing the URL.
This almost always points to a DNS issue.
> Our internal network uses 192.168.x.x, subnet 255.255.0.0.
> Our (more or less) "DMZ" uses 192.168.3.x, subnet
> 255.255.255.0.[...]
> Should we use a different address for our DMZ,
Yes.
> such as 192.1.0.x, with
> subnet 255.255.255.0 (instead of 192.168.3.x)?
No.
Try another RFC 1918 address (e.g. 10.1.1.0/24). BBN might get upset if you
use 192.1.x.x.
> Does it matter?
I think so.
> Will it make a difference?
Possibly not, but it's much neater. There is a potential issue when Internal
clients try and get to DMZ hosts by IP address - they will ARP for them
locally. Whether they get a reply (via proxy-arp) from one of the Windows
boxes is another question. In any case, it's ugly.
> Do we have to modify our internal DNS[...]
I think you'll have problems with using one DNS server for internal and
external DNS. There is no way that I know of to do split-brain DNS (i.e. give
different replies about the same zone to different people) on a single NT
box.
Try getting your ISP to host your external DNS, or put djbdns on your Linux
box as your external DNS server.
> Is there a problem to put a DNS behind a firewall with NAT,
> port and address
> forwarding or is it impossible?
It's possible.
> Thankx
> Clement
> -------------------------------------------------------
> Clement Charest
> -------------------------------------------------------
[ASCII art snipped]
Good luck. Personally I think you're doomed (running IIS on Win2K and
Exchange as your DMZ services).
Cheers,
--
Ben Nagy
Network Security Specialist
Marconi Services Australia Pty Ltd
Mb: +61 414 411 520 PGP Key ID: 0x1A86E304
-
[To unsubscribe, send mail to [EMAIL PROTECTED] with
"unsubscribe firewalls" in the body of the message.]
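The addressing point in Ben's reply, as an added example that is not part of the thread: a small Python check using the addresses from the question (internal LAN 192.168.0.0/16 and the three DMZ candidates discussed) that shows why a 192.168.3.0/24 DMZ makes internal hosts ARP locally instead of routing, why 192.1.0.0/24 is not private space, and why 10.1.1.0/24 is clean. Function names and the candidate list are my own construction.

```python
import ipaddress

# Constructed from the thread: internal LAN mask 255.255.0.0, and the
# three DMZ prefixes discussed (current, proposed, and Ben's suggestion).
INTERNAL_NET = ipaddress.ip_network("192.168.0.0/16")
DMZ_CANDIDATES = ["192.168.3.0/24", "192.1.0.0/24", "10.1.1.0/24"]

# The three RFC 1918 private blocks.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_rfc1918(net):
    """True when the whole prefix lies inside one RFC 1918 block."""
    return any(net.subnet_of(block) for block in RFC1918)


def on_link_for(client_net, target):
    """Would a host on client_net treat target as directly attached?

    A host only sends to its default gateway when the destination falls
    outside its own prefix; anything inside the prefix is resolved with
    ARP on the local segment, which is the failure mode Ben describes.
    """
    return ipaddress.ip_address(target) in client_net


def assess_dmz(dmz_cidr, internal_net=INTERNAL_NET):
    """Classify a DMZ prefix relative to the internal LAN prefix."""
    dmz = ipaddress.ip_network(dmz_cidr)
    if not is_rfc1918(dmz):
        return "public"      # registered to someone else (BBN, in the thread)
    if dmz.overlaps(internal_net):
        return "overlaps"    # internal hosts ARP for DMZ addresses locally
    return "ok"              # private and routed, not on-link for the LAN


if __name__ == "__main__":
    for cidr in DMZ_CANDIDATES:
        first_host = next(ipaddress.ip_network(cidr).hosts())
        print(f"{cidr:16} {assess_dmz(cidr):9} "
              f"on-link from LAN: {on_link_for(INTERNAL_NET, first_host)}")
```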