> What we have is a mail server in the DMZ using AD on that. We have 300
> agents but all come in through the Internet. We have only a few on the
> internal network. So we use NT Auth from the web for everything. We have
> a lot of agent websites and things and it all works great and WE PASSED
> a security audit by NASA (we do all travel for them) which I was not too
> sure how it would go down with the AD in the DMZ. As far as putting AD
> inside of the firewall I have been thinking about doing the same thing.

The more you can put deeper inside, the better (aka motherhood).

> This is what I am currently thinking of.
> 1. Mail relay in DMZ

Easy for the SMTP traffic, a little less so for the mailbox access via POP. Unless your agents use only web mail, then an HTTP proxy in the DMZ to IMail inside.

> 2. Conduit to Mail Server on inside which is on same net as DC so it
> should be able to auth (catch: does AD have to be on same system as IMail
> ...still trying to work that out)

Again, just SMTP traffic, easy.

> 3. Web server in DMZ with conduit from server internal IP to SQL on
> internal network. Maybe two NICs?

One NIC should do it. Only one chokepoint from DMZ to inside.

> Even though we passed the sec audit I DO NOT like my users' stuff in the
> DMZ but I inherited the thing so now I got to make it work until I can
> change it. Keep in touch, let me know how it goes.

If it ain't broke.... but hardening is a never-ending story...

Len
www.menandmice.com/DNS-training : DNS Training
BIND8NT.MEIway.com : ISC BIND for NT4 & W2K
IMGate.MEIway.com : Build free, hi-perf, anti-abuse mail gateways
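The "only one chokepoint from DMZ to inside" advice above is easy to state and easy to erode as rules accumulate. The following is an added example, not code from the thread or from Ipswitch: a small audit script that takes a firewall rule list and reports every DMZ-to-inside flow that is not one of the three narrow conduits the exchange settles on (mail relay to the inside SMTP port, web-mail HTTP proxy to IMail, DMZ web server to the SQL server). The network ranges, host addresses and the candidate rule list are constructed for illustration; the service ports are the standard ones, and since the thread says "SQL" without naming the product, TCP 1433 (MS SQL) is an assumption.

```python
"""
Added example: audit DMZ -> inside firewall conduits against a short
approved list. Addresses, hosts and rules below are constructed; the
SQL port (1433) is an assumption, the rest are standard service ports.
"""
from dataclasses import dataclass
from ipaddress import ip_network
from typing import List, Optional

# Constructed addressing (assumed, not from the thread).
DMZ = ip_network("192.0.2.0/24")
INSIDE = ip_network("10.0.0.0/24")


@dataclass(frozen=True)
class Rule:
    src: str              # single host or CIDR
    dst: str              # single host or CIDR
    proto: str            # "tcp" or "udp"
    dport: Optional[int]  # None means "any port"


# The conduits the thread ends up with. Anything else crossing from the
# DMZ to the inside network is reported as a finding.
ALLOWED_CONDUITS = {
    Rule("192.0.2.10", "10.0.0.25", "tcp", 25),    # mail relay -> IMail SMTP
    Rule("192.0.2.11", "10.0.0.25", "tcp", 80),    # web-mail proxy -> IMail web
    Rule("192.0.2.20", "10.0.0.50", "tcp", 1433),  # web server -> SQL (assumed port)
}


def _net(addr: str):
    # Accept both "10.0.0.25" and "10.0.0.0/24"; a bare host becomes a /32.
    return ip_network(addr, strict=False)


def crosses_dmz_to_inside(rule: Rule) -> bool:
    """True if any source address is in the DMZ and any destination is inside."""
    return _net(rule.src).overlaps(DMZ) and _net(rule.dst).overlaps(INSIDE)


def audit(rules: List[Rule]) -> List[str]:
    """Return one finding per DMZ -> inside rule that is not an approved conduit."""
    findings = []
    for r in rules:
        if not crosses_dmz_to_inside(r) or r in ALLOWED_CONDUITS:
            continue
        if r.dport is None:
            findings.append(
                f"{r.src} -> {r.dst}: any port; DMZ host gets full access to inside")
        elif _net(r.src).num_addresses > 1 or _net(r.dst).num_addresses > 1:
            findings.append(
                f"{r.src} -> {r.dst}/{r.proto}/{r.dport}: network-wide conduit, pin to single hosts")
        else:
            findings.append(
                f"{r.src} -> {r.dst}/{r.proto}/{r.dport}: conduit not in the approved list")
    return findings


# Constructed candidate rule set: the three approved conduits plus the kinds
# of drift that typically creep in over time.
CANDIDATE_RULES = [
    Rule("192.0.2.10", "10.0.0.25", "tcp", 25),
    Rule("192.0.2.11", "10.0.0.25", "tcp", 80),
    Rule("192.0.2.20", "10.0.0.50", "tcp", 1433),
    Rule("192.0.2.20", "10.0.0.0/24", "tcp", 1433),  # whole LAN instead of one host
    Rule("192.0.2.10", "10.0.0.25", "tcp", None),    # any port from the relay
    Rule("192.0.2.11", "10.0.0.5", "tcp", 389),      # extra service not on the list
    Rule("0.0.0.0/0", "192.0.2.10", "tcp", 25),      # Internet -> relay: not DMZ -> inside
]

if __name__ == "__main__":
    for finding in audit(CANDIDATE_RULES):
        print("FINDING:", finding)
```

Run it against the constructed list and it reports three findings: the LAN-wide SQL conduit, the any-port rule from the relay, and the unlisted LDAP flow; the Internet-to-relay rule is out of scope for this check and is ignored. In practice the rule list would be read from the firewall's export rather than embedded, but the approved-conduit set is the part worth keeping in version control, because it is the written form of the "one chokepoint" design.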
