Gentlemen, as I sit on the change advisory board, it's been very enlightening 
reading these posts. The DMZ in question is a perimeter DMZ, and all servers 
within the DMZ are accessible from the outside for remote management when 
consultants and staff are off site. However, I did hear some chatter regarding 
opening it up to GoGrid, not sure why.
Most of the options discussed, including not extending the domain into the DMZ, 
were shot down and brought sharp criticism from the Admin and manager.
 
I will keep you posted as to the outcome.

--- On Fri, 1/7/11, Ziots, Edward <[email protected]> wrote:


From: Ziots, Edward <[email protected]>
Subject: RE: AD and firewall ports
To: "NT System Admin Issues" <[email protected]>
Date: Friday, January 7, 2011, 4:26 PM

Yeah, it depends on how you want to design your network and how security 
conscious (or paranoid) you want to be.  
 
DMZ can be inside, you are just separating areas of trust, or lack thereof in 
the below example. 
 
Z
 

Edward E. Ziots
CISSP, Network +, Security +
Network Engineer
Lifespan Organization
Email:[email protected]
Cell:401-639-3505
 


From: Webster [mailto:[email protected]] 
Sent: Friday, January 07, 2011 4:21 PM
To: NT System Admin Issues
Subject: RE: AD and firewall ports
 
I did some work for a member of the Global Fortune 15 where their network was:
 
Internet -> FW -> perimeter servers -> FW -> DCs -> FW -> member servers -> FW 
-> PCs
 
I couldn't ping DC1, sitting right above DC2 in the same rack, by NetBIOS name 
or FQDN because DNS was in the perimeter network.  And they wonder why they had 
name resolution issues!
 
 
Webster
 



From: Free, Bob [mailto:[email protected]] 
Subject: RE: AD and firewall ports
 
Agreed, the old M&M paradigm is long gone. The other thing I find intriguing 
about this thread is that the proximity of the OP's DMZ to the internet is 
unknown, let alone its intended purpose. The classic definition of a DMZ only 
standing between an internal network and the internet is no longer valid. I 
have DCs in DMZs on the main network; heck, I have one environment where all the 
DCs in the forest are in DMZs, there are firewalls all over the place, and the 
internet isn't even part of the equation. 
~ Finally, powerful endpoint security that ISN'T a resource hog! ~
~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/>  ~

---
To manage subscriptions click here: 
http://lyris.sunbelt-software.com/read/my_forums/
or send an email to [email protected]
with the body: unsubscribe ntsysadmin