#1 amfony (Sydney)

    Locally hosted external presence - best practices

    Hi Gang,

    I have some questions in general about the locally hosted external presence I have implemented and use.

    We host our school's external services locally on a fairly nice 5mb symmetrical link which provides us with about 4 usable public IPs. At present our external services all run off the one IP I have set as the red side of our external firewall, and of course our A, MX and CNAME records all point (or end up pointing) to that one IP address.

    So www.school.com, mail.school.com and fileaccess.school.com all resolve to the one IP, being the red interface of the front end firewall. After processing, this then passes on to the orange interface of the backend firewall (ISA 2k4), which, again after processing, passes to the green interface of the backend firewall, and any relevant server traffic gets forwarded to the server segment.

    An easier breakdown is here (from a previous core network question I had, but this describes the server segment in relation to the two firewalls, and the implementation of, but not use of, the DMZ).

    Is there a better way to configure the externally facing servers? As in, should I be utilising multiple public IPs as opposed to resolving everything to one? Am I doing something wrong here, or should I be looking to do something in a more effective way?

    Thanks a lot for the info and help guys!!

#2 SYNACK
    The benefits of using different IPs are limited except in certain circumstances. The main one is SSL usage: an SSL certificate can only be applied to a single IP interface, so if you have multiple sites that use different SSL certs you will need to use different IPs.

    Other considerations are really old browsers which do not send the subdomain information in their request; this can cause traffic to be misdirected to the primary site on the IP address. This is not a big concern though, as very few people still use a browser old enough to be tripped up by this.

    The next issue is CPU cycles on your firewall: using different IP addresses can simplify the job of the firewalls, allowing them to handle more clients in parallel. Again, this is probably not really a big concern for you in your setup.
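The reply above turns on a single fact: whichever certificate is served on an IP has to cover every hostname that resolves to that IP. The script below is an added example, not code from either poster. It groups hostnames by the IP they resolve to and reports the names the certificate on that IP would not cover, using one-label wildcard matching as browsers do. The resolutions and certificate subjectAltName lists are constructed sample data standing in for DNS lookups and the certificate each server presents; the hostnames and 203.0.113.x addresses are documentation placeholders. (With modern clients that send SNI, one IP can present a different certificate per hostname, which is why this matters less today than when the thread was written.)

```python
"""Report hostnames that share a public IP but are not covered by the
certificate served on that IP. All data below is constructed sample data."""
from collections import defaultdict

# Constructed sample: what each public hostname resolves to (stands in for DNS).
RESOLUTIONS = {
    "www.school.com": "203.0.113.10",
    "mail.school.com": "203.0.113.10",
    "fileaccess.school.com": "203.0.113.10",
    "portal.partner.org": "203.0.113.10",   # second domain on the same IP
    "vpn.school.com": "203.0.113.11",
}

# Constructed sample: subjectAltName entries of the certificate served on each IP.
CERT_NAMES = {
    "203.0.113.10": ["www.school.com", "*.school.com"],
    "203.0.113.11": ["vpn.school.com"],
}


def name_matches(pattern, hostname):
    """Certificate-name match: a leading '*.' covers exactly one DNS label,
    so '*.school.com' matches 'mail.school.com' but not 'a.b.school.com'
    or the bare 'school.com'. Comparison is case-insensitive."""
    pattern, hostname = pattern.lower(), hostname.lower()
    if not pattern.startswith("*."):
        return pattern == hostname
    suffix = pattern[1:]                      # ".school.com"
    if not hostname.endswith(suffix):
        return False
    label = hostname[: -len(suffix)]
    return bool(label) and "." not in label


def group_by_ip(resolutions):
    """Invert hostname -> IP into IP -> [hostnames]."""
    groups = defaultdict(list)
    for host, ip in resolutions.items():
        groups[ip].append(host)
    return dict(groups)


def uncovered_names(resolutions, cert_names):
    """For each IP, list the hostnames pointing at it that the certificate
    served on that IP does not cover. An IP with no certificate covers nothing."""
    report = {}
    for ip, hosts in group_by_ip(resolutions).items():
        names = cert_names.get(ip, [])
        report[ip] = [h for h in hosts if not any(name_matches(n, h) for n in names)]
    return report


if __name__ == "__main__":
    for ip, missing in uncovered_names(RESOLUTIONS, CERT_NAMES).items():
        status = "ok" if not missing else "NOT covered: " + ", ".join(missing)
        print(f"{ip}: {status}")
```

With the sample data, 203.0.113.10 is flagged for portal.partner.org: the wildcard covers the school.com names, but a second domain on the same IP needs either its own IP (the thread's answer) or a certificate whose subjectAltName lists both domains.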

#3 amfony (Sydney)
    Thanks SynAck, quality work and thanks for the lightning reply.

    I have a curiosity question though, if I may... If ISA (which represents in my mind application layer filtering) is a fairly well received and recommended protection barrier amongst differing circles, then doesn't that make the "DMZ" a bit redundant as an idea?

    I'm not saying you shouldn't avoid "egg shell" protection or have differing and multiple firewalls, but if you *can* have everything on the other side of a backend ISA firewall then where is the need for a DMZ?

    Maybe (very likely) I am just not aware of a scenario that defeats my thinking.

    Cheers again

#4 webman (North East England)
    The idea of the DMZ is that internet-facing servers are located on a separate network segment to your LAN servers. So if one internet server gets compromised, remote attackers cannot gain access to your LAN.
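To make the segmentation argument concrete, here is an added example (not code from any poster, and not the configuration of ISA or any real firewall product): a toy zone-based policy evaluator with the thread's red/orange/green layout. The zone ranges, addresses and rules are constructed sample data. The point it shows is that a web server sitting in the DMZ can be reached from the internet on its service ports but has no path to the LAN, whereas a server placed directly on the LAN segment talks to its neighbours without the firewall ever seeing the traffic.

```python
"""Toy stateless zone policy: first matching rule wins, default deny.
Zones, addresses and rules are constructed sample data for illustration."""
import ipaddress

# Constructed zone layout: internet-facing servers live in the DMZ (orange),
# internal servers and workstations on the LAN (green).
ZONES = {
    "dmz": ipaddress.ip_network("192.0.2.0/24"),
    "lan": ipaddress.ip_network("10.0.0.0/8"),
    "internet": ipaddress.ip_network("0.0.0.0/0"),   # catch-all, checked last
}

# Constructed rules: (source zone, destination zone, destination port or None, action).
# Note there is no rule at all from the DMZ towards the LAN.
RULES = [
    ("internet", "dmz", 443, "allow"),   # public web
    ("internet", "dmz", 25, "allow"),    # inbound mail
    ("lan", "dmz", None, "allow"),       # admins manage DMZ hosts
]


def zone_of(addr):
    """Map an address to its zone; specific zones win over the internet catch-all."""
    ip = ipaddress.ip_address(addr)
    for name in ("dmz", "lan", "internet"):
        if ip in ZONES[name]:
            return name
    raise ValueError(f"no zone for {addr}")


def evaluate(src, dst, port, rules=RULES):
    """Decide a flow. Traffic that never crosses a zone boundary is not
    filtered at all, which is exactly the exposure a DMZ removes."""
    src_zone, dst_zone = zone_of(src), zone_of(dst)
    if src_zone == dst_zone:
        return "not-filtered"
    for rule_src, rule_dst, rule_port, action in rules:
        if rule_src == src_zone and rule_dst == dst_zone and rule_port in (None, port):
            return action
    return "deny"


if __name__ == "__main__":
    # Constructed scenarios. 198.51.100.7 is an internet client, 192.0.2.10 the
    # DMZ web server, 10.0.0.5 a LAN file server, 10.0.0.20 an admin workstation.
    scenarios = [
        ("internet client reaches DMZ web server", "198.51.100.7", "192.0.2.10", 443),
        ("internet client reaches LAN file share", "198.51.100.7", "10.0.0.5", 445),
        ("compromised DMZ web server reaches LAN file share", "192.0.2.10", "10.0.0.5", 445),
        ("admin workstation manages DMZ host", "10.0.0.20", "192.0.2.10", 443),
        ("web server placed on the LAN reaches LAN file share", "10.0.0.30", "10.0.0.5", 445),
    ]
    for label, src, dst, port in scenarios:
        print(f"{label}: {evaluate(src, dst, port)}")
```

The last scenario is webman's point in reverse: if the internet-facing server had been put on the green segment instead of the DMZ, its traffic to the file server would be same-zone and the backend firewall, however good its application-layer filtering, would never get a chance to block it.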
