Thread: Locally hosted external presence - best practices
Hi Gang,
I have some questions in general about the locally hosted external presence I have implemented and use.
We host our school's external services locally on a fairly nice 5mb symmetrical link which provides us with about 4 usable public IPs. At present our external services all run off the one IP I have set as the red side of our external firewall, and of course our A, MX and CNAME records all point (or end up pointing) to that one IP address.
So www.school.com, mail.school.com and fileaccess.school.com all resolve to the one IP, being the red interface of the front end firewall. After processing, this then passes on to the orange interface of the backend firewall (ISA 2k4), which again after processing passes to the green interface of the backend firewall, and any relevant server traffic gets forwarded to the server segment.
An easier breakdown is here (from a previous core network question I had, but it describes the server segment in relation to the two firewalls, and the implementation of, but not the use of, the DMZ).
Is there a better way to configure the externally facing servers? As in, should I be utilising multiple public IPs as opposed to resolving everything to one? Am I doing something wrong here, or should I be looking to do something in a more effective way?
The benefits of using different IPs are limited except in certain circumstances. The main one is SSL usage: an SSL certificate can only be applied to a single IP interface, so if you have multiple sites that use different SSL certs you will need to use different IPs.
Other considerations are really old browsers which do not send the subdomain information in their request; this can cause traffic to be misdirected to the primary site on the IP address. This is not a big concern though, as very few people still use a browser old enough to be tripped up by this.
The next issue is CPU cycles on your firewall: using different IP addresses can simplify the job of the firewalls, allowing them to handle more clients in parallel. Again, this is probably not really a big concern for you in your setup.
Thanks SynAck, quality work and thanks for the lightning reply.
I have a curiosity question though, if I may. ISA (which represents, in my mind, application layer filtering) is a fairly well received and recommended protection barrier amongst differing circles. Then doesn't that make the "DMZ" a bit redundant as an idea?
I'm not saying you shouldn't avoid "egg shell" protection or have differing and multiple firewalls, but if you *can* have everything on the other side of a backend ISA firewall, then where is the need for a DMZ?
Maybe (very likely) I am just not aware of a scenario that defeats my thinking.
The idea of the DMZ is that internet-facing servers are located on a separate network segment to your LAN servers, so if one internet server gets compromised, remote attackers cannot gain access to your LAN.
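As an added illustration of that DMZ principle (not configuration from this thread, from ISA, or from the poster's front-end firewall), here is an nftables ruleset for a single Linux edge firewall using the thread's red/orange/green zones and its one-public-IP layout. The interface names, the RFC 5737 placeholder public address and the DMZ host addresses are assumptions.

```nftables
#!/usr/sbin/nft -f
# Added example, not the thread's ISA or front-end firewall configuration.
# Interface names, the public address (RFC 5737 range) and the DMZ host
# addresses are assumptions chosen to mirror the one-public-IP layout above.
define red       = "eth0"          # internet side, carries the single public IP
define orange    = "eth1"          # DMZ segment
define green     = "eth2"          # LAN / server segment
define public_ip = 198.51.100.10   # placeholder public IP
define www_host  = 172.16.1.10     # assumed DMZ web server (www.school.com)
define mail_host = 172.16.1.20     # assumed DMZ mail relay (mail.school.com)

flush ruleset
table inet edge {
    chain prerouting {
        type nat hook prerouting priority dstnat; policy accept;
        # Publish the services that all resolve to the one public IP.
        # A second HTTPS site on this same IP cannot be split by port here,
        # which is the SSL point made in the reply above.
        iifname $red ip daddr $public_ip tcp dport { 80, 443 } dnat ip to $www_host
        iifname $red ip daddr $public_ip tcp dport 25 dnat ip to $mail_host
    }
    chain forward {
        type filter hook forward priority filter; policy drop;
        ct state established,related accept
        ct state invalid drop

        # red -> orange: only the published ports, only to the DNATed hosts
        iifname $red oifname $orange ip daddr $www_host tcp dport { 80, 443 } accept
        iifname $red oifname $orange ip daddr $mail_host tcp dport 25 accept

        # green -> orange: LAN admins may manage the DMZ hosts
        iifname $green oifname $orange accept

        # orange -> green: the DMZ rule itself. A compromised web or mail
        # host can open nothing towards the LAN; counted so it shows in audits.
        iifname $orange oifname $green counter drop

        # orange -> red: only what a DMZ service genuinely needs outbound
        iifname $orange oifname $red ip saddr $mail_host tcp dport 25 accept
        iifname $orange oifname $red ip saddr $mail_host udp dport 53 accept

        # green -> red: LAN internet access, source-translated below
        iifname $green oifname $red accept
    }
    chain postrouting {
        type nat hook postrouting priority srcnat; policy accept;
        oifname $red snat ip to $public_ip
    }
}
```

Load it with `nft -f` on the edge box; the forward chain's drop policy together with the explicit orange-to-green drop is what delivers the protection described above, while green-to-orange stays open so the servers remain manageable from the LAN.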