[ previous ] [ next ] [ threads ]
 From:  Chris Buechler <cbuechler at gmail dot com>
 Cc:  m0n0wall at lists dot m0n0 dot ch
 Subject:  Re: [m0n0wall] Having a domain member running in a DMZ
 Date:  Sun, 26 Jun 2005 21:33:08 -0400
On 6/26/05, Jonathan De Graeve <jonathan dot de dot graeve at imelda dot be> wrote:
> it's called: reverse proxy.

I agree completely.  You have to open up so much stuff for AD to work,
and open it to what are likely your most sensitive systems, your
domain controllers, it just isn't worth it.  If you're giving the host
that kind of access, you might as well leave it in the LAN.

The way I'd set it up, given that you're running IIS and ASP.NET, is
with a MS ISA 2004 box in the DMZ segment doing reverse proxying for
the LAN web server.  It does application layer protection for IIS
better than anything else.  Probably not a popular opinion on this
list, but that's what I'd do.  ;)

For an even better situation, put an ISA box in the DMZ, and the web
server off another interface.  Let the web server get to what it has
to, and nothing more (including not being able to initiate connections
to the Internet, throw in a rule that you leave disabled most of the
time to access Windows update).  That's better than leaving it on the

To answer the original question, you're probably having problems
because, from the sounds of it, you're trying to NAT between the DMZ
and the LAN.  You don't want to do that, just put in the appropriate
firewall rules and let it route between the subnets.  Then check your
firewall rules to make sure you're not dropping anything it needs.