rbunn
asked on
Web/mail server setup
Hello,
I am running a Windows 2000 domain with about 60 PCs.
The domain controller is running our SQL server, and there is a second domain controller running as a file server.
We want to add a mail server and a web server to our network.
Right now we have a Symantec Gateway 5420 firewall.
Do I need to put the web and mail servers on a service network or DMZ?
Or can I use redirected services through the firewall to hide my web server and mail server in the domain?
Not sure if this is very secure...
Any thoughts?
Thanks,
-Rob
ASKER CERTIFIED SOLUTION
This solution is only available to members.
Agree. This is exactly what DMZ's were designed for.
ASKER
OK, I have set up the DMZ and the web server seems to work ok, but I cannot connect to the SQL server that is on the domain.
The SQL server uses domain authentication and will not let me add a non-domain user.
If I put the web server back on the domain so I can access the SQL server, what will be my biggest security risk?
What can I do to make it secure even though it is on the domain?
-rob
Your servers can be members of the (Windows) domain even if they're not on the LAN. But it means you'd need to open DMZ->LAN ports on the firewall to allow the member servers to validate usernames against the global catalogs.
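An added example, not part of the thread: a small audit of DMZ->LAN firewall rules that flags any rule reaching beyond the domain controllers or beyond the ports a member server needs. The addresses, the rule format and the port baseline (well-known DNS, Kerberos, LDAP, SMB, RPC endpoint mapper, global catalog and default SQL Server ports; RPC dynamic ports left out) are assumptions constructed for illustration.

```python
from ipaddress import ip_network

# Assumed baseline of (protocol, port) pairs a DMZ member server may use
# toward a domain controller. Not taken from the thread.
ALLOWED = {
    ("tcp", 53), ("udp", 53),    # DNS
    ("tcp", 88), ("udp", 88),    # Kerberos
    ("tcp", 135),                # RPC endpoint mapper
    ("tcp", 389), ("udp", 389),  # LDAP
    ("tcp", 445),                # SMB
    ("tcp", 3268),               # global catalog
    ("tcp", 1433),               # SQL Server default (SQL runs on the DC here)
}

def audit(rules, dmz, lan, dcs):
    """Return (rule index, reason) for each over-broad DMZ->LAN rule."""
    dmz, lan = ip_network(dmz), ip_network(lan)
    dcs = {ip_network(d) for d in dcs}  # each DC becomes a /32 network
    findings = []
    for i, r in enumerate(rules):
        src, dst = ip_network(r["src"]), ip_network(r["dst"])
        if not (src.overlaps(dmz) and dst.overlaps(lan)):
            continue  # only DMZ->LAN rules are in scope
        if dst not in dcs:
            findings.append((i, "destination is wider than a domain controller"))
        elif (r["proto"], r["port"]) not in ALLOWED:
            findings.append((i, "port is outside the member-server baseline"))
    return findings

# Constructed sample network and rule set (port None means "any port").
DMZ, LAN = "192.168.50.0/24", "10.0.0.0/24"
DCS = ["10.0.0.10", "10.0.0.11"]
SAMPLE_RULES = [
    {"src": "192.168.50.20/32", "dst": "10.0.0.10/32", "proto": "tcp", "port": 88},
    {"src": "192.168.50.20/32", "dst": "10.0.0.10/32", "proto": "tcp", "port": 1433},
    {"src": "192.168.50.20/32", "dst": "10.0.0.0/24", "proto": "tcp", "port": 445},
    {"src": "192.168.50.20/32", "dst": "10.0.0.11/32", "proto": "tcp", "port": None},
    {"src": "10.0.0.0/24", "dst": "192.168.50.20/32", "proto": "tcp", "port": 80},
]

if __name__ == "__main__":
    for index, reason in audit(SAMPLE_RULES, DMZ, LAN, DCS):
        print(f"rule {index}: {reason}")
```
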
ASKER
Is this a big or minor security risk?