Solved

DMZ? with LAN? CiscoPIX515E

Posted on 2007-03-27
Last Modified: 2010-04-17
Hi Guys,

Ok, here is the deal.... I am working with a new company and when I got here: "disaster!" First of all, when you click on Network Neighborhood and you get to your domain, it gives the message "The network path is invalid!!!!!!", so right away something is wrong.

The setup here is a Cisco PIX515E with a DMZ; let me lay it out.

-Active Directory is running in mixed-mode.
-There are 2 domain controllers
-1 domain controller named "accpac" (Windows 2000 Server) is in the "inside" network, 192.9.200.3
-The other domain controller, named "XMAIL" (Windows Server 2003), is in the DMZ running Exchange, 192.168.123.200
-A web server running Windows 98 is in the DMZ, 192.168.123.20
-All workstations are in the "inside" lan not yet joined to the domain

I joined my workstation to the domain and that worked; however, I am still unable to browse the network. DNS does not replicate ("not even sure if it's configured right").

The network here is a complete mess and I don't want to start playing with it as the company cannot afford downtime, so I am just gluing it with spit for now. Please don't laugh at me as I am not the one who did this... I just need to figure a way out. PLS HELP!!!!


Question by:itcasgrain

11 Comments
 
LVL 104

Expert Comment

by:Sembee
ID: 18804158
What are a domain controller and Exchange doing in the DMZ?
I would schedule a short period of downtime to move it inside, give it a new IP address and then reconfigure the PIX. Some of the domain problems probably come from the fact that the domain controller and the clients are separated by the firewall.

A web server in the DMZ running Windows 98?
If that machine hasn't been hacked already it will not be long. I wouldn't bring that inside the firewall. I would be looking to lift the data off and then put that machine in the nearest skip.

Simon.
 
LVL 9

Accepted Solution

by:
robjeeves earned 500 total points
ID: 18804250
Ut oh :)

Doesn't sound good, mate. Exchange in the DMZ is a big no-no. The problem with the DC in the DMZ is that it's a big security risk, not to mention that unless they opened up all the ports to allow replication to take place, it won't work properly when trying to talk to the internal 2000 DC. I think you need to get in there on the weekend and fix it up. Schedule some downtime and do the following:

Ensure all servers are patched
Ensure Exchange is patched
Run full AV scan on the 2003 box
Move the 2003/Exchange box into the internal network and port-forward 25 from the external network to the new internal IP you give to the 2003/Exchange box. If they are running OWA you'll need to forward 443 as well (they are using SSL, aren't they? :)

See this for changing the IP: http://technet2.microsoft.com/WindowsServer/en/library/80e432f2-10b6-4768-8a3e-54e357e8fc441033.mspx?mfr=true

Once you have moved this box inside, you need to run the netdiag and dcdiag tools to identify the issues you have, not to mention take a look in the event logs on the server to identify the issues you have.

http://technet2.microsoft.com/WindowsServer/en/library/f7396ad6-0baa-4e66-8d18-17f83c5e4e6c1033.mspx?mfr=true

http://technet2.microsoft.com/WindowsServer/en/library/cf4926db-87ea-4f7a-9806-0b54e1c00a771033.mspx?mfr=true

Good luck

 
LVL 9

Expert Comment

by:robjeeves
ID: 18804254
Not again, Simon :) I need to buy a new keyboard; mine is just too slow.
 
LVL 104

Expert Comment

by:Sembee
ID: 18804263
I got me a nice new Microsoft Natural Keyboard 4000, back up to my old 50 wpm speed. ;-)

Simon.
 

Author Comment

by:itcasgrain
ID: 18807933
Thank you very much!!! You confirmed to me what I have been telling my superiors has to be done.... and now, by reading this, it will be a done deal! Last week my superiors had scheduled a security expert to come in, take a look at our topology and suggest a solution, which also included removing the PIX and adding a new device.

We are planning the hardware changes first, then the software deployment. Also, the network includes a Sun server running Solaris and proprietary software.... The file server "for now" is on the Sun machine running NFS, which we access using Hummingbird connectivity software.

I will post the suggestions from the consultant here and see if you geniuses agree...

Thanks again for all your help...You guys are the best!

Anthony
 
LVL 104

Expert Comment

by:Sembee
ID: 18809212
The "security consultant" will probably suggest the DMZ is left alone - they always do. Yet when challenged on why it is better for security, they go oddly quiet. The biggest killer is to tell them that putting a domain member in the DMZ requires port 135 to be open. If they think that is a good or even acceptable idea, I would show them the door.

Simon.
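Sembee's point that a domain member in the DMZ needs port 135 (and, in practice, the rest of the AD port set) open from the DMZ to the inside can be checked against the PIX configuration itself. The script below is an added example, not code from the thread or from Cisco: it parses PIX-style access-list lines (a simplified grammar covering any / host / net mask and eq PORT, which is an assumption) and reports, with first-match semantics, which AD ports a given DMZ host can reach on the inside DC. The sample ACL is constructed from the thread's addresses.

```python
import ipaddress
# TCP ports a domain member or DC in the DMZ needs toward an inside DC; 135 is the RPC endpoint mapper.
AD_PORTS = {53: "DNS", 88: "Kerberos", 135: "RPC endpoint mapper", 389: "LDAP",
            445: "SMB", 464: "Kerberos kpasswd", 636: "LDAPS", 3268: "Global Catalog"}
PORT_NAMES = {"domain": 53, "smtp": 25, "https": 443, "www": 80, "ldap": 389}  # PIX service names

def _addr(tok, i):
    """Consume one PIX address spec (any | host A | A MASK) at tok[i]; return (network, next index)."""
    if tok[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tok[i] == "host":
        return ipaddress.ip_network(tok[i + 1] + "/32"), i + 2
    return ipaddress.ip_network(f"{tok[i]}/{tok[i + 1]}", strict=False), i + 2

def parse_acl(line):
    """Parse 'access-list NAME permit|deny PROTO SRC DST [eq PORT]'; None if not an ACL line."""
    tok = line.split()
    if len(tok) < 6 or tok[0] != "access-list":
        return None
    src, i = _addr(tok, 4)
    dst, i = _addr(tok, i)
    port = None
    if i + 1 < len(tok) and tok[i] == "eq":
        port = PORT_NAMES[tok[i + 1]] if tok[i + 1] in PORT_NAMES else int(tok[i + 1])
    return {"name": tok[1], "action": tok[2], "proto": tok[3], "src": src, "dst": dst, "port": port}

def exposed_ad_ports(config, acl_name, dmz_host, dc_ip):
    """Return {port: service} the DMZ host can reach on the DC, honouring first-match order."""
    rules = [r for r in map(parse_acl, config.splitlines()) if r and r["name"] == acl_name]
    src_ip, dst_ip = ipaddress.ip_address(dmz_host), ipaddress.ip_address(dc_ip)
    exposed = {}
    for port, service in AD_PORTS.items():
        for r in rules:
            if r["proto"] not in ("tcp", "ip") or r["port"] not in (None, port):
                continue
            if src_ip in r["src"] and dst_ip in r["dst"]:
                if r["action"] == "permit":
                    exposed[port] = service
                break  # first matching rule decides, as on the PIX; UDP counterparts are not checked
    return exposed

# Constructed sample ACL using the thread's addresses (XMAIL .200, web server .20, accpac .3).
SAMPLE_CONFIG = """\
access-list dmz_in deny tcp host 192.168.123.20 host 192.9.200.3 eq 445
access-list dmz_in permit tcp host 192.168.123.200 host 192.9.200.3 eq 135
access-list dmz_in permit tcp host 192.168.123.200 host 192.9.200.3 eq 445
access-list dmz_in permit tcp 192.168.123.0 255.255.255.0 host 192.9.200.3 eq domain
access-list dmz_in permit tcp any any eq smtp
access-list outside_in permit tcp any host 203.0.113.4 eq https
"""
```

Running `exposed_ad_ports(SAMPLE_CONFIG, "dmz_in", "192.168.123.200", "192.9.200.3")` on the sample shows the DC reachable on RPC, SMB and DNS from the DMZ DC, which is exactly the hole the thread is arguing about.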
 

Author Comment

by:itcasgrain
ID: 18809305
Thanks Sembee, my feelings exactly.... This is the topology that we want: we are going to have a T1 with a cable modem running together as shared bandwidth, also for redundancy, so should one go down the other still works.

They connect to a router which will supply DHCP to my clients, firewall/NAT and VPN connectivity. Have only one segment with port 80 forwarded to the web server, port 25 to the Exchange box and that's it! Nothing else. There will be only one domain controller, with DNS installed on the AD machine. We don't need Remote Desktop or OWA. Also I'll be moving the data from the Sun machine to a Windows Server 2003 server, so the NFS connectivity will be killed.

Anthony
 
LVL 104

Expert Comment

by:Sembee
ID: 18809334
The router shouldn't be doing DHCP. A Windows 2003 AD DC should be doing DHCP so that the correct information can be handed out and DNS populated correctly.

Simon.
 

Author Comment

by:itcasgrain
ID: 18809373
Perfect... but taking out all this DMZ stuff and just having one segment with the 2 ports, 80 and 25, pointing to the one machine... The AD controller also has Exchange and DNS and will serve DHCP; a member server will house ACCPAC, and the 2nd member server is running BES and WSUS.

Are there any security risks that I should be worried about in this topology?

Anthony
 
LVL 104

Expert Comment

by:Sembee
ID: 18809849
Port 80 is a risk I don't accept. I do not have that port open on any of my networks - https 443 ONLY, with a purchased SSL certificate.

Simon.
 
LVL 9

Expert Comment

by:robjeeves
ID: 18812293
G'day mate

Here is a good starting point for hardening IIS. Well worth a read to allow you to sleep easier:
http://www.microsoft.com/technet/security/prodtech/IIS.mspx

And although Exchange is pretty good out of the box, this link has plenty of tips on hardening your deployment:
http://technet.microsoft.com/en-us/library/300d578b-c7ec-4ff0-978b-da0d6bb89ab1.aspx

Rob