Solved

Accessing file share of DMZ Server from LAN

Posted on 2008-10-15
8
1,642 Views
Last Modified: 2013-12-02
Hello All - We currently have all of our publicly facing servers on our internal LAN (eek!), but we're moving them to a DMZ in the next few weeks. One of the last roadblocks we're facing is that these servers will need to have their file shares accessible from the LAN. Example: One of the servers is an FTP server; when a file gets dumped, our internal SQL Server will run a job that takes the file, processes it, and then deletes it. Currently, everything works fine, as both servers are on the LAN, both domain members, etc., so all the authentication works great.

How can we do this when the FTP server is in the DMZ and no longer part of the domain? I guess the 2 questions I need answered are: A) what ports will be required for this communication and B) What sort of authentication should we use? We don't want to allow DC functionality into the DMZ, so that's out of the question.

Any insight is appreciated! Thanks.
0
Question by:jamsan92011
8 Comments
 
LVL 5

Expert Comment

by:mren08
ID: 22726413
Well automatically I think if you're already running FTP on that box, why not just connect using FTP?

Otherwise, you could multihome this box, disable File and Print Sharing on the Internet interface, enable it on the Private LAN and just connect using SMB. You'll need to authenticate as a local user.
0
 
LVL 6

Expert Comment

by:thebradnetwork
ID: 22726606
I am not exactly sure why you would want to have a file server and a SQL server on a DMZ. I would use port forwarding for those servers. First off, if you DMZ a server then you have basically bypassed any protection that you may have in place, such as a firewall. With a SQL and file server, if they are running a public address on the outside of a network you are basically running without any protection. With port forwarding you can forward a public IP to a private address and only allow a specified port to be available. So with the FTP server (port 21) you can forward that port to your FTP server on the inside of the network, and then you have protection and it's also accessible from the outside. I would keep it simple, because the more complex you make it the harder it is going to be to manage. If your only reason for putting these servers on a DMZ is to make them available outside the network, I would seriously consider port forwarding.
0
 

Author Comment

by:jamsan92011
ID: 22727007
Only the FTP server is in the DMZ; the SQL Server is on the private LAN. The goal is to allow file share access to the FTP server (sitting in the DMZ, not a member of the domain) from the SQL Server. We run jobs on the SQL box that pick up files from the FTP server, process them, and then delete them when done.

FTPing to that box is a last resort, as we have users that also map drives to the FTP drive share, and we prefer to keep it simple for them.
0

 
LVL 6

Accepted Solution

by:
thebradnetwork earned 88 total points
ID: 22727183
I think I understand what you are saying. Why can't you move the FTP server onto the same private network as the SQL server and then forward port 21 to the FTP server on the inside of the network? The ISP can give you a public IP specifically for your FTP server. Some ISPs that I have worked with give you 5 or so free static public addresses. You can usually call the ISP and find out what those addresses are, and if they manage your router you can tell them to forward public address 68.119.50.101 to internal address 10.10.0.1 and open port 21. That should do it. That will allow people to access the FTP on the outside of your network as well as on the inside... and it also gives your FTP server firewall protection. I am having a hard time picturing in my head what you are trying to do... can you draw up some type of topography of how your existing network is currently set up?
0
 

Author Comment

by:jamsan92011
ID: 22727203
We prefer to keep any publicly accessible hosts in the DMZ. If those hosts were to get compromised, the firewall would deny most of the access the attacker would have if he were on the internal LAN.

Something like this would explain the topology: http://www.cisco.com/en/US/i/100001-200000/190001-200000/191001-192000/191634.jpg
0
 
LVL 5

Assisted Solution

by:mren08
mren08 earned 87 total points
ID: 22727237
Using just port forwarding is generally a fairly secure method, but there's no reason why you can't use port forwarding for your FTP server in the DMZ.
The problem here is authentication for trusted users.

If you already have a DMZ, this sort of scenario is typical of what you use a DMZ for, and it's a solution that will give you greater security. If you don't want to extend your domain authentication into the DMZ, I can understand, but the cost here will be ease of accessibility for those users that have to use the server. Drive mapping won't be a problem; however, users will need to authenticate using local user accounts on the FTP server, each and every time. Due to the nature of FTP authentication I can't stress enough that you should have a very strong password policy implemented on this server.

If you don't plan to take the multi-homed route you can certainly secure the FTP server to a fairly good level. This article details some things you may want to look at: http://www.windowsecurity.com/articles/secure_ftp_server.html

0
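The following is an added example and not code posted in this thread: a pickup job of the kind the question describes, written the way mren08's suggestion implies (SMB from the internal SQL Server to the DMZ host, authenticating with a local account on that host rather than a domain account). SMB over TCP uses port 445, so the firewall rule it relies on is a single one-directional allow from the SQL Server's address to the DMZ host on TCP 445, with nothing permitted from the DMZ back into the LAN. The host name FTP-DMZ, the share name Inbound, the local account svc_pickup, the paths and the credential file are all assumptions made for the example; it needs PowerShell 3.0 or later.

```powershell
# Added example (not from the thread). Runs on the internal SQL Server, e.g. as a
# SQL Agent PowerShell/CmdExec job step, under a dedicated service account.
# Assumed (hypothetical) names: DMZ host FTP-DMZ, share "Inbound", local account
# FTP-DMZ\svc_pickup that exists only on the DMZ host and has rights to that share.
param(
    [string]$DmzHost   = 'FTP-DMZ',
    [string]$Share     = 'Inbound',
    [string]$LocalDrop = 'D:\Incoming',
    [string]$User      = 'svc_pickup',
    [string]$CredFile  = 'D:\Jobs\svc_pickup.cred'
)

$ErrorActionPreference = 'Stop'
$uncPath = "\\$DmzHost\$Share"

# The local account's password lives in a DPAPI-protected file rather than in the
# job definition. It must be created once, on this machine, by the same service
# account that runs the job:
#   Read-Host -AsSecureString | ConvertFrom-SecureString | Set-Content $CredFile
$secure = Get-Content -Path $CredFile | ConvertTo-SecureString
$cred   = New-Object System.Management.Automation.PSCredential("$DmzHost\$User", $secure)

# Map the share for this session only (no -Persist), using the local account.
New-PSDrive -Name Dmz -PSProvider FileSystem -Root $uncPath -Credential $cred | Out-Null
try {
    foreach ($f in Get-ChildItem -Path 'Dmz:\' -File) {
        $dest = Join-Path -Path $LocalDrop -ChildPath $f.Name
        Copy-Item -Path $f.FullName -Destination $dest

        # Delete the original only after confirming the copy is complete, so a
        # half-copied file is retried on the next run instead of being lost.
        if ((Get-Item -Path $dest).Length -eq $f.Length) {
            Remove-Item -Path $f.FullName
        }
        else {
            Write-Warning "Size mismatch for $($f.Name); left on $uncPath for retry."
        }
    }
}
finally {
    # Tear the session down even if a copy failed, so no mapped drive lingers.
    Remove-PSDrive -Name Dmz
}
```

The design choice worth noting is that the trust relationship is confined to one local account, one share and one inbound port: the DMZ host never needs to resolve or reach anything on the LAN, and a compromise of the FTP server gains the attacker only the credentials of the users who log on to it, not a domain token. A strong password on svc_pickup (the point mren08 makes above for every local account on that box) and an NTFS ACL that limits the account to the Inbound folder keep the blast radius at that size.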
