jamsan92011
asked on
Accessing file share of DMZ Server from LAN
Hello All - We currently have all of our publically facing servers on our internal LAN (eek!), but we're moving them to a DMZ in the next few weeks. One of the last road blocks we're facing, is that these servers will need to have their file shares accessible from the LAN. Example: One of the servers is an FTP server, when a file gets dumped, our internal SQL Server will run a job that takes the file, processes it, and then deletes it. Currently, everything works fine, as both servers are on the LAN, both domain members, etc. so all the authentication works great.
How can we do this when the FTP server is in the DMZ and no longer part of the domain? I guess the 2 questions I need answered are: A) what ports will be required for this communication and B) What sort of authentication should we use? We don't want to allow DC functionality into the DMZ, so that's out of the question.
Any insight is appreciated! Thanks.
How can we do this when the FTP server is in the DMZ and no longer part of the domain? I guess the 2 questions I need answered are: A) what ports will be required for this communication and B) What sort of authentication should we use? We don't want to allow DC functionality into the DMZ, so that's out of the question.
Any insight is appreciated! Thanks.
I am not exactly sure why you would want to have a file server and a SQL server on a DMZ. I would use port forwarding for those servers. First off if you DMZ a server then you have basically bypassed any protection that you may have in place such as a firewall. With a SQL and file server if they are running public address on the outside of a network you are basically running without any protection. With port forwarding you can forward a public IP to a private address and only allow a specified port to be available. So with the FTP server (port 21) you can forward that port to your FTP server on the inside of the network and then you have protection and also its accessible from the outside. I would keep it simple because the more complex you make it the harder it is going to be to manage it. If your only reason of putting these servers on a DMZ is to make it available outside the network I would seriously consider port forwarding.
ASKER
Only the FTP server is in the DMZ, the SQL Server is on the private LAN. The goal is to allow file share access to the FTP server (sitting in the DMZ, not a member of the domain), to the SQL Server. We run jobs on the SQL box that pick up files from the FTP server, processes them, and then deletes them after it is done.
FTPing to that box is a last restor, as we have users that also map drives to the FTP drive share, and we prefer to keep it simple for them.
FTPing to that box is a last restor, as we have users that also map drives to the FTP drive share, and we prefer to keep it simple for them.
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
ASKER
We prefer to keep an publicly accessible hosts in the DMZ. If those hosts were to get compromised, the firewall would deny most of the access the attacker would have if he were on the internal LAN.
Something like this would explain the topology: http://www.cisco.com/en/US/i/100001-200000/190001-200000/191001-192000/191634.jpg
Something like this would explain the topology: http://www.cisco.com/en/US/i/100001-200000/190001-200000/191001-192000/191634.jpg
SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
Otherwise, you could multihome this box, disable File and Print Sharing on the Internet interface, enable it on the Private LAN and just connect using SMB. You'll need to authenticate as a local user.