Want to win a PS4? Go Premium and enter to win our High-Tech Treats giveaway. Enter to Win

x
?
Solved

Should the perimeter network contain ONLY dmz addresses?

Posted on 2011-02-17
3
Medium Priority
?
624 Views
Last Modified: 2012-05-11
Hello,

I'm configuring Forefront as a Back firewall. One adapter is plugged into DMZ other to Internal network. Now, as default Perimeter network contains all address, which are not specified under Internal. Should i remove all the addresses and leave only the DMZ ones or leave it as it is?

Thanks in advance.
0
Comment
Question by:Pifco1
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 2
3 Comments
 
LVL 51

Expert Comment

by:Keith Alabaster
ID: 34915244
No discussion here ISA must not have addresses in the local lay that are connected to it's external interface
0
 

Author Comment

by:Pifco1
ID: 34915259
Ok, let me explain clearly, Internal range 192.x.x.x, DMZ 20.x.x.x.
Now at the moment, (as default) perimeter network contains everything excluding 192.x.x.x range. Should it contain ONLY 20.x.x.x or it does not make a difference?
 
0
 
LVL 51

Accepted Solution

by:
Keith Alabaster earned 200 total points
ID: 34915384
then let me be equally clear.

In ISA's view, a perimeter is the name given to a third interface on the ISA host, it does not use the term DMZ even though that may be what you use the perimeter for.

With the exception of external, every interface on an ISA has its own LAT (local address Table) and MUST include all ip addresses for the subnets involved.

ANYthing that is connected to (or accessible by) the ISA's external-facing nic including anything between ISA's external nic and the internal nic of the external firewall PLUS anything on the Internet does not go into ANY lat.

If you have a third interface (default name is perimeter) then any ip addresses can be used on the connection but MUST go into that networks lat. This includes network ID and broadcast address.

For example on your internal network you have 192.168.1.0 - 192.168.10.255. This is the entry that would go into the internal lat - even if some of those subnets were only accessible through additional routers.

On you Perimeter nic you had devices in the range of 20.0.0.0 20.95.255.255 plus some devices in this small class A network of 10.0.0.0 - 10.0.0.255 with a class C mask then these entries would be added to the perimeter lat. If you add additional IP addresses into this perimeter then no issue as long as you add that subnet to the perimeter LAT.

Anything between the ISA's external nic and the outside world is classed as external and therefore does not need including in anythings lat.


0

Featured Post

Concerto Cloud for Software Providers & ISVs

Can Concerto Cloud Services help you focus on evolving your application offerings, while delivering the best cloud experience to your customers? From DevOps to revenue models and customer support, the answer is yes!

Learn how Concerto can help you.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

I have been asked to explain on many, many occasions the correct way to setup network cards and DNS settings on ISA Server 2004, 2006 and forefront Threat management gateway (FTMG) and have willing done so. I have also promised my self everytime tha…
Forefront is the brand name for Microsoft's major security product. Forefront covers a number of specific security areas and has 'swallowed' a number of applications under this umbrella including Antigen, ISA Server, the Integrated Access Gateway (t…
Visualize your data even better in Access queries. Given a date and a value, this lesson shows how to compare that value with the previous value, calculate the difference, and display a circle if the value is the same, an up triangle if it increased…
In response to a need for security and privacy, and to continue fostering an environment members can turn to for support, solutions, and education, Experts Exchange has created anonymous question capabilities. This new feature is available to our Pr…

636 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question