Solved

Should the perimeter network contain ONLY dmz addresses?

Posted on 2011-02-17
3
588 Views
Last Modified: 2012-05-11
Hello,

I'm configuring Forefront as a Back firewall. One adapter is plugged into DMZ other to Internal network. Now, as default Perimeter network contains all address, which are not specified under Internal. Should i remove all the addresses and leave only the DMZ ones or leave it as it is?

Thanks in advance.
0
Comment
Question by:Pifco1
  • 2
3 Comments
 
LVL 51

Expert Comment

by:Keith Alabaster
ID: 34915244
No discussion here ISA must not have addresses in the local lay that are connected to it's external interface
0
 

Author Comment

by:Pifco1
ID: 34915259
Ok, let me explain clearly, Internal range 192.x.x.x, DMZ 20.x.x.x.
Now at the moment, (as default) perimeter network contains everything excluding 192.x.x.x range. Should it contain ONLY 20.x.x.x or it does not make a difference?
 
0
 
LVL 51

Accepted Solution

by:
Keith Alabaster earned 50 total points
ID: 34915384
then let me be equally clear.

In ISA's view, a perimeter is the name given to a third interface on the ISA host, it does not use the term DMZ even though that may be what you use the perimeter for.

With the exception of external, every interface on an ISA has its own LAT (local address Table) and MUST include all ip addresses for the subnets involved.

ANYthing that is connected to (or accessible by) the ISA's external-facing nic including anything between ISA's external nic and the internal nic of the external firewall PLUS anything on the Internet does not go into ANY lat.

If you have a third interface (default name is perimeter) then any ip addresses can be used on the connection but MUST go into that networks lat. This includes network ID and broadcast address.

For example on your internal network you have 192.168.1.0 - 192.168.10.255. This is the entry that would go into the internal lat - even if some of those subnets were only accessible through additional routers.

On you Perimeter nic you had devices in the range of 20.0.0.0 20.95.255.255 plus some devices in this small class A network of 10.0.0.0 - 10.0.0.255 with a class C mask then these entries would be added to the perimeter lat. If you add additional IP addresses into this perimeter then no issue as long as you add that subnet to the perimeter LAT.

Anything between the ISA's external nic and the outside world is classed as external and therefore does not need including in anythings lat.


0

Featured Post

Is Your Active Directory as Secure as You Think?

More than 75% of all records are compromised because of the loss or theft of a privileged credential. Experts have been exploring Active Directory infrastructure to identify key threats and establish best practices for keeping data safe. Attend this month’s webinar to learn more.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Title # Comments Views Activity
ISA Server 2006 Replacement 33 3,020
Unable to browse a specific website 11 1,622
How to Setup & Deploy Proxy Settings on an iOS Device 4 785
Trying to publish Exchange 2010 OWA on TMG 2 73
Microsoft's ISA Server has been its pre-eminent security product for about a decade and is still regarded amongst the well-informed as one of the best software firewalls and application gateways ever released, by any manufacturer. ISA Server has bee…
There are several problems reported according slow link speeds or poor performance in TMG 2010, UAG 2010 or ISA 2006. I want to collect here some of the common issues together to give a brief overview what can be the reason. Nevertheless, not all of…
This Micro Tutorial will give you a basic overview how to record your screen with Microsoft Expression Encoder. This program is still free and open for the public to download. This will be demonstrated using Microsoft Expression Encoder 4.
Learn how to create flexible layouts using relative units in CSS.  New relative units added in CSS3 include vw(viewports width), vh(viewports height), vmin(minimum of viewports height and width), and vmax (maximum of viewports height and width).

895 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

13 Experts available now in Live!

Get 1:1 Help Now