IIS, ISA, and an ASA5510 DMZ

sgoethals1
Level 1

I need some advice on setting up a DMZ on the ASA5510. We have an IIS server that communicates with an SQL database.

I have been told that the IIS server should be placed in the DMZ and that I can establish communication back to the SQL server on the internal network.

I have also heard that I can leave the IIS server on the internal network and simply publish it with an ISA server sitting on the DMZ. This way the ISA server can communicate with the IIS server (which is a member of the domain), and not worry about having to expose Active Directory.

Any thoughts on this? I want to set this up right the first time, and I am not really sure what is the best way to do this.


husycisco
Level 7

Hello Scott,

That depends on your design. Keep in mind that having another firewall in the design increases administrative overhead and increases troubleshooting time. Plus, a software firewall that is running on the most vulnerable operating system like ISA increases the chances of a Single Point of Failure, when implemented inline. Yet it degrades the performance since the ASA firewall itself performs cut-through proxy, while ISA performs proxy.

In my humble opinion, best practice would be keeping the IIS server in the DMZ.

Regards

Thanks for the reply. Would you suggest then that the IIS server is set up using its own Active Directory domain and that I create a one-way trust relationship between the two domains? I need to determine if outside users need to authenticate to the IIS server. If this is the case, I will need to perform some form of authentication.

Let me know what you think...Thanks again.

"I need to determine if outside users need to authenticate to IIS server. "

This is up to you. If you want a prior authentication to users before accessing the webserver, we can establish this with ASA, you don't need to create a separate domain. You can install IAS in the inside domain, and let ASA work with IAS for user accounts and actions.

I usually set up webservers in the DMZ isolated, part of no domains or workgroups. But that totally depends on the web server's role. Is your webserver part of an ERP? Do you want it to be accessible publicly or by some certain users?

The IIS server is used to host our customer's websites, so it needs to be accessible publicly. The websites run a custom application that connects to an internal SQL server. I need to talk with the developers to find out how authentication to the SQL database takes place. I am not sure if they are using Windows authentication or just using a usercode defined within SQL. If I can get by without having to worry about Active Directory and set this up as a standalone server, that would be my preference.

Thanks for responding...Scott

It's up to the software engineering team; they may use SQL authentication either with sa pass or any other SQL login.

Regards
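
Added example, not part of any post in this thread: a minimal ASA configuration sketch for the layout discussed above (IIS in the DMZ, SQL Server inside), contrasting a broad DMZ-to-inside rule with a least-privilege one. The addresses, interface number, security level and ACL name are constructed, and TCP 1433 assumes SQL Server listens on its default port; NAT and the outside-facing rules are omitted because their syntax depends on the ASA software version.

```cisco
! Constructed addressing (assumptions, not from the thread):
!   DMZ subnet     192.168.50.0/24   IIS server  192.168.50.10
!   Inside subnet  10.10.10.0/24     SQL server  10.10.10.20
!
interface Ethernet0/2
 nameif dmz
 security-level 50
 ip address 192.168.50.1 255.255.255.0
 no shutdown
!
! Too broad (shown commented out for contrast): a compromised web server
! could reach every inside host on every port, including domain controllers.
! access-list dmz_in extended permit ip 192.168.50.0 255.255.255.0 10.10.10.0 255.255.255.0
!
! Least privilege: only the IIS host, only to the SQL host, only TCP 1433.
access-list dmz_in extended permit tcp host 192.168.50.10 host 10.10.10.20 eq 1433
!
! Explicit deny with logging so any other DMZ-to-inside attempt is visible
! in syslog instead of being dropped silently by the implicit deny.
access-list dmz_in extended deny ip any 10.10.10.0 255.255.255.0 log
!
! Apply to traffic entering the firewall from the DMZ.
access-group dmz_in in interface dmz
```

With SQL authentication and a standalone IIS server, this single permit is the only DMZ-to-inside flow needed; the application's SQL login should be a dedicated low-privilege account rather than sa.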
