I need some advice on setting up a DMZ on the ASA5510. We have an IIS server that communicates with an SQL database.
I have been told that the IIS server should be placed in the DMZ and that I can establish communication back to the SQL server on the internal network.
I have also heard that I can leave the IIS server on the internal network and simply publish it with an ISA server sitting on the DMZ. This way the ISA server can communicate with the IIS server (which is a member of the domain), and not worry about having to expose active directory.
Any thoughts on this? I want to set this up right the first time, and I am not really sure what is the best way to do this.
That depends on your design. Keep in mind that having another firewall in the design increases administrative overhead and increases troubleshooting time. Plus, a software firewall that is running on the most vulnerable operating system, like ISA, increases the chances of a Single Point of Failure when implemented inline. Yet it degrades the performance, since the ASA firewall itself performs cut-through proxy, while ISA performs proxy.
In my humble opinion, best practice would be keeping the IIS server in the DMZ.
Thanks for the reply. Would you suggest then that the IIS server is set up using its own Active Directory domain and that I create a one-way trust relationship between the two domains? I need to determine if outside users need to authenticate to the IIS server. If this is the case, I will need to perform some form of authentication.
"I need to determine if outside users need to authenticate to the IIS server."
This is up to you. If you want prior authentication of users before accessing the webserver, we can establish this with the ASA; you don't need to create a separate domain. You can install IAS in the inside domain and let the ASA work with IAS for user accounts and actions.
I usually set up webservers in the DMZ isolated, part of no domains or workgroups. But that totally depends on the web server's role. Is your webserver part of an ERP? Do you want it to be accessible publicly or only by certain users?
The IIS server is used to host our customers' websites, so it needs to be accessible publicly. The websites run a custom application that connects to an internal SQL server. I need to talk with the developers to find out how authentication to the SQL database takes place. I am not sure if they are using Windows authentication or just using a user code defined within SQL. If I can get by without having to worry about Active Directory and set this up as a standalone server, that would be my preference.
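An added example that is not from any poster in this thread: an ASA configuration fragment for the design recommended above (web server in the DMZ, SQL server on the inside), written in pre-8.3 syntax as typically found on an ASA 5510 running 8.2, with the interface names and the RFC 5737 addresses being placeholder assumptions (lines starting with `!` are comments). The DMZ access list permits only the web server's TCP/1433 connection to the SQL server and logs every other DMZ-to-inside attempt, so a standalone web server using a SQL login works, while domain authentication, which would need the domain controllers reachable from the DMZ, cannot be enabled by accident.

```cisco
! Placeholder addressing (RFC 5737 ranges): outside 203.0.113.0/24,
! DMZ 192.0.2.0/24, inside 10.0.0.0/24. Substitute your own.
interface Ethernet0/0
 nameif outside
 security-level 0
 ip address 203.0.113.2 255.255.255.0
!
interface Ethernet0/1
 nameif inside
 security-level 100
 ip address 10.0.0.1 255.255.255.0
!
interface Ethernet0/2
 nameif dmz
 security-level 50
 ip address 192.0.2.1 255.255.255.0
!
! Publish the DMZ web server on a public address (pre-8.3 static NAT).
static (dmz,outside) 203.0.113.10 192.0.2.10 netmask 255.255.255.255
!
! Internet -> DMZ: only HTTP/HTTPS to the published web server.
! Pre-8.3 ACLs on the outside interface reference the translated address.
access-list outside_in extended permit tcp any host 203.0.113.10 eq www
access-list outside_in extended permit tcp any host 203.0.113.10 eq https
access-group outside_in in interface outside
!
! DMZ -> inside: only the web server to the SQL server on TCP/1433.
! Nothing else from the DMZ reaches the inside (no AD, no SMB, no RDP),
! and every other attempt is logged so a compromised web server shows up.
access-list dmz_in remark Web server to SQL Server only
access-list dmz_in extended permit tcp host 192.0.2.10 host 10.0.0.20 eq 1433
access-list dmz_in remark Block and log everything else DMZ -> inside
access-list dmz_in extended deny ip 192.0.2.0 255.255.255.0 10.0.0.0 255.255.255.0 log
access-list dmz_in remark DNS and updates outbound to the Internet only
access-list dmz_in extended permit udp host 192.0.2.10 any eq domain
access-list dmz_in extended permit tcp host 192.0.2.10 any eq www
access-list dmz_in extended permit tcp host 192.0.2.10 any eq https
access-group dmz_in in interface dmz
```

The logged deny line is the one to watch in syslog: any hit on it from 192.0.2.10 means the web server is trying to reach something on the inside other than SQL.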