Cisco Support Community

New Member

Creating a DMZ zone with Servers from existing domain

If I create a DMZ zone, can I place servers from my current NT domain in it and still have logon capabilities and NETBIOS access to these servers? If so, does this require the use of access lists?

6 REPLIES
New Member

Re: Creating a DMZ zone with Servers from existing domain

By allowing NETBIOS between the two networks, you might as well place all the DMZ servers in your internal network. It is really not a good solution. The servers in the DMZ should NOT be a part of your internal NT domain. They should be as isolated as possible and only traffic absolutely required between both networks should be allowed. The stricter you can be, the better. Ideally, no traffic between both networks should occur (but this is not always doable).

New Member

Re: Creating a DMZ zone with Servers from existing domain

I need to be able to write data to the server on the dmz from my internal. Is it ok to build this dmz server as part of the same domain as the internal and only allow one way traffic to the dmz or just build the server on the dmz as a separate domain?

Re: Creating a DMZ zone with Servers from existing domain

I am putting all my DMZ servers in their own separate domain with trusts in place that allow only Internal to log onto the DMZ servers but not DMZ to log onto internal. This is in addition to any access lists. The DMZ is not visible in a browse list from internal but is still reachable via various methods. If you HAVE to make the DMZ servers part of the same domain make sure they are NOT domain controllers! By default High security (internal) should always be able to get to low security (DMZ).

New Member

Re: Creating a DMZ zone with Servers from existing domain

What trusts would I put in place if the dmz servers were to be part of a different domain? What do you mean by allowing internal servers to log onto the dmz servers? Do you mean just accessing them by means of a mapped drive?

New Member

Re: Creating a DMZ zone with Servers from existing domain

You shouldn't trust servers in the DMZ. That is the reason to place them there in the first place. If you need to access these servers, look at protocols like secure FTP or Secure shell.

New Member

Re: Creating a DMZ zone with Servers from existing domain

Hi,

If you place a BDC or PDC in the DMZ you will be able to log on from your inside network to the PDC or BDC in the DMZ. For this task you don't need to open any Netbios port.

I would not recommend that you open any port from your DMZ to your Inside.

Hope it helped :)
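
The following is an added example, not part of any post in this thread: a small audit that checks a rule list against the two points raised in the replies (no NetBIOS between the DMZ and the inside network, and no ports opened from the DMZ to the inside). The `Rule` tuple format, the zone names and the sample rules are constructed for illustration and are not Cisco syntax; each permit line is judged on its own, without modelling first-match ordering.

```python
from typing import NamedTuple

# NetBIOS name, datagram and session services, plus SMB directly over TCP
NETBIOS_PORTS = {("udp", 137), ("udp", 138), ("tcp", 139), ("tcp", 445)}

class Rule(NamedTuple):      # hypothetical, simplified rule format
    src: str                 # source zone: "inside", "dmz" or "outside"
    dst: str                 # destination zone
    proto: str               # "tcp", "udp" or "ip" (any protocol)
    port: int                # destination port, 0 = any port
    action: str              # "permit" or "deny"

def covers_netbios(rule):
    """True if the rule's protocol/port match includes a NetBIOS/SMB port."""
    return any(rule.proto in ("ip", proto) and rule.port in (0, port)
               for proto, port in NETBIOS_PORTS)

def audit(rules):
    """Return (rule_number, finding) pairs for permits that break the policy."""
    findings = []
    for number, rule in enumerate(rules, start=1):
        if rule.action != "permit":
            continue
        if rule.src == "dmz" and rule.dst == "inside":
            findings.append((number, "permit from DMZ to inside"))
        if {rule.src, rule.dst} == {"dmz", "inside"} and covers_netbios(rule):
            findings.append((number, "NetBIOS/SMB allowed across DMZ boundary"))
    return findings

# Constructed sample rule set
SAMPLE_RULES = [
    Rule("inside", "dmz", "tcp", 22, "permit"),     # SSH/SFTP push to the DMZ
    Rule("inside", "dmz", "tcp", 139, "permit"),    # mapped drive over NetBIOS
    Rule("dmz", "inside", "tcp", 1433, "permit"),   # DMZ host reaching inside
    Rule("dmz", "inside", "ip", 0, "permit"),       # wide-open return path
    Rule("dmz", "inside", "udp", 137, "deny"),      # explicit deny, not flagged
    Rule("outside", "dmz", "tcp", 80, "permit"),    # public web traffic
]

if __name__ == "__main__":
    for number, finding in audit(SAMPLE_RULES):
        print(f"rule {number}: {finding}")
```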
