Subnet

Status
Not open for further replies.

aparikh80

Technical User
Apr 20, 2006
37
US
Hello,
I am confused on subnetting.
I am running a forest with 4 child domains.
My question is this: I have an IIS box on my DMZ. I guess I don't know enough about this. My IIS box has two NIC cards; the primary is an external IP from my DMZ. Can I turn the second one on to work with my LAN, to use AD credentials, or no? I really am confused. Please help.
 
Highly recommended to NOT configure your 2nd NIC for your LAN. You would then bypass the entire purpose of the DMZ. You can still use AD credentials, you'll just have to open some specific ports but I'm not sure which. I'd recommend you work with your firewall group/vendor to open the appropriate ports and ensure the integrity of your LAN and DMZ.
 
My friend, turning on the second NIC will make you lose your job! lol. Why don't you NAT it?
 
That makes sense. That is what I told my boss.
What do you mean by NATting it? I am a little confused, sorry. The reason I am wondering is that I want to eventually open SharePoint on my DMZ so all my users can get to it even remotely, but the problem is that it needs AD passthru.
Thank you
 
These are some of the ports that you will need to pass between your DMZ and LAN
88 - kerberos
445 - SMB
53 - DNS
137-139 - NetBIOS

These are good as well - ICMP
echo-reply
unreachable
source-quench
time-exceeded
echo

You may not need NetBIOS and/or SMB depending on the situation. Be sure to restrict where these can go and not open your entire LAN.



Brent
Systems Engineer / Consultant
CCNP
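
As an added example (not part of the original thread), the following sketch audits DMZ-to-LAN permit rules against the port list above and the advice to restrict where they can go. The addresses, the rule format, and the assumption that the only permitted destinations are domain controllers are all constructed for illustration.

```python
import ipaddress

# Ports listed in the post above for DMZ -> LAN authentication traffic.
ALLOWED_PORTS = {53, 88, 137, 138, 139, 445}

# Constructed addressing, assumed for illustration only.
LAN = ipaddress.ip_network("10.0.0.0/16")
IIS_HOST = ipaddress.ip_address("192.168.50.10")
DOMAIN_CONTROLLERS = {ipaddress.ip_address("10.0.1.5"),
                      ipaddress.ip_address("10.0.1.6")}

# Constructed permit rules in a hypothetical, vendor-neutral format.
SAMPLE_RULES = [
    {"name": "kerberos-dc1", "src": "192.168.50.10/32", "dst": "10.0.1.5/32", "ports": (88, 88)},
    {"name": "smb-any-lan", "src": "192.168.50.10/32", "dst": "10.0.0.0/16", "ports": (445, 445)},
    {"name": "netbios-wide", "src": "192.168.50.0/24", "dst": "10.0.1.6/32", "ports": (135, 139)},
    {"name": "dns-file-srv", "src": "192.168.50.10/32", "dst": "10.0.2.20/32", "ports": (53, 53)},
]

def audit_rule(rule):
    """Return findings for one permit rule; empty list means it is tight."""
    src = ipaddress.ip_network(rule["src"], strict=False)
    dst = ipaddress.ip_network(rule["dst"], strict=False)
    if not dst.overlaps(LAN):
        return []  # rule does not reach the LAN, out of scope here
    findings = []
    if src.num_addresses != 1 or src.network_address != IIS_HOST:
        findings.append("source is not limited to the IIS host")
    if dst.num_addresses != 1:
        findings.append("destination is a network, not a single host")
    elif dst.network_address not in DOMAIN_CONTROLLERS:
        findings.append("destination is not a domain controller")
    low, high = rule["ports"]
    extra = sorted(set(range(low, high + 1)) - ALLOWED_PORTS)
    if extra:
        findings.append(f"ports outside the listed set: {extra}")
    return findings

def audit(rules):
    """Map rule name -> findings, for rules that have any."""
    report = {r["name"]: audit_rule(r) for r in rules}
    return {name: f for name, f in report.items() if f}

if __name__ == "__main__":
    for name, findings in audit(SAMPLE_RULES).items():
        print(name, "->", "; ".join(findings))
```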
 