Re: DMZ design

comp.security.firewalls archive

From: Ansgar -59cobalt- Wiechers <usenet-2005@planetcobalt.net>
Date: Tue Nov 29 2005 - 20:30:57 CET

DigitalVinyl wrote:
> Ansgar -59cobalt- Wiechers <usenet-2005@planetcobalt.net> wrote:
>> You don't want *any* host in the DMZ to be able to establish
>> connections into your private network, since that would break the
>> DMZ. Put the backend servers into the DMZ (or a separate second DMZ).
>> Replicate (push!) the relevant data from your backend servers to
>> servers in the DMZ. But *never* *ever* allow connections from the DMZ
>> to the internal network.
>
> In reality this is next to impossible in any real world scenario.

Wrong.

> What this would mean is near 100% of your servers would be DMZ'd.

Yeah. So?

> If you put SMTP servers in the DMZ they MUST reach in and deliver mail
> to exchange/notes.

No. It can easily be *pulled* from the SMTP server and fed to Exchange.
Outbound mail is sent through a smarthost. BTDT. Don't know about Notes,
though.

> DMZ these and you open more problems than you solve because RPC uses
> 10s of thousands of high ports as service ports.

There's no need to DMZ them.

cu
59cobalt

-- 
"Another option [for defragmentation] is to back up your important files,
erase the hard disk, then reinstall Mac OS X and your backed up files."
--http://docs.info.apple.com/article.html?artnum=25668
Received on Sat Dec 3 04:18:47 2005
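The filtering policy the post describes, written out as an added example (it is not code from the thread or from anyone's actual firewall): a zone table in which the Internet may reach the DMZ relay on 25, the internal mail system pushes outbound mail to the smarthost and pulls inbound mail from it, and no line at all allows the DMZ to open a connection inward. The interface names, the POP3/IMAP pull ports and the resolver rule are assumptions; `check_flow` evaluates a new connection against the table and `emit_iptables` renders it as iptables commands.

```shell
#!/bin/sh
# Added example, not configuration from the thread. The zone-to-interface
# mapping, the POP3/IMAP pull ports and the DNS rule are assumptions.
#
# Interfaces (assumed): eth0 = internet, eth1 = dmz, eth2 = internal
zone_if() {
    case "$1" in
        internet) echo eth0 ;;
        dmz)      echo eth1 ;;
        internal) echo eth2 ;;
        *) echo "unknown zone: $1" >&2; return 1 ;;
    esac
}

# Policy table: src_zone dst_zone proto dport action. First match wins;
# anything unmatched falls through to the FORWARD chain's DROP policy.
# Note what is absent: no line lets the DMZ open a connection inward.
RULES='
# inbound mail lands on the relay in the DMZ
internet dmz      tcp 25  accept
# Exchange hands outbound mail to the smarthost in the DMZ
internal dmz      tcp 25  accept
# the internal mail system pulls queued inbound mail (POP3/IMAP assumed)
internal dmz      tcp 110 accept
internal dmz      tcp 143 accept
# the smarthost delivers to the world and resolves MX records
dmz      internet tcp 25  accept
dmz      internet udp 53  accept
# explicit, so it shows up in the rule listing: nothing from the DMZ inward
dmz      internal any any drop
'

# Evaluate one new connection against the table: 0 = accept, 1 = drop.
check_flow() {
    src=$1; dst=$2; proto=$3; port=$4
    while read r_src r_dst r_proto r_port r_action junk; do
        case "$r_src" in ''|'#'*) continue ;; esac
        [ "$r_src" = "$src" ] && [ "$r_dst" = "$dst" ] || continue
        [ "$r_proto" = any ] || [ "$r_proto" = "$proto" ] || continue
        [ "$r_port" = any ] || [ "$r_port" = "$port" ] || continue
        [ "$r_action" = accept ] && return 0
        return 1
    done <<EOF
$RULES
EOF
    return 1   # default deny
}

# Render the table as iptables commands. Connection tracking lets replies
# to internally initiated connections (the "pull") come back from the DMZ
# without any DMZ-to-internal rule for NEW connections.
emit_iptables() {
    echo "iptables -P FORWARD DROP"
    echo "iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
    while read r_src r_dst r_proto r_port r_action junk; do
        case "$r_src" in ''|'#'*) continue ;; esac
        match="-i $(zone_if "$r_src") -o $(zone_if "$r_dst")"
        [ "$r_proto" = any ] || match="$match -p $r_proto"
        [ "$r_port" = any ] || match="$match --dport $r_port"
        case "$r_action" in accept) target=ACCEPT ;; *) target=DROP ;; esac
        echo "iptables -A FORWARD $match -m conntrack --ctstate NEW -j $target"
    done <<EOF
$RULES
EOF
}

# Print the ruleset; pipe the output into sh as root to apply it.
emit_iptables
```

Because the only DMZ-to-internal packets the FORWARD chain ever accepts are ESTABLISHED/RELATED replies, the Exchange-side fetch works while a compromised relay still cannot reach any internal host on its own initiative; adding a single "dmz internal tcp 25 accept" line to the table is exactly what turns the DMZ back into a plain segment of the internal network.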