DMZ and Domains
    DMZ and Domains  
Tewhano
03-21-06 10:56 PM

I have a web server (2K3) sitting inside the DMZ which accesses data inside the domain via the firewall. All the data, including the web site, resides on the data server and is an in-house application. The executables run on the web server and fetch the data the customer requests. We have two NICs in the server; one is allowed only port 80 and 443 traffic for public access. The other is restricted to four ports for access to the data server only.

We want to cluster two web servers but found out that to do so means they must belong to a domain. We need the web site to reflect our domain, so this means we must add the web servers to the inside domain. This appears to me to circumvent the whole idea behind a DMZ. Is there a way to secure the web servers so that they can be on the domain and still be in the DMZ? If the web server is compromised we don't want them to have access inside.
    Re: DMZ and Domains  
Roger Abell [MVP]
03-25-06 04:59 PM

> must belong to a domain. We need the web site to reflect our domain so
> this
> means we must add the web servers to the inside domain.

I do not follow what the intended meaning of this "reflect" our domain is. If the one web server is able to accomplish everything needed now as a stand-alone, then what is the issue requiring this "reflect"?
Two servers can be a pair of DCs in a domain, and no one in the world other than the admin, and no machine in the world other than those two, has any need to know the private domain name, its DNS, etc. Yet those two machines may answer to the outside by whatever DNS records are registered in the world's DNS, and those two machines do not even need to know what external DNS names were used.

    RE: DMZ and Domains  
Tewhano
03-25-06 04:59 PM


I think I see what you are saying. So my domain is known outside by mydomain.com, and if I put these two web servers in the DMZ and join them to a domain called webdomain.com, I can still have people hit the site as securesite.mydomain.com?
    Re: DMZ and Domains  
Roger Abell [MVP]
03-25-06 04:59 PM

Yes.
The only machines that need to know of and use the DNS zone that supports the AD are the machines in the forest of the domain (or, optionally, if W2k3 forest-level Kerberos trusts are used with an external forest, those also). IOW, for a single-domain forest in the DMZ that has no external trusts, only those DMZ machines need to know the private DNS zone used by that AD.
Any interface on any machine could still expose TCP 80/443, and it would not matter what external DNS names map to the IPs on those interfaces. Those external names could be used in host-header IIS website differentiation if desired, but otherwise those external names would not need to be configured or used anywhere on the machines.

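The two designs in this thread, as an added example that is not part of the original posts: it models the firewall rules each design needs between internet, DMZ and inside, and reports what a compromised DMZ web server could still reach on the inside. The AD port numbers are the well-known ones a domain member needs to reach its DCs; the thread's "four ports" to the data server are unspecified, so placeholder ports are used.

```python
# Added example, not from the thread. Compares (A) joining the DMZ web servers
# to the inside domain with (B) giving them their own small forest in the DMZ.
from __future__ import annotations
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    src_zone: str   # "internet", "dmz" or "inside"
    dst_zone: str
    port: int
    service: str


PUBLIC = {80: "HTTP", 443: "HTTPS"}
# Ports a domain member must reach on its DCs (well-known values).
AD_MEMBER = {53: "DNS", 88: "Kerberos", 135: "RPC endpoint mapper",
             389: "LDAP", 445: "SMB"}
# Placeholders for the thread's unspecified "four ports" to the data server.
DATA = {5001: "data-app-1", 5002: "data-app-2",
        5003: "data-app-3", 5004: "data-app-4"}


def rules_for(design: str) -> frozenset[Rule]:
    """Firewall rules the design needs between the three zones."""
    rules = {Rule("internet", "dmz", p, s) for p, s in PUBLIC.items()}
    rules |= {Rule("dmz", "inside", p, s) for p, s in DATA.items()}
    if design == "join-inside":
        # DMZ members must talk to inside DCs, so AD traffic crosses the firewall.
        rules |= {Rule("dmz", "inside", p, s) for p, s in AD_MEMBER.items()}
    elif design == "dmz-forest":
        # AD traffic stays between the DMZ machines; nothing extra crosses.
        rules |= {Rule("dmz", "dmz", p, s) for p, s in AD_MEMBER.items()}
    else:
        raise ValueError(f"unknown design {design!r}")
    return frozenset(rules)


def inside_exposure(rules: frozenset[Rule]) -> dict[int, str]:
    """Inside services a host in the DMZ is allowed to reach."""
    return {r.port: r.service for r in rules
            if r.src_zone == "dmz" and r.dst_zone == "inside"}


def extra_exposure(design: str) -> set[str]:
    """Inside services exposed beyond the data ports every design must allow."""
    return set(inside_exposure(rules_for(design)).values()) - set(DATA.values())


if __name__ == "__main__":
    for design in ("join-inside", "dmz-forest"):
        print(design, "-> extra inside exposure:", sorted(extra_exposure(design)) or "none")
```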