August 30, 2004

Getting SBS to work standalone in a DMZ with a single NIC

So earlier this evening I came across an interesting little "issue" with Small Business Server 2003. The wizards that configure the firewall and other major security settings fail to work correctly if you have a single NIC. Further to this, if you are not careful you bind both the internal AND external interfaces to the outside world. (Thank God this box is in a DMZ with some heavy iron on the outside to keep the script kiddies from playing while I work this out.)

Realizing it needs two Ethernet cards to "do its thing", I came up with the idea of using a virtual network adapter, similar to how VMware works. After searching Google for some time... I was hit with a ton of bricks when I thought to myself... "why not just fake it with a loopback device?"

So I did.

Well, I tried anyway. Although I could add the loopback device, I just couldn't seem to change the binding order, which was preventing me from setting the loopback device as the INTERNAL NIC and the real NIC as the EXTERNAL one.

Solution?

Remove the real network device. Add the loopback device and give it a private class C address (192.168.*). Add the real NIC back, so the loopback adapter now sits ahead of it in the binding order. Configure the real NIC as per the info from your ISP. Voilà. Small Business Server and ISA are none the wiser, and you can now use the direct broadband wizards correctly! I just finished tweaking the firewall and doing a vulnerability scan, nmap scan and pentest. It's locked down tight.
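The same reinstall sequence as a cmd.exe script, added here as an example and not part of the original post. It assumes devcon.exe from the Windows DDK is on the PATH, that the real NIC's hardware ID was looked up beforehand with "devcon find =net", and that the connection names and addresses in the variables are placeholders you replace with your own (the 192.168.50.0/24 range and the ISP values are constructed).

```batch
@echo off
rem Added example, not the original post's own steps. Run from an elevated
rem cmd prompt on SBS 2003 / Windows Server 2003 at the console, not over RDP:
rem the real NIC goes away for a moment.

rem --- placeholders (assumptions, replace before running) ---
set "REAL_NIC_HWID=PCI\VEN_XXXX&DEV_XXXX"
set "LOOP_CONN=Local Area Connection 2"
set "EXT_CONN=Local Area Connection"
set "LOOP_IP=192.168.50.1"
set "LOOP_MASK=255.255.255.0"
set "ISP_IP=203.0.113.10"
set "ISP_MASK=255.255.255.248"
set "ISP_GW=203.0.113.9"

rem 1. Show what is bound now, then remove the real NIC so the loopback
rem    adapter can be installed ahead of it in the binding order.
devcon find =net
devcon remove "%REAL_NIC_HWID%"

rem 2. Install the Microsoft Loopback Adapter (netloop.inf ships with Windows).
devcon install %windir%\inf\netloop.inf *msloop

rem 3. Give the loopback adapter the private class C address; no gateway,
rem    it is the INTERNAL side as far as SBS and ISA are concerned.
netsh interface set interface name="%LOOP_CONN%" newname="Internal"
netsh interface ip set address name="Internal" source=static addr=%LOOP_IP% mask=%LOOP_MASK%

rem 4. Re-detect the real NIC (PnP adds it back behind the loopback adapter)
rem    and configure it with the ISP-supplied values as the EXTERNAL side.
devcon rescan
netsh interface set interface name="%EXT_CONN%" newname="External"
netsh interface ip set address name="External" source=static addr=%ISP_IP% mask=%ISP_MASK% gateway=%ISP_GW% gwmetric=1

rem 5. Verify: addresses per interface, and the TCP/IP binding order
rem    (one \Device\{GUID} per line, first entry is bound first; map the
rem    GUID to a connection name under Control\Network\{4D36E972-...}).
netsh interface ip show config
reg query HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Linkage /v Bind
```

Run the SBS "Connect to the Internet" wizard only after step 5 shows the Internal GUID listed before the External one; otherwise the wizard will still pair the wrong adapter with the outside world.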

Next step, when I have some spare time: configure ISA to force authentication before allowing access to any URL (including OWA) via HTTPS in a browser. I'll keep you posted on how I figure out how to make that work.

Posted by SilverStr at August 30, 2004 02:29 AM
Comments

Hello Dana,

I have a question that may not be in your area of expertise. However, I may be wrong. I recently viewed an MSDN webcast presentation where the presenter briefly mentioned that SSL was only secure when data was sent from the client to the server. This quickly caught my attention as I did not have this understanding of SSL. Just to be sure I explicitly asked the presenter (via chat) to confirm what I thought I heard. He quickly stated that data was secure from the client to the server, and not from the server to the client.

Is this true? I have not been able to find any conclusive documentation using my Google searches. There is plenty of documentation, but nothing I could find that clearly states that SSL encrypts data both to and from the server, or only in one direction.

If you can shed some light on this and possibly point me to some evidence, I would greatly appreciate it.

Mark Wagner
mark@crsw.com
http://blogs.crsw.com/mark

Posted by: Mark Wagner at August 30, 2004 08:16 AM

Mark,

It is a good and fair question. So much so, I think it deserves its own post. Let me go do that right now :)

Posted by: SilverStr at August 30, 2004 08:39 AM

Just make sure you tell someone of your setup when you describe this, as this is "not" a normal SBS box... as I said from the get-go, you are not the normal SBS client ;-)

Posted by: Susan at August 30, 2004 03:12 PM

Not being normal is a good thing :)

It was once said that the difference between a normal man and a warrior is that a warrior sees everything as a challenge, and a normal man sees it as either a blessing or a curse.

To be challenged, and to overcome, is always rewarding.

So ya, I'm not a normal SBS user. And proud of it. :)

Posted by: SilverStr at August 30, 2004 03:46 PM