Abstract

This chapter covers the principles of trihomed demilitarized zone (DMZ) configuration. A DMZ segment can use either public or private addresses. A “back-to-back DMZ” can be built from ISA Server computers, and a back-to-back DMZ can likewise use public or private network addresses. A private-address DMZ segment is not a direct extension of the Internet, because a network address translator or proxy must sit between the private-address DMZ hosts and the Internet. This makes the private-address DMZ segment more secure: packets cannot be routed directly to or from the Internet and must instead traverse the Network Address Translation (NAT) device or proxy. NAT never applies to packets moving between the external network and a trihomed DMZ segment, because a trihomed DMZ segment must always use public addresses. In addition, these packets are not subject to the access policies that control inbound and outbound access through publishing and protocol rules: for the trihomed DMZ, the ISA Server acts as a packet-filtering router rather than providing the full-featured firewall capabilities available when publishing and protocol rules are used.
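The following Python model illustrates the two paths the abstract contrasts: a packet bound for the public-address trihomed DMZ is routed without NAT and checked only against packet filters, while a packet for a private-address segment must hit the ISA Server's external interface and pass through a publishing rule plus NAT. It also shows the check a practitioner wants before committing to a trihomed design: that the DMZ prefix is not RFC 1918 space. This is an added example, not code from the chapter or from ISA Server; the rule tables, function names, and the TEST-NET addresses standing in for real public addresses are all assumptions.

```python
"""Model of ISA Server handling for a trihomed (public) DMZ versus a
private-address segment behind NAT. Added illustration only; the rule
tables and addresses below are assumptions, not ISA Server's own API."""
import ipaddress
from dataclasses import dataclass

# RFC 1918 space is never routed on the Internet, so a trihomed DMZ,
# which ISA Server reaches without NAT, cannot be numbered from it.
RFC1918 = [
    ipaddress.IPv4Network("10.0.0.0/8"),
    ipaddress.IPv4Network("172.16.0.0/12"),
    ipaddress.IPv4Network("192.168.0.0/16"),
]


@dataclass(frozen=True)
class Segment:
    name: str
    cidr: str

    @property
    def network(self) -> ipaddress.IPv4Network:
        return ipaddress.IPv4Network(self.cidr)


def is_valid_trihomed_dmz(dmz: Segment) -> bool:
    """A trihomed DMZ must carry public addresses: any overlap with
    RFC 1918 space means Internet hosts could never route packets to it."""
    return not any(dmz.network.overlaps(r) for r in RFC1918)


# Assumed packet filters for the trihomed DMZ: (protocol, destination port)
# pairs the packet-filtering router lets in from the external network.
DMZ_PACKET_FILTERS = {("tcp", 80), ("tcp", 443), ("udp", 53)}

# Assumed server publishing rules: a listener on the external interface
# mapped to a private host that is only reachable through NAT.
PUBLISHING_RULES = {("tcp", 25): ("10.0.0.5", 25)}


def handle_inbound(dst: str, proto: str, port: int,
                   external_ip: str, dmz: Segment) -> dict:
    """Decide what the model ISA Server does with one packet arriving on
    its external interface: which mechanism is consulted, whether NAT is
    applied, whether the packet is allowed, and where it ends up."""
    dst_addr = ipaddress.IPv4Address(dst)

    if dst_addr in dmz.network:
        # Trihomed DMZ: routed directly with no NAT. Only packet filters
        # apply; publishing and protocol rules are never consulted here.
        allowed = (proto, port) in DMZ_PACKET_FILTERS
        return {"mechanism": "packet filter", "nat": False,
                "allowed": allowed, "destination": dst if allowed else None}

    if dst_addr == ipaddress.IPv4Address(external_ip):
        # Private-address segment: the packet is addressed to ISA Server
        # itself and reaches a host behind it only via a publishing rule
        # and NAT, so the full access policy applies.
        target = PUBLISHING_RULES.get((proto, port))
        if target is None:
            return {"mechanism": "publishing rule", "nat": True,
                    "allowed": False, "destination": None}
        host, host_port = target
        return {"mechanism": "publishing rule", "nat": True,
                "allowed": True, "destination": f"{host}:{host_port}"}

    # Anything else, including a packet that names a private host directly,
    # has no route through the firewall and is dropped.
    return {"mechanism": "drop", "nat": False,
            "allowed": False, "destination": None}


if __name__ == "__main__":
    # 203.0.113.0/24 and 198.51.100.1 are documentation prefixes used here
    # in place of real public addresses.
    dmz = Segment("trihomed-dmz", "203.0.113.0/24")
    print("trihomed DMZ valid:", is_valid_trihomed_dmz(dmz))
    print("private DMZ valid:", is_valid_trihomed_dmz(Segment("bad", "192.168.1.0/24")))
    for pkt in (("203.0.113.10", "tcp", 80), ("203.0.113.10", "tcp", 25),
                ("198.51.100.1", "tcp", 25), ("10.0.0.5", "tcp", 25)):
        print(pkt, "->", handle_inbound(*pkt, "198.51.100.1", dmz))
```

The split in `handle_inbound` is the point of the abstract: the trihomed branch never touches NAT or the publishing table, so anything not covered by a packet filter is simply dropped, whereas the external-interface branch is where ISA Server's fuller policy lives.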
