Another "internal" NIC question

Question

    I've gone through several of the threads and checked out Jeff's blog on the subject (great information BTW), but I'm still a little fuzzy on the internal NIC.  Is it recommended that it be on a separate subnet than the external NIC (most all of the examples show this)?  Or is it totally fine if internal and external are on the same subnet in the DMZ?


    for example:

    external
     ip   - 74.29.48.21
     mask - 255.255.255.0
     gw   - 74.29.48.1

    internal
     ip   - 74.29.48.22
     mask - 255.255.255.0
     gw   - blank

    Thanks for your help!

    Wednesday, March 5, 2008 10:50 PM

Answers

    It is acceptable to have the internal and external NICs on the same subnet, for example if your DMZ consists of only one subnet.  It is important in this case that the internal NIC be properly connected to the internal network (through routing and firewall rules) and the external NIC be connected to the internet.  There should not be direct connectivity from the internet to your front-end OCS server.
    Sunday, March 23, 2008 8:45 AM
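As an added illustration (not code from the thread or from OCS), a small Python check of the two-NIC Edge layout described above: both NICs on the same DMZ subnet is allowed, the default gateway sits only on the external NIC, and every internal network that is not directly attached gets a persistent static route through the internal NIC. The internal network range (10.10.0.0/16) and the inner-firewall next hop (74.29.48.254) are constructed, assumed values.

```python
import ipaddress

# Constructed sample that mirrors the thread's example addresses (not a real deployment).
EDGE_NICS = {
    "external": {"ip": "74.29.48.21", "mask": "255.255.255.0", "gw": "74.29.48.1"},
    "internal": {"ip": "74.29.48.22", "mask": "255.255.255.0", "gw": None},
}
# Assumed: internal networks the Edge must reach, and the inner firewall's DMZ address.
INTERNAL_NETS = ["10.10.0.0/16"]
INTERNAL_NEXT_HOP = "74.29.48.254"


def check_edge_nics(nics, internal_nets, internal_next_hop):
    """Validate a two-NIC Edge layout.

    Returns (findings, routes): findings is a list of problems (empty means the
    layout passes), routes is the list of persistent Windows static routes needed
    because the internal NIC deliberately has no default gateway.
    """
    findings, routes = [], []
    ext = ipaddress.ip_interface(f"{nics['external']['ip']}/{nics['external']['mask']}")
    intl = ipaddress.ip_interface(f"{nics['internal']['ip']}/{nics['internal']['mask']}")
    if ext.ip == intl.ip:
        findings.append("internal and external NICs share an IP address")
    # Exactly one default gateway: on the external NIC, and on that NIC's subnet.
    with_gw = [name for name, cfg in nics.items() if cfg["gw"]]
    if with_gw != ["external"]:
        findings.append(f"default gateway must be set only on the external NIC, found on {with_gw}")
    elif ipaddress.ip_address(nics["external"]["gw"]) not in ext.network:
        findings.append("external gateway is not on the external NIC's subnet")
    # The inner firewall must be directly reachable from the internal NIC.
    hop = ipaddress.ip_address(internal_next_hop)
    if hop not in intl.network:
        findings.append("internal next hop is not on the internal NIC's subnet")
    # Any internal network that is not directly attached needs a static route via
    # the internal NIC; otherwise that traffic would follow the default route out
    # of the external NIC.
    for net in map(ipaddress.ip_network, internal_nets):
        if not net.subnet_of(intl.network):
            routes.append(f"route -p add {net.network_address} mask {net.netmask} {hop}")
    return findings, routes


if __name__ == "__main__":
    problems, needed_routes = check_edge_nics(EDGE_NICS, INTERNAL_NETS, INTERNAL_NEXT_HOP)
    print("findings:", problems or "none")
    print("static routes to add:", *needed_routes, sep="\n  ")
```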

All replies

    Joeuser99 wrote:

        I've gone through several of the threads and checked out Jeff's blog on the subject (great information BTW), but I'm still a little fuzzy on the internal NIC.  Is it recommended that it be on a separate subnet than the external NIC (most all of the examples show this)?  Or is it totally fine if internal and external are on the same subnet in the DMZ?


    That configuration works. In fact I have an older blog entry based on a production deployment I performed fitting this scenario.  Due to the way their DMZ and multiple firewalls were aligned, we ended up with the same IP subnetwork for both the internal and external interfaces, adding a third NIC with a single public IP which was physically connected to a separate external network for A/V connectivity.  I originally attempted to put the Internal, Access Edge, and WebConf IPs on the same NIC, but the Edge server failed to pass external authentication connections (and any other MTLS traffic) on to the internal Front-End servers until I moved the internal IP to a separate physical NIC.

    Monday, March 24, 2008 12:22 PM
    Moderator
    Thanks that seemed to work!  (sorry for the late reply I've been out for a while).
    Friday, May 2, 2008 5:08 PM