Re: iSeries in the DMZ? -- DOMINO400

You can add static routes to NIC cards on the iSeries to bind IP addresses
to any give NIC.
You can then Bind Domino HTTP to that IP address.

As far as security, you need to make sure your Domino HTTP is locked down
properly.

Sean

http://www.bedbathandbeyond.com

domino400-request@xxxxxxxxxxxx
Sent by: domino400-bounces+seanmurphy=bedbath.com@xxxxxxxxxxxx
05/18/2005 01:00 PM
Please respond to
domino400@xxxxxxxxxxxx

To
domino400@xxxxxxxxxxxx
cc

Subject
Domino400 Digest, Vol 3, Issue 112

Send Domino400 mailing list submissions to
domino400@xxxxxxxxxxxx

To subscribe or unsubscribe via the World Wide Web, visit
http://lists.midrange.com/mailman/listinfo/domino400
or, via email, send a message with subject or body 'help' to
domino400-request@xxxxxxxxxxxx

You can reach the person managing the list at
domino400-owner@xxxxxxxxxxxx

When replying, please edit your Subject line so it is more specific
than "Re: Contents of Domino400 digest..."

Today's Topics:

1. iSeries in the DMZ? (gregg.eldred@xxxxxxxxxxx)
2. Re: iSeries in the DMZ? (Robert Laing)
3. Re: iSeries in the DMZ? (gregg.eldred@xxxxxxxxxxx)
4. Re: iSeries in the DMZ? (rob@xxxxxxxxx)
5. Re: iSeries in the DMZ? (Patrick Trapp)
6. Re: iSeries in the DMZ? (Eric J Waters)

----------------------------------------------------------------------

message: 1
date: Wed, 18 May 2005 11:08:17 -0400
from: gregg.eldred@xxxxxxxxxxx
subject: iSeries in the DMZ?

Interesting topic came up today. Back in the day, a client ran Domino on
the 400, but then "things changed" and we moved it to several Windows
servers. Now, we are looking at moving our iNotes users to an iSeries and
kill off the remote, Windows-based iNotes server. However, since these
users will be strictly iNotes, and they are coming in from the internet,
do you have some suggestions as to how I can architect this so that,
maybe, one partition is in the DMZ and the others are inside the firewall?

Is this possible? I worry less that OS/400 will get hacked, but I want to
minimize this as well. You know that it would help if I am doing something

that has already been done. The iSeries that we are looking at is one in
the 520/550 line. I am thinking that all I really need is a high level
view at this point, a "proof of concept," if you will.

Thanks.

Gregg

------------------------------

message: 2
date: Wed, 18 May 2005 11:33:35 -0400
from: Robert Laing <rlaing@xxxxxxxxx>
subject: Re: iSeries in the DMZ?

Would using multiple NIC's in the iSeries provide the necessary sec
urity ? For example one NIC visable to the outside world, the ot only
visible to the inside world ?

Bob

Interesting topic came up today. Back in the day, a client ran D the
400, but then "things changed" and we moved it to servers. Now, we are
looking at moving our iNot and
kill off the remote, Windows-based i users will be strictly iNote do
you have some s maybe, one p firewall?
to<B something
that has already been done. The iSeries that we are the 520/550
line. I am thinking that all I view at this point, a "proof of co
Thanks.

Gregg
________________________<BR >This is the Lotus Domino on the
iSeries / AS400 (Domino400) maili list
To post a message email: Domino400@xxxxxxxxxxxx
</TT visit: or email: Domino Before posting, please take a
moment t at http://archive.midrange.com/domino400.

------------------------------

message: 3
date: Wed, 18 May 2005 11:37:54 -0400
from: gregg.eldred@xxxxxxxxxxx
subject: Re: iSeries in the DMZ?

domino400-bounces+gregg.eldred=ns-tech.com@xxxxxxxxxxxx wrote on
05/18/2005 11:33:35 AM:

> Would using multiple NIC's in the iSeries provide the necessary
> security ? For example one NIC visable to the outside world, the
> other NIC only visible to the inside world ?
>
> Bob
>
Bob:

Excellent idea! I was thinking only of the Domino portion and didn't see
the forest for the trees. That sounds really good.

Thanks.

Gregg

------------------------------

message: 4
date: Wed, 18 May 2005 10:54:08 -0500
from: rob@xxxxxxxxx
subject: Re: iSeries in the DMZ?

1 - Not sure if the NIC solution would work. Don't you have to ADDTCPIFC
the new nic anyway, and if so, wouldn't that open it up to the 400?
2 - We have a 570. It has multiple lpars. One of these is in the DMZ and

supports our domino based http://www.dekko.com.

Rob Berendt
--
Group Dekko Services, LLC
Dept 01.073
PO Box 2000
Dock 108
6928N 400E
Kendallville, IN 46755
http://www.dekko.com

gregg.eldred@xxxxxxxxxxx
Sent by: domino400-bounces+rob=dekko.com@xxxxxxxxxxxx
05/18/2005 10:37 AM
Please respond to
Lotus Domino on the iSeries / AS400 <domino400@xxxxxxxxxxxx>

To
Lotus Domino on the iSeries / AS400 <domino400@xxxxxxxxxxxx>
cc

Subject
Re: iSeries in the DMZ?

domino400-bounces+gregg.eldred=ns-tech.com@xxxxxxxxxxxx wrote on
05/18/2005 11:33:35 AM:

> Would using multiple NIC's in the iSeries provide the necessary
> security ? For example one NIC visable to the outside world, the
> other NIC only visible to the inside world ?
>
> Bob
>
Bob:

Excellent idea! I was thinking only of the Domino portion and didn't see
the forest for the trees. That sounds really good.

Thanks.

Gregg
_______________________________________________
This is the Lotus Domino on the iSeries / AS400 (Domino400) mailing list
To post a message email: Domino400@xxxxxxxxxxxx
To subscribe, unsubscribe, or change list options,
visit: http://lists.midrange.com/mailman/listinfo/domino400
or email: Domino400-request@xxxxxxxxxxxx
Before posting, please take a moment to review the archives
at http://archive.midrange.com/domino400.

------------------------------

message: 5
date: Wed, 18 May 2005 11:01:54 -0500
from: "Patrick Trapp" <ptrapp@xxxxxxxxxxxx>
subject: Re: iSeries in the DMZ?

I'm thinking that the LPAR route is what you would have to do to keep the
servers distinct. You can have the server available inside the DMZ and
inside the firewall with the multiple NICs, but I'm not sure how secure
you can make it if you are just putting multiple NICs on the same server
instance.

There used to be a redbook out there that discussed this type of stuff,
but it's been years since I needed to see it, so I'm sure it's way out of
date. Might still be of use to you...

Patrick

rob@xxxxxxxxx
Sent by: domino400-bounces+ptrapp=nex-tech.com@xxxxxxxxxxxx
05/18/2005 10:54 AM
Please respond to
Lotus Domino on the iSeries / AS400 <domino400@xxxxxxxxxxxx>

To
Lotus Domino on the iSeries / AS400 <domino400@xxxxxxxxxxxx>
cc

Subject
Re: iSeries in the DMZ?

supports our domino based http://www.dekko.com.

Rob Berendt
--
Group Dekko Services, LLC
Dept 01.073
PO Box 2000
Dock 108
6928N 400E
Kendallville, IN 46755
http://www.dekko.com

gregg.eldred@xxxxxxxxxxx
Sent by: domino400-bounces+rob=dekko.com@xxxxxxxxxxxx
05/18/2005 10:37 AM
Please respond to
Lotus Domino on the iSeries / AS400 <domino400@xxxxxxxxxxxx>

To
Lotus Domino on the iSeries / AS400 <domino400@xxxxxxxxxxxx>
cc

Subject
Re: iSeries in the DMZ?

domino400-bounces+gregg.eldred=ns-tech.com@xxxxxxxxxxxx wrote on
05/18/2005 11:33:35 AM:

> Would using multiple NIC's in the iSeries provide the necessary
> security ? For example one NIC visable to the outside world, the
> other NIC only visible to the inside world ?
>
> Bob
>
Bob:

Excellent idea! I was thinking only of the Domino portion and didn't see
the forest for the trees. That sounds really good.

Thanks.

_______________________________________________
This is the Lotus Domino on the iSeries / AS400 (Domino400) mailing list
To post a message email: Domino400@xxxxxxxxxxxx
To subscribe, unsubscribe, or change list options,
visit: http://lists.midrange.com/mailman/listinfo/domino400
or email: Domino400-request@xxxxxxxxxxxx
Before posting, please take a moment to review the archives
at http://archive.midrange.com/domino400.

------------------------------

message: 6
date: Wed, 18 May 2005 12:46:04 -0400
from: Eric J Waters <ewaters2@xxxxxxx>
subject: Re: iSeries in the DMZ?

I agree with this option and move to a configuration NAB so that your
address book in the DMZ does not have any person docs or groups in it.
Domino will still authenticate and use the groups for mailings when you
setup the central directory structure for this server(s).

Regards,
Eric Waters

--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------

This is a PRIVATE message. If you are not the intended recipient, please
delete without copying and kindly advise us by e-mail of the mistake in
delivery. NOTE: Regardless of content, this e-mail shall not operate to
bind CSC to any order or other contract unless pursuant to explicit
written
agreement or government initiative expressly permitting the use of e-mail
for such purpose.
--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------

rob@xxxxxxxxx
Sent by:
domino400-bounces To

+ewaters2=csc.com Lotus Domino on the iSeries / AS400

@midrange.com <domino400@xxxxxxxxxxxx>
cc

05/18/2005 11:54 Subject

AM Re: iSeries in the DMZ?

Please respond to
Lotus Domino on
the iSeries /
AS400
<domino400@midran
ge.com>

Rob Berendt
--
Group Dekko Services, LLC
Dept 01.073
PO Box 2000
Dock 108
6928N 400E
Kendallville, IN 46755
http://www.dekko.com

gregg.eldred@xxxxxxxxxxx
Sent by: domino400-bounces+rob=dekko.com@xxxxxxxxxxxx
05/18/2005 10:37 AM
Please respond to
Lotus Domino on the iSeries / AS400 <domino400@xxxxxxxxxxxx>

To
Lotus Domino on the iSeries / AS400 <domino400@xxxxxxxxxxxx>
cc

Subject
Re: iSeries in the DMZ?

domino400-bounces+gregg.eldred=ns-tech.com@xxxxxxxxxxxx wrote on
05/18/2005 11:33:35 AM:

> Would using multiple NIC's in the iSeries provide the necessary
> security ? For example one NIC visable to the outside world, the
> other NIC only visible to the inside world ?
>
> Bob
>
Bob:

Excellent idea! I was thinking only of the Domino portion and didn't see
the forest for the trees. That sounds really good.

Thanks.

------------------------------

_______________________________________________
This is the Lotus Domino on the iSeries / AS400 (Domino400) digest list
To post a message email: Domino400@xxxxxxxxxxxx
To subscribe, unsubscribe, or change list options,
visit: http://lists.midrange.com/mailman/listinfo/domino400
or email: Domino400-request@xxxxxxxxxxxx
Before posting, please take a moment to review the archives
at http://archive.midrange.com/domino400.

End of Domino400 Digest, Vol 3, Issue 112
*****************************************