  • Status: Solved
  • Priority: Medium
  • Security: Public

Set up a SonicWall 2040 to have a webserver in the DMZ

Here is what I have....

A web server running Windows Server 2003 that I want to put in the DMZ with a Public IP address
A Microsoft SQL 2005 Server that is on the LAN with a private address (10.0.0.x)
A web application on the webserver that accesses and stores data on the SQL server.

I would really like to have my webserver in the DMZ, which is easy to do.  The only problem that I run into is that I need the web server to be able to communicate with the SQL server which it can't do by default in the DMZ.  There are 2 ports that I know I need to open to the SQL server, but how will my webserver be able to even find the SQL server and will I have to add any special routes to the SonicWall?  

Also, do I need to open any ports to allow for DNS or do I need to change the host file on the webserver to allow it to communicate with SQL by name and not just IP address?
1 Solution
 
christsis Commented:
Shouldn't be a problem routing. It's no different than a standard router since it's a connected route it knows how to get there. The main thing you need to make sure is you just have the allow DMZ (web server IP) -> LAN (SQL 2005 IP) on the needed ports.

As far as DNS, it depends what you're trying to do. If you just do it by IP you shouldn't need anything additional since you're not worrying about resolving names. If you have an internal DNS server (e.g. for Active Directory) that handles DNSing and resolving internal IPs then you should be able to just add port 53 DMZ (web server IP) -> LAN (DNS server IP) and it shouldn't be a problem. If you don't have an internal DNS server and you want to resolve by computer name instead of a FQDN (fully qualified domain name) you would need to allow netbios broadcasts between DMZ & LAN. Last option would be just as you stated, edit the host file on the web server and not worry about additional ports passing through.

Chris
0
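The answer above boils down to a zone-based, least-privilege policy: DMZ -> LAN is denied by default, and you add narrow allow rules from the web server's address to the SQL server and (if you resolve names) to the internal DNS server. The following is an added example, not code from the thread or from SonicWall: a small first-match policy evaluator that models that posture so you can see which flows pass and which hit the implicit deny. The addresses, the zone ranges, and the service ports (TCP 1433 / UDP 1434 for SQL Server's default engine and browser ports, 53 for DNS) are assumptions for the example; confirm the ports your SQL instance actually listens on.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

# Constructed addressing for this example (not from the thread): the DMZ web
# server holds a public address (transparent mode), the LAN hosts sit in 10.0.0.0/24.
ZONES = {
    "DMZ": ip_network("1.2.3.0/29"),
    "LAN": ip_network("10.0.0.0/24"),
}


@dataclass(frozen=True)
class Rule:
    src_zone: str
    dst_zone: str
    src: str          # host or network in CIDR form
    dst: str
    proto: str        # "tcp" or "udp"
    dport: int
    action: str       # "allow" or "deny"


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str
    dport: int


def zone_of(addr: str) -> Optional[str]:
    """Map an address to the zone whose range contains it (None if unknown)."""
    ip = ip_address(addr)
    for name, net in ZONES.items():
        if ip in net:
            return name
    return None


def evaluate(rules, pkt: Packet) -> str:
    """First-match evaluation with an implicit deny, which is the default
    posture between DMZ and LAN described in the thread."""
    src_zone, dst_zone = zone_of(pkt.src), zone_of(pkt.dst)
    for r in rules:
        if (r.src_zone, r.dst_zone) != (src_zone, dst_zone):
            continue
        if ip_address(pkt.src) not in ip_network(r.src):
            continue
        if ip_address(pkt.dst) not in ip_network(r.dst):
            continue
        if r.proto != pkt.proto or r.dport != pkt.dport:
            continue
        return r.action
    return "deny"   # implicit deny: nothing matched


# Assumed hosts (constructed): web server, SQL server, internal DNS server.
WEB_SERVER = "1.2.3.3"
SQL_SERVER = "10.0.0.10"
DNS_SERVER = "10.0.0.5"

# Least-privilege DMZ -> LAN policy: only the web server as source, only the
# two destination hosts, only the ports each service needs.  The exact SQL
# ports are an assumption for this example.
POLICY = [
    Rule("DMZ", "LAN", f"{WEB_SERVER}/32", f"{SQL_SERVER}/32", "tcp", 1433, "allow"),
    Rule("DMZ", "LAN", f"{WEB_SERVER}/32", f"{SQL_SERVER}/32", "udp", 1434, "allow"),
    Rule("DMZ", "LAN", f"{WEB_SERVER}/32", f"{DNS_SERVER}/32", "udp", 53, "allow"),
    Rule("DMZ", "LAN", f"{WEB_SERVER}/32", f"{DNS_SERVER}/32", "tcp", 53, "allow"),
]


def decide(src: str, dst: str, proto: str, dport: int) -> str:
    """Return 'allow' or 'deny' for one flow under POLICY."""
    return evaluate(POLICY, Packet(src, dst, proto, dport))


if __name__ == "__main__":
    for args in [(WEB_SERVER, SQL_SERVER, "tcp", 1433),   # SQL: allowed
                 (WEB_SERVER, DNS_SERVER, "udp", 53),     # DNS: allowed
                 (WEB_SERVER, SQL_SERVER, "tcp", 445),    # SMB to SQL host: implicit deny
                 (WEB_SERVER, "10.0.0.20", "tcp", 1433),  # other LAN host: implicit deny
                 ("1.2.3.4", SQL_SERVER, "tcp", 1433)]:   # other DMZ host: implicit deny
        print(args, "->", decide(*args))
```

The point of scoping the source to the web server's /32 rather than the whole DMZ zone is that a compromise of any other DMZ host gains no path to the database; the last two sample flows show that deny.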
 
doulos777 Author Commented:
What do you think I should put for my gateway on the Webserver's Network Card?  Do I make it the IP address of my ISP's router which is on the same subnet or do I make it the WAN port of the SonicWall which is also on the same subnet?

Something else perhaps?
0
 
doulos777 Author Commented:
I do have an internal DNS server on my LAN
0
 
christsis Commented:
Again it will depend how you're doing your setup. If you use "standard/transparent" mode then you'll have the public IP on the server and yes, it will point to the ISP gateway.

e.g.
ISP gateway: 1.2.3.1 255.255.255.248
Sonicwall WAN: 1.2.3.2 255.255.255.248
Web server: 1.2.3.3 255.255.255.248

Gateway on both the SonicWALL and Web server will be 1.2.3.1

If you setup the DMZ as NAT then clearly that changes everything and you will have to do passthroughs similar to doing WAN -> LAN.
0
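In the transparent-mode layout above, the ISP router, the SonicWall WAN port and the web server all share one /29, and the web server's gateway is the ISP router rather than the firewall. The check below is an added example (not from the thread or from SonicWall) that validates such a layout before you commit it: every host must be in the same network, no host may use the network or broadcast address, the gateway must be on-link, and no two hosts may share an address. It also lists the addresses still free in the block. The 1.2.3.0/29 values are the answer's own illustration and are constructed, not a real assignment.

```python
from ipaddress import ip_address, ip_interface

# Constructed from the /29 illustration in the answer above.
HOSTS = {
    "isp_gateway":   "1.2.3.1/29",
    "sonicwall_wan": "1.2.3.2/29",
    "web_server":    "1.2.3.3/29",
}
GATEWAY = "1.2.3.1"   # default gateway configured on both the SonicWALL and the web server


def check_transparent_addressing(hosts: dict, gateway: str) -> list:
    """Return a list of problem descriptions; an empty list means the layout
    is consistent.  Checks: single shared network, no reserved addresses,
    on-link gateway, no duplicate addresses."""
    problems = []
    ifaces = {name: ip_interface(cidr) for name, cidr in hosts.items()}

    nets = {i.network for i in ifaces.values()}
    if len(nets) != 1:
        problems.append(
            f"hosts span {len(nets)} networks: {sorted(str(n) for n in nets)}")
        return problems          # further checks assume one network
    net = nets.pop()

    gw = ip_address(gateway)
    if gw not in net:
        problems.append(f"gateway {gw} is not on-link in {net}")

    seen = {}
    for name, iface in ifaces.items():
        addr = iface.ip
        if addr in (net.network_address, net.broadcast_address):
            problems.append(f"{name} uses reserved address {addr}")
        if addr in seen:
            problems.append(f"{name} duplicates {seen[addr]} ({addr})")
        seen[addr] = name
    return problems


def free_addresses(hosts: dict) -> list:
    """Usable addresses in the shared block that no listed host occupies
    (assumes check_transparent_addressing reported no network mismatch)."""
    ifaces = [ip_interface(c) for c in hosts.values()]
    net = ifaces[0].network
    used = {i.ip for i in ifaces}
    return [a for a in net.hosts() if a not in used]


if __name__ == "__main__":
    print("problems:", check_transparent_addressing(HOSTS, GATEWAY) or "none")
    print("free:", [str(a) for a in free_addresses(HOSTS)])
    # A typo that lands the web server on the broadcast address is caught:
    bad = dict(HOSTS, web_server="1.2.3.7/29")
    print("problems:", check_transparent_addressing(bad, GATEWAY))
```

A /29 leaves six usable addresses; with the router, the WAN port and one web server placed, three remain for further DMZ hosts, which is worth knowing before you plan a second public-facing server.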
 
doulos777 Author Commented:
I have the gateway setup as my ISP's gateway and I have placed a statement on the firewall that allows the DMZ to communicate with the LAN on port 53.

The problem I am running into now is that when we access the website and try to log on, it takes forever to work - at least the first time.  Sometimes it speeds up after that.  It looks like DNS to me, but I have that statement in the firewall.

FYI - the 2 servers on my LAN are a PDC with DNS and a SQL server that the website has to connect to.

Thanks
0
 
christsis Commented:
What kind of authentication is going on? Is this a web based auth or are you trying to authenticate Windows users?

Best thing would be to check the log in the SonicWALL to see if you find any blocks that are occurring.
0
 
doulos777 Author Commented:
It is web based, and I will check the logs.
0
 
doulos777 Author Commented:
I looked at the log and tried to log into the website and nothing came up as blocked.
0
 
christsis Commented:
Next step would be to go into diagnostics and setup a packet trace on the SQL server IP and try again. (This could be difficult if it gets a lot of queries.)
0