Resource Order (Real Easy Question)

Working on a network diagram.  I have an outside interface, DMZ with web server connecting to SQL.  Should the SQL be behind the DMZ, or in the DMZ?  SQL needs to connect to Exchange only for mailing internally, nothing external.  I wish we could draw pictures for this .....

Outside Interface <---------->DMZ (Web Site, SQL) DMZ -----------> Secure Network (Exchange Backend)

or

Outside Interface <---------->DMZ (Web Site) DMZ -------------> Secure Network (Exchange Backend, SQL)

Now for the question.  Which method is preferred?  What do I have to allow through the DMZ to internal in order for SQL to talk to Exchange for option 1?
ibtaya Asked:
 
Erik Bjers (Principal Systems Administrator) Commented:
I think option 2 is best: you should only have your web/external mail server in the DMZ, and all servers that support the website/mail system should be behind the inside firewall.  To allow your web server to access the SQL server, you need to open the ports used to access the server in your firewall.  I would create a very restrictive rule allowing inbound connections on SQL ports from the IP of the web server to the IP of the SQL server.

eb  
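
The restrictive rule described in the answer above, as an added example that is not part of the original thread: a small first-match rule evaluator plus a check that flags permits wider than one host to one host on one port. The addresses are constructed documentation ranges, and TCP 1433 assumes Microsoft SQL Server on its default port.

```python
import ipaddress
from dataclasses import dataclass

# Constructed addresses (RFC 5737 documentation ranges), not from the thread.
WEB = "192.0.2.10"      # web server in the DMZ
SQL = "198.51.100.20"   # SQL server on the inside network
SQL_PORT = 1433         # assumption: Microsoft SQL Server default TCP port

@dataclass(frozen=True)
class Rule:
    action: str   # "permit" or "deny"
    src: str      # CIDR or "any"
    dst: str      # CIDR or "any"
    port: int     # TCP destination port, 0 = any port

def _net(spec):
    return ipaddress.ip_network("0.0.0.0/0" if spec == "any" else spec)

def decide(rules, src, dst, port):
    """First-match evaluation with an implicit deny when nothing matches."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for r in rules:
        if s in _net(r.src) and d in _net(r.dst) and r.port in (0, port):
            return r.action
    return "deny"

def too_broad(rules):
    """Permit rules wider than one host to one host on one port."""
    return [r for r in rules if r.action == "permit" and
            (_net(r.src).num_addresses > 1 or _net(r.dst).num_addresses > 1
             or r.port == 0)]

# DMZ -> inside policy for option 2: one pinhole, then an explicit deny.
STRICT = [Rule("permit", WEB + "/32", SQL + "/32", SQL_PORT),
          Rule("deny", "any", "any", 0)]
# The loose variant a rule review should catch: whole DMZ to whole inside.
LOOSE = [Rule("permit", "192.0.2.0/24", "198.51.100.0/24", 0)]

if __name__ == "__main__":
    print(decide(STRICT, WEB, SQL, SQL_PORT))           # web -> SQL on 1433
    print(decide(STRICT, "192.0.2.99", SQL, SQL_PORT))  # other DMZ host
    print(too_broad(LOOSE))                             # rules to tighten
```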
 
ibtaya (Author) Commented:
Thanks eb, that's what I was thinking, just needed to hear it from someone else.
 
dooleydog Commented:
I would prefer to keep the SQL server internally and allow only certain IP addresses to send data to the SQL server through the firewall.

Good Luck,
 
Erik Bjers (Principal Systems Administrator) Commented:
Good luck

eb
Question has a verified solution.