new DMZ, web server needs to get to SQL server

Posted on 2007-07-31
Last Modified: 2011-09-20
Firewall Question: I have an Astaro 120 Firewall/Gateway and our company recently purchased a web server to be placed in a DMZ. I am new to networking and have read that I want to set up the firewall to drop all packets from the DMZ to our internal LAN, BUT our SQL server we use internally is (hopefully) going to serve data to the web server upon request. What is the right way to have our web server in the DMZ but to still have access to our SQL server on the LAN? Or am I thinking about this the wrong way?
Question by: kbdaemon

    Accepted Solution

    Yep, you're thinking about it in the correct way.  I'm not familiar with your firewall to give you exact commands, but you have the idea.  At a high level, think of it as three different zones:

    LAN - trusted
    DMZ - semi-trusted
    Internet - not trusted

    You would set up your DMZ zone so that it would initially have no access to your internal LAN. You could allow it to make outbound Internet requests freely (if you so choose), but it itself cannot initiate connections to the LAN. Once you know that this is working as designed, you can now "poke" a hole from the DMZ to your LAN so that the web server in the DMZ can make SQL server requests. But you would configure the firewall so that the web server (Ex. can initiate requests only to SQL server (Ex., and then only on the necessary ports (1433 for SQL by default). So you want to be as specific as possible to minimize your risk.
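The zone policy the answer describes, modelled as a first-match rule set: DMZ-to-LAN is denied by default, with one narrow hole for the web server to reach the SQL server on TCP 1433. This is an added example, not code from the original post or from the Astaro product; the addresses, the zone ranges and the inbound HTTP rule are constructed assumptions.

```python
from dataclasses import dataclass
from ipaddress import IPv4Address, ip_address, ip_network
from typing import Optional

# Constructed addressing for the three zones (hypothetical RFC 1918 ranges).
ZONES = {
    "LAN": ip_network("10.0.0.0/24"),
    "DMZ": ip_network("192.168.100.0/24"),
}
WEB_SERVER = ip_address("192.168.100.10")  # hypothetical web server in the DMZ
SQL_SERVER = ip_address("10.0.0.20")       # hypothetical SQL server on the LAN


def zone_of(addr: IPv4Address) -> str:
    """Anything outside the LAN and DMZ ranges is treated as Internet."""
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "Internet"


@dataclass(frozen=True)
class Rule:
    src_zone: str
    dst_zone: str
    action: str
    src: Optional[IPv4Address] = None   # exact host, or None for any host
    dst: Optional[IPv4Address] = None
    dport: Optional[int] = None         # exact TCP port, or None for any


# First-match order matters: the narrow web -> SQL allow sits above the
# blanket DMZ -> LAN deny, so only that one host/host/port pair gets through.
POLICY = [
    Rule("DMZ", "LAN", "allow", src=WEB_SERVER, dst=SQL_SERVER, dport=1433),
    Rule("DMZ", "LAN", "deny"),
    Rule("DMZ", "Internet", "allow"),            # optional outbound from DMZ
    Rule("LAN", "DMZ", "allow"),                 # admins reach the DMZ
    Rule("Internet", "DMZ", "allow", dst=WEB_SERVER, dport=80),
]


def decide(src_ip: IPv4Address, dst_ip: IPv4Address, dport: int) -> str:
    """Action for a NEW connection attempt; replies ride the stateful session."""
    src_zone, dst_zone = zone_of(src_ip), zone_of(dst_ip)
    for r in POLICY:
        if (r.src_zone, r.dst_zone) != (src_zone, dst_zone):
            continue
        if r.src is not None and r.src != src_ip:
            continue
        if r.dst is not None and r.dst != dst_ip:
            continue
        if r.dport is not None and r.dport != dport:
            continue
        return r.action
    return "deny"  # implicit default: anything not explicitly allowed is dropped
```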
