High level: configuring a hardware firewall for a Windows DC/AD/DNS?

I have configured software firewalls on servers in the past, so I am not a complete newb on these issues.

I will shortly have a fancy hardware firewall/security product coming my way.
Since I have more servers than this thing has ports, I also have a fancy gigabit switch coming my way:

I have set up DNS, several domain controllers, and SQL Server databases. My plan is to have the DCs "behind" the firewall and several IIS servers serving traffic. It would be nice if I can set up VPN so that remote users could access the file store.

I need to know at a high level what I should be doing to configure
a) the firewall for the DCs
b) the firewall for the DNS now and later (the DNS currently is improperly combined with the DCs)
c) the IIS boxes.

If there are "gotchas" to watch out for please advise. If there are best practices or resources please advise. Our staff is extremely limited (me) and our budget is somewhat limited, so what we need to do needs to live in our real world vs. what I might ideally do with $30,000 more to spend.

Keep in mind that I am familiar with the concepts of port blocking. I am not familiar at all with "port forwarding", "tunnelling", and other things that will probably have to happen to make this all work. If you can define the basic concepts along the way I would very much appreciate it.

Thanks so much for your high-level guidance on how this should all fit.
Just about everything you want to do can be solved via access list and NAT.

1) Let's say you have a public IP for website 1. You have an access list to allow HTTP and HTTPS traffic in from that IP. You can then have a NAT rule that says HTTP and HTTPS traffic to that public IP forwards to THIS internal IP.

2) You can do the above for anything you want: web, DNS, mail, etc. It's best to limit the number of outside ports you allow in, for security.

This will give you a good basic security setup.

To go more into it, some people have internal DNS, so that workstations, other servers, etc. can access resources within the secured network, and a public DNS server that takes care of things like mapping www.mywebsite.com to this IP. There are many firms that offer DNS hosting, and that can make life really easy as well.
Don S. commented:
Nothing to do for the DCs and DNSs as long as they are all on the inside (LAN side) of the ProSafe firewall. Your ProSafe will only allow you to publish one server per port to the outside world, so if you have multiple IIS servers that you want the internet to see, the ProSafe is not going to do it for you.
kennethfine (Author) commented:
Thanks much. Would it be a rational approach to put the IIS boxes on the outside and protect them via software firewall, and figure out some mechanism for them to communicate as necessary with server resources on the LAN side?

What are my options? Seems one choice might be an el-cheapo firewall for each of the IIS boxes.

You're saying no configuration is going to be required for the servers behind the firewalls? How are DNS requests going to get routed to the DNS servers? What is the "traffic flow", again? I think I understand this but I want to confirm.

We have a web setup a lot like what you are doing (only a bit larger); here's how I did it.

Everything is behind the outside firewalls. They plug into a switch, and the web servers also plug into that switch. I have a second set of firewalls that connect to that switch, and all other servers sit behind those firewalls. So it's a two-firewall solution.

A few notes:

This can be done with access lists and VLANs with one firewall if you want to control access from the web servers to AD/SQL/file servers/backup servers, whatever.

A really important note here is that once you open ports for AD, SQL, file servers, backup servers, etc. from your front-end web servers into your "secure" back end, you might as well not have a firewall there at all.

Some other network admins will just put everything behind one firewall and really make sure everything is locked down, and that's good enough. In your case, that might be a good way to start.
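The access-list-plus-NAT approach from the first answer and the web-tier/back-end split cblake describes, modelled as an added example (this is not the ProSafe's configuration syntax or any poster's own code). All addresses are constructed placeholders, and the zone layout and allowed ports are assumptions; the point it shows is default-deny with only the published ports reachable, and no DMZ-to-inside hole except DNS.

```python
"""Policy model: inbound NAT + access list with default deny, three zones."""
from ipaddress import ip_address, ip_network

# Constructed addressing (assumption): one public IP, a DMZ for IIS,
# an inside segment holding DC/DNS/SQL.
PUBLIC_IP = "203.0.113.10"
DMZ = ip_network("192.168.10.0/24")
INSIDE = ip_network("192.168.20.0/24")
IIS_1 = "192.168.10.5"
DNS_DC = "192.168.20.2"

# NAT table: (public ip, port) -> (internal ip, port).
# Only services you mean to publish appear here (answer 1's "port forwarding").
NAT = {(PUBLIC_IP, 80): (IIS_1, 80), (PUBLIC_IP, 443): (IIS_1, 443)}

# Access list, evaluated top-down, first match wins; unmatched traffic is dropped.
# Entries are (src zone, dst zone, dst port, action).
ACL = [
    ("internet", "dmz", 80, "allow"),
    ("internet", "dmz", 443, "allow"),
    ("dmz", "inside", 53, "allow"),   # web servers may resolve names on the inside DNS
    # Deliberately no dmz->inside rule for 445/1433/389: opening those from the
    # web tier is exactly what cblake warns makes the back-end firewall pointless.
]

def zone(ip: str) -> str:
    """Classify an address into one of the three modelled zones."""
    addr = ip_address(ip)
    if addr in DMZ:
        return "dmz"
    if addr in INSIDE:
        return "inside"
    return "internet"

def evaluate(src_ip: str, dst_ip: str, dst_port: int):
    """Return ('allow', (real_ip, real_port)) or ('deny', reason)."""
    translated = NAT.get((dst_ip, dst_port))
    if dst_ip == PUBLIC_IP and translated is None:
        return ("deny", "port not published via NAT")     # default deny at the edge
    real_ip, real_port = translated if translated else (dst_ip, dst_port)
    src_zone, dst_zone = zone(src_ip), zone(real_ip)
    for rule_src, rule_dst, port, action in ACL:
        if (rule_src, rule_dst, port) == (src_zone, dst_zone, real_port):
            return (action, (real_ip, real_port))
    return ("deny", f"no rule for {src_zone}->{dst_zone}:{real_port}")

def published_ports() -> list:
    """Sanity check: which ports the public IP actually exposes."""
    return sorted(p for (ip, p) in NAT if ip == PUBLIC_IP)
```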
kennethfine (Author) commented:
Thanks much, cblake. Anything is going to be a vast improvement over what we've had to date.

I am assuming here that the IIS servers make DNS-related requests to the DNS servers, and because they're on the same LAN everything works fine. Is that correct? Is there any other source of DNS-related traffic? I am still a little sketchy on how DNS servers that are behind firewalls mediate DNS requests. If this is a big topic maybe I should open a new EE question.

I assume an access list is a machine-specific entry to the firewall allowing access?

I assume a VLAN is a virtual LAN that allows LAN-esque connections between servers that might not actually be on the same subnet/in the same LAN? Is that correct?