Avatar of kenny_klbn
kenny_klbnFlag for Brunei Darussalam

asked on 

Internet access to Web Application behind Two Tier Firewall

Hi Experts,
The following is our network setup:

remote site---ISP Cisco router<---(VPN Leased Line)--->ISP Cisco router---Internal Firewall---(LAN)
                                                                                                                                External Firewall

We have an IIS server (Server B) at remote site hosting an internal web application accessible from within the LAN and Remote site. We also have another IIS server (Server A) in the DMZ accessible from the internet.

Remote users are requesting for their web server (Server B) to be accessible from the internet. And also, remote users have specifically stated that they do not wish to relocate their web server to HQ (DMZ).

Appreciate your advise on best practice guidelines to allow internet access to an internal Web Application behind a Two Tier Firewall system. Fyi, the firewall at the internet gateway and internal is Checkpoint and Symantec Enterprise respectively.

Software FirewallsMicrosoft IIS Web ServerWindows Server 2003

Avatar of undefined
Last Comment
Avatar of pkutter

It would be possible to do a port map through both firewalls, however I would recommend very strongly against this. This would allow internet traffic across your LAN. I assume from your diagram that there is no direct internet at the remote site. If their server cant be put on your DMZ I see 2 possible solutions.

1. Get internet access at the remote site and get another firewall with a DMZ.

2. If all of your hardware between your internet connection and the remote site support VLAN trunks you could create a separate VLAN for the internet traffic. This solution could become a headache in a hurry as you are dealing with multiple vendors.

3.Maybe get them a new server and put it on the DMZ at the main site. Then move whichever service it is that they would like to have available to the internet to the new server, assuming this isn't the primary role of the Server at the remote site.

If this doesn't help, we may need some more information.

A. Why do they not want their server moved?

B. Can you be more specific as to what models and versions the network equipment is?

C. What speed is the line to the remote site?

D. Will having the server there with internet traffic impact the performance of the services that are already running across that line?
Avatar of kenny_klbn
Flag of Brunei Darussalam image


Hi Pkutter,

Option 1 and 2 are not feasible. However for option 3, instead of moving services, is it possible to utilise the existing DMZ's web server (Server A) to redirect request to remote site's web server (Server B)? Fyi, we have registered for a new public domain name and public IP specifically for the remote site's web server. Temporarily, on our Checkpoint FW, we nat'ed the public ip to the DMZ's web server ip.

To answer your query,
A. Why do they not want their server moved?
Remote users should be able to access their web application locally in the event that there is no connectivity between remote and main site.

B. Can you be more specific as to what models and versions the network equipment is?
First tier firewall --> Checkpoint R55
Second tier firewall --> Symantec Enterprise 8.0
ISP's Cisco Router --> Cisco 2600
Web Server --> Windows 2003 / IIS 6.0
Web Application --> Sharepoint Portal

C. What speed is the line to the remote site?
Remote site : 1 Mbps vpn leased line

D. Will having the server there with internet traffic impact the performance of the services that are already running across that line?
No comment at this moment as we are still monitoring the traffic.

P/s: Im curious about the "possible to do a port map through both firewalls"...if you have a url link for me to gather more infor, i would appreciate that very much

Avatar of pkutter

In looking through one of your other questions I saw a reference to a remote site having a domain controller. Is this remote site the some one? Is this server a domain controller? If so we probably shouldn't move it.

In either the port map idea or the redirected web server in the DMZ you would still be allowing public internet traffic across your LAN. This could expose your LAN considerable to malicious attacks from the internet. If you have a limited number of users accessing this server you could limit connections based on source IP address. You would have to gather and maintain a list of allowed IPs. If this is a server that is going to be available to the general public this idea won't work.

The preferred method would still be to put a new server in the DMZ to host this service. To mitigate the chances of downtime you could install a second T1 at the remote site for load balancing and redundancy. I prefer to use 2 different ISPs when I do this so that if one ISP has problems the other is less likely to experience the same issue at the same time. If you have a layer 3 switch at the remote site or an additional router (one that you control rather than the ISP) with 3 ethernet interfaces it shouldn't be too difficult.

Here is how to do a port forward on the checkpoint. I still don't think this is a secure way of configuring it though. I don't have a link or anything. This currently something that I do on our checkpoint. I found it on the internet years ago. I'm not sure if it's exactly supported by checkpoint though. I asked their tech support about it once and the tech told me it wasn't possible.

In smart dashboard go to the security tab.
create a new rule.
create a new service
type should be "other"
give it a name.
IP Protocol can be left blank.
go to Advanced
in the "match" field put the following and modify port and IP address for your application
This should forward anything coming in on port 81 and send it to the internal IP of on port 80.

You can also do this to use the same incoming port and destination port.

In your current configuration you would need to port forward from your checkpoint to the symantec and then to the server at the remote site, assuming you are doing NAT in both firewalls. I don't know how to do a port forward in a the symantec.

One other thought. R55 on the checkpoint is a bit dated. If possible it would be a good idea to get it updated.
Avatar of pkutter

Blurred text
View this solution by signing up for a free trial.
Members can start a 7-Day free trial and enjoy unlimited access to the platform.
See Pricing Options
Start Free Trial
Windows Server 2003
Windows Server 2003

Windows Server 2003 was based on Windows XP and was released in four editions: Web, Standard, Enterprise and Datacenter. It also had derivative versions for clusters, storage and Microsoft’s Small Business Server. Important upgrades included integrating Internet Information Services (IIS), improvements to Active Directory (AD) and Group Policy (GP), and the migration to Automated System Recovery (ASR).

Top Experts
Get a personalized solution from industry experts
Ask the experts
Read over 600 more reviews


IBM logoIntel logoMicrosoft logoUbisoft logoSAP logo
Qualcomm logoCitrix Systems logoWorkday logoErnst & Young logo
High performer badgeUsers love us badge
LinkedIn logoFacebook logoX logoInstagram logoTikTok logoYouTube logo