Internet access to Web Application behind Two Tier Firewall
Hi Experts,
The following is our network setup:
remote site---ISP Cisco router<---(VPN Leased Line)--->ISP Cisco router---Internal Firewall---(LAN)
|
(DMZ)
|
External Firewall
|
Internet
We have an IIS server (Server B) at remote site hosting an internal web application accessible from within the LAN and Remote site. We also have another IIS server (Server A) in the DMZ accessible from the internet.
Issue:
Remote users are requesting for their web server (Server B) to be accessible from the internet. And also, remote users have specifically stated that they do not wish to relocate their web server to HQ (DMZ).
Appreciate your advise on best practice guidelines to allow internet access to an internal Web Application behind a Two Tier Firewall system. Fyi, the firewall at the internet gateway and internal is Checkpoint and Symantec Enterprise respectively.
rgds,
Kenny
The following is our network setup:
remote site---ISP Cisco router<---(VPN Leased Line)--->ISP Cisco router---Internal Firewall---(LAN)
|
(DMZ)
|
External Firewall
|
Internet
We have an IIS server (Server B) at remote site hosting an internal web application accessible from within the LAN and Remote site. We also have another IIS server (Server A) in the DMZ accessible from the internet.
Issue:
Remote users are requesting for their web server (Server B) to be accessible from the internet. And also, remote users have specifically stated that they do not wish to relocate their web server to HQ (DMZ).
Appreciate your advise on best practice guidelines to allow internet access to an internal Web Application behind a Two Tier Firewall system. Fyi, the firewall at the internet gateway and internal is Checkpoint and Symantec Enterprise respectively.
rgds,
Kenny
Last Comment
ASKER
Hi Pkutter,
Option 1 and 2 are not feasible. However for option 3, instead of moving services, is it possible to utilise the existing DMZ's web server (Server A) to redirect request to remote site's web server (Server B)? Fyi, we have registered for a new public domain name and public IP specifically for the remote site's web server. Temporarily, on our Checkpoint FW, we nat'ed the public ip to the DMZ's web server ip.
To answer your query,
A. Why do they not want their server moved?
Remote users should be able to access their web application locally in the event that there is no connectivity between remote and main site.
B. Can you be more specific as to what models and versions the network equipment is?
First tier firewall --> Checkpoint R55
Second tier firewall --> Symantec Enterprise 8.0
ISP's Cisco Router --> Cisco 2600
Web Server --> Windows 2003 / IIS 6.0
Web Application --> Sharepoint Portal
C. What speed is the line to the remote site?
Remote site : 1 Mbps vpn leased line
D. Will having the server there with internet traffic impact the performance of the services that are already running across that line?
No comment at this moment as we are still monitoring the traffic.
P/s: Im curious about the "possible to do a port map through both firewalls"...if you have a url link for me to gather more infor, i would appreciate that very much
rgds,
Kenny
Option 1 and 2 are not feasible. However for option 3, instead of moving services, is it possible to utilise the existing DMZ's web server (Server A) to redirect request to remote site's web server (Server B)? Fyi, we have registered for a new public domain name and public IP specifically for the remote site's web server. Temporarily, on our Checkpoint FW, we nat'ed the public ip to the DMZ's web server ip.
To answer your query,
A. Why do they not want their server moved?
Remote users should be able to access their web application locally in the event that there is no connectivity between remote and main site.
B. Can you be more specific as to what models and versions the network equipment is?
First tier firewall --> Checkpoint R55
Second tier firewall --> Symantec Enterprise 8.0
ISP's Cisco Router --> Cisco 2600
Web Server --> Windows 2003 / IIS 6.0
Web Application --> Sharepoint Portal
C. What speed is the line to the remote site?
Remote site : 1 Mbps vpn leased line
D. Will having the server there with internet traffic impact the performance of the services that are already running across that line?
No comment at this moment as we are still monitoring the traffic.
P/s: Im curious about the "possible to do a port map through both firewalls"...if you have a url link for me to gather more infor, i would appreciate that very much
rgds,
Kenny
In looking through one of your other questions I saw a reference to a remote site having a domain controller. Is this remote site the some one? Is this server a domain controller? If so we probably shouldn't move it.
In either the port map idea or the redirected web server in the DMZ you would still be allowing public internet traffic across your LAN. This could expose your LAN considerable to malicious attacks from the internet. If you have a limited number of users accessing this server you could limit connections based on source IP address. You would have to gather and maintain a list of allowed IPs. If this is a server that is going to be available to the general public this idea won't work.
The preferred method would still be to put a new server in the DMZ to host this service. To mitigate the chances of downtime you could install a second T1 at the remote site for load balancing and redundancy. I prefer to use 2 different ISPs when I do this so that if one ISP has problems the other is less likely to experience the same issue at the same time. If you have a layer 3 switch at the remote site or an additional router (one that you control rather than the ISP) with 3 ethernet interfaces it shouldn't be too difficult.
Here is how to do a port forward on the checkpoint. I still don't think this is a secure way of configuring it though. I don't have a link or anything. This currently something that I do on our checkpoint. I found it on the internet years ago. I'm not sure if it's exactly supported by checkpoint though. I asked their tech support about it once and the tech told me it wasn't possible.
In smart dashboard go to the security tab.
create a new rule.
create a new service
type should be "other"
give it a name.
IP Protocol can be left blank.
go to Advanced
in the "match" field put the following and modify port and IP address for your application
SRV_REDIRECT(81,10.10.10.1
This should forward anything coming in on port 81 and send it to the internal IP of 10.10.10.100 on port 80.
You can also do this to use the same incoming port and destination port.
SRV_REDIRECT(81,10.10.10.1
In your current configuration you would need to port forward from your checkpoint to the symantec and then to the server at the remote site, assuming you are doing NAT in both firewalls. I don't know how to do a port forward in a the symantec.
One other thought. R55 on the checkpoint is a bit dated. If possible it would be a good idea to get it updated.
In either the port map idea or the redirected web server in the DMZ you would still be allowing public internet traffic across your LAN. This could expose your LAN considerable to malicious attacks from the internet. If you have a limited number of users accessing this server you could limit connections based on source IP address. You would have to gather and maintain a list of allowed IPs. If this is a server that is going to be available to the general public this idea won't work.
The preferred method would still be to put a new server in the DMZ to host this service. To mitigate the chances of downtime you could install a second T1 at the remote site for load balancing and redundancy. I prefer to use 2 different ISPs when I do this so that if one ISP has problems the other is less likely to experience the same issue at the same time. If you have a layer 3 switch at the remote site or an additional router (one that you control rather than the ISP) with 3 ethernet interfaces it shouldn't be too difficult.
Here is how to do a port forward on the checkpoint. I still don't think this is a secure way of configuring it though. I don't have a link or anything. This currently something that I do on our checkpoint. I found it on the internet years ago. I'm not sure if it's exactly supported by checkpoint though. I asked their tech support about it once and the tech told me it wasn't possible.
In smart dashboard go to the security tab.
create a new rule.
create a new service
type should be "other"
give it a name.
IP Protocol can be left blank.
go to Advanced
in the "match" field put the following and modify port and IP address for your application
SRV_REDIRECT(81,10.10.10.1
This should forward anything coming in on port 81 and send it to the internal IP of 10.10.10.100 on port 80.
You can also do this to use the same incoming port and destination port.
SRV_REDIRECT(81,10.10.10.1
In your current configuration you would need to port forward from your checkpoint to the symantec and then to the server at the remote site, assuming you are doing NAT in both firewalls. I don't know how to do a port forward in a the symantec.
One other thought. R55 on the checkpoint is a bit dated. If possible it would be a good idea to get it updated.
ASKER CERTIFIED SOLUTION
THIS SOLUTION IS ONLY AVAILABLE TO MEMBERS.
View this solution by signing up for a free trial.
Members can start a 7-Day free trial and enjoy unlimited access to the platform.
Windows Server 2003
Windows Server 2003 was based on Windows XP and was released in four editions: Web, Standard, Enterprise and Datacenter. It also had derivative versions for clusters, storage and Microsoft’s Small Business Server. Important upgrades included integrating Internet Information Services (IIS), improvements to Active Directory (AD) and Group Policy (GP), and the migration to Automated System Recovery (ASR).
129K
Questions
--
Followers
--
Top Experts
Get a personalized solution from industry experts
TRUSTED BY
1. Get internet access at the remote site and get another firewall with a DMZ.
2. If all of your hardware between your internet connection and the remote site support VLAN trunks you could create a separate VLAN for the internet traffic. This solution could become a headache in a hurry as you are dealing with multiple vendors.
3.Maybe get them a new server and put it on the DMZ at the main site. Then move whichever service it is that they would like to have available to the internet to the new server, assuming this isn't the primary role of the Server at the remote site.
If this doesn't help, we may need some more information.
A. Why do they not want their server moved?
B. Can you be more specific as to what models and versions the network equipment is?
C. What speed is the line to the remote site?
D. Will having the server there with internet traffic impact the performance of the services that are already running across that line?