Access rules for webserver

I have a webserver that is a member of the domain. I will move it to the DMZ, but it reads from a SQL Server database.
I will give these access rules:
    WAN --------> webserver (http, https) --- DMZ
    DMZ (webserver) --------> LAN (SQL port, DNS)
    LAN --------> DMZ (SQL port)
Is that true?
Also, the IIS on my webserver is not sending e-mails to my internal clients. Why?
Also, I configured IIS to use (exchange smart).
i_harfoush asked:
mindwise commented:
Hi I Harfoush,

Your rulebase seems alright; I doubt you need to open SQL from LAN to DMZ, though.
For IIS to send mail to the internal network, I think you need to open at least port 25 (SMTP) from DMZ to LAN.

With 'smart' do you mean you set up IIS to be a smart host for Exchange, I guess??
(Since making a LAN device (Exchange, I guess!!) a smart host for a device in the DMZ sounds nasty....)
Try http://www.petri.co.il/configure_iis_to_be_a_smart_host_for_exchange.htm for details on that.

Have fun,
0
i_harfoush (author) commented:
You know boss, I did all of these, and the e-mails get stuck in the categorizer of Exchange. I also tried to put the webserver in the LAN, and the e-mails are still stuck in the categorizer. Why, I don't know. Any solution?
0
qbakies commented:
My webservers in the DMZ all require e-mail and SQL access to the inside, so we have a very similar setup. You will just need to open 1433 from DMZ to LAN, and nothing from LAN to DMZ since it has a higher base security level. For e-mail I set up the IIS SMTP virtual server to avoid having to pass mail to the LAN. The fewer holes you need to punch in the firewall, the more secure it will be.
0
i_harfoush (author) commented:
Mm, qbakies, in the relay settings in Exchange 2003, do I have to enter the real IP address of my webserver, or the internal IP, or what exactly?
0
i_harfoush (author) commented:
And one more question: the DNS of your webserver, is it the DNS of your ISP or your internal DNS/domain controller?
0
qbakies commented:
"Mm, qbakies, in the relay settings in Exchange 2003, do I have to enter the real IP address of my webserver, or the internal IP, or what exactly?"

Like I said, I use IIS to send my e-mails from the webserver, so I don't pass e-mail to the Exchange server; but if you are trying to allow relaying, you need to enter the IP of the webserver itself, not the web site running on the webserver.

-----------------------

"And one more question: the DNS of your webserver, is it the DNS of your ISP or your internal DNS/domain controller?"

I use my internal DNS server so I don't have to adjust the hosts files.
0
i_harfoush (author) commented:
Do you need to open a port for DNS, or is there no need?
0
qbakies commented:
I have TCP and UDP open to my DNS server on port 53.
0
i_harfoush (author) commented:
Open port 53 in both directions?
0
qbakies commented:
You never need to open from LAN -> DMZ, because the LAN interface should have a higher security level assigned to it. By default the PIX will not allow anything from a lower to a higher security-level interface, but traffic can pass freely from a higher to a lower security-level interface.

0
i_harfoush (author) commented:
So I have to open port 53 from DMZ --------> LAN, right qbakies?
0
qbakies commented:
That is correct sir.
0
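The rulebase the thread converges on (WAN -> DMZ on 80/443, DMZ -> LAN on 1433 and 53 TCP/UDP, nothing explicit from LAN -> DMZ because the PIX already permits higher-to-lower traffic) can be written down and checked before anyone touches the firewall. The following is an added example, not code from the thread or from Cisco: it models PIX-style interface security levels, evaluates sample flows against the explicit permits, flags permits that are redundant under the implicit high-to-low policy, and renders the permits as PIX 6.x style access-list lines. The zone names, the security-level values and the host addresses (10.0.50.10 for the webserver, 10.0.100.5 and 10.0.100.6 for SQL and DNS) are assumptions chosen for the illustration.

```python
"""Model of the DMZ rulebase discussed above (added example, hypothetical addresses)."""
from dataclasses import dataclass
from typing import List

# PIX convention: higher security level may initiate to lower without an ACL;
# lower to higher needs an explicit permit. Values are assumed for this example.
SECURITY_LEVEL = {"wan": 0, "dmz": 50, "lan": 100}

# Hypothetical hosts used only to render concrete access-list lines.
HOSTS = {"web": "10.0.50.10", "sql": "10.0.100.5", "dns": "10.0.100.6"}


@dataclass(frozen=True)
class Rule:
    src_zone: str
    dst_zone: str
    proto: str      # "tcp" or "udp"
    dport: int
    src_host: str   # address or "any"
    dst_host: str


# Explicit permits from the thread's final rulebase (constructed here).
# No SMTP permit: mail is sent by the IIS SMTP virtual server on the webserver itself.
RULES: List[Rule] = [
    Rule("wan", "dmz", "tcp", 80, "any", HOSTS["web"]),
    Rule("wan", "dmz", "tcp", 443, "any", HOSTS["web"]),
    Rule("dmz", "lan", "tcp", 1433, HOSTS["web"], HOSTS["sql"]),
    Rule("dmz", "lan", "tcp", 53, HOSTS["web"], HOSTS["dns"]),
    Rule("dmz", "lan", "udp", 53, HOSTS["web"], HOSTS["dns"]),
]


def is_allowed(src_zone: str, dst_zone: str, proto: str, dport: int,
               src_host: str = "any", dst_host: str = "any",
               rules: List[Rule] = RULES) -> bool:
    """Return True if a flow would pass: implicit high->low, else an explicit permit."""
    if src_zone == dst_zone:
        return True  # intra-zone traffic is not filtered by this model
    if SECURITY_LEVEL[src_zone] > SECURITY_LEVEL[dst_zone]:
        return True  # PIX default: higher security level initiates freely to lower
    for r in rules:
        if (r.src_zone, r.dst_zone, r.proto, r.dport) != (src_zone, dst_zone, proto, dport):
            continue
        if r.src_host not in ("any", src_host) and src_host != "any":
            continue
        if r.dst_host not in ("any", dst_host) and dst_host != "any":
            continue
        return True
    return False  # implicit deny for lower -> higher without a matching permit


def redundant_rules(rules: List[Rule]) -> List[Rule]:
    """Permits that the implicit policy already grants (e.g. LAN -> DMZ 1433)."""
    return [r for r in rules if SECURITY_LEVEL[r.src_zone] > SECURITY_LEVEL[r.dst_zone]]


def to_pix_acl(rules: List[Rule]) -> List[str]:
    """Render non-redundant permits as PIX 6.x style ACL lines, one ACL per inbound interface."""
    lines = []
    zones = sorted({r.src_zone for r in rules if r not in redundant_rules(rules)})
    for zone in zones:
        acl = f"{zone}_in"
        for r in rules:
            if r.src_zone != zone or r in redundant_rules(rules):
                continue
            src = "any" if r.src_host == "any" else f"host {r.src_host}"
            dst = "any" if r.dst_host == "any" else f"host {r.dst_host}"
            lines.append(f"access-list {acl} permit {r.proto} {src} {dst} eq {r.dport}")
        lines.append(f"access-group {acl} in interface {zone}")
    return lines


if __name__ == "__main__":
    print("\n".join(to_pix_acl(RULES)))
    print("lan->dmz 1433 redundant:",
          bool(redundant_rules(RULES + [Rule("lan", "dmz", "tcp", 1433, "any", HOSTS["web"])])))
```

Running the block prints two ACLs, `wan_in` and `dmz_in`, and shows that an explicit LAN -> DMZ permit for 1433 would be redundant, which is the point qbakies makes about security levels. The host-specific permits also illustrate the "fewer holes" principle: the webserver can reach SQL and DNS on their ports, and nothing else on the LAN.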
i_harfoush (author) commented:
Thanks in advance, qbakies. I will not relay the e-mail from the webserver through Exchange; I think it is better.
0
i_harfoush (author) commented:
qbakies, I came to a company where 2 firewalls exist, one SonicWall and then a PIX firewall. I asked the old system administrator, who had already handed things over to me before he left, why he implemented two firewalls; he said more security! Do we need 2 firewalls for security?
Thanks
0
qbakies commented:
It is completely dependent on your topology.
0
i_harfoush (author) commented:
I have a simple network--------
Citrix and Exchange are both on the internal LAN.
I will move the webserver to a DMZ on a different port on the SonicWall, and it will read from the database server.
One WAN connection and one LAN connection, with one DMZ that I will create in future for the webserver.
What do you think, should I remove the PIX?
[attachment: drawing1-1-.JPG]
0
i_harfoush (author) commented:
PIX firewall 515E and SonicWall TZ 170.
On the SonicWall I can add one more DMZ on a different port.
0
i_harfoush (author) commented:
qbakies, please comment on the below...

[attachment: drawing-final.jpg]
0
qbakies commented:
With the info from this drawing I don't see the need for two firewalls. I would go with one and add more interfaces if necessary.
0
i_harfoush (author) commented:
Actually qbakies, if I remove the PIX I cannot control my users with the content filter..... and I don't want to remove the PIX because it is a Cisco product. My plan is to keep 3 public servers on the PIX and keep my clients on the SonicWall. Do you agree?
0
qbakies commented:
If that is what you need for your network it is fine, but why keep the SonicWall then? You can do everything you want with the PIX if it has enough interfaces.
0
i_harfoush (author) commented:
The PIX doesn't have a content filter, anti-spyware, antivirus, or address objects... so what about going with this diagram?
0
qbakies commented:
If you need features on both then, yes, your diagram is fine.
0
i_harfoush (author) commented:
OK
0