Solved

access rules for webserver

Posted on 2010-03-26
24
Medium Priority
800 Views
Last Modified: 2013-11-29
I have a webserver that is a member of the domain. I will move it to the DMZ, but it reads from a SQL Server database.
I will give these access rules:
    wan -------> webserver (http, https) --- dmz
    dmz (webserver) -------> lan (sql port, dns)
    lan -------> dmz (sql port)
Is that right?
Also, IIS on my webserver is not sending e-mails to my internal clients. Why?
Also, I configured IIS to use (exchange - smart).
0
Comment
Question by:i_harfoush
24 Comments
 
LVL 5

Expert Comment

by:mindwise
ID: 28711340
Hi i_harfoush,

Your rulebase seems all right, though I doubt you need to open SQL from LAN to DMZ.
For IIS to send mail to internal clients, I think you need to open at least port 25 (SMTP) from DMZ to LAN.

By 'smart' you mean you set up IIS to be a smarthost for Exchange, I guess??
(Since making a LAN device (Exchange, I guess!!) a smarthost for a device in the DMZ sounds nasty....)
Try http://www.petri.co.il/configure_iis_to_be_a_smart_host_for_exchange.htm for details on that.

Have fun,
0
 

Author Comment

by:i_harfoush
ID: 28711624
You know, boss, I did all of these; the e-mail is stuck in the categorizer of Exchange. I also tried to put the webserver in the LAN, and the e-mails are still stuck in the categorizer. Why, I don't know. Any solution?
0
 
LVL 10

Expert Comment

by:qbakies
ID: 28711943
My webservers in the DMZ all require email and SQL access to the inside, so we are very similar in setup.  You will just need to open 1433 from DMZ to LAN, nothing from LAN to DMZ since it has a higher base security-level.  For email I set up an IIS SMTP virtual server to avoid having to pass mail to the LAN.  The fewer holes you need to punch in the firewall, the more secure it will be.
0
 

Author Comment

by:i_harfoush
ID: 28712341
Mm, qbakies, in the relay settings in Exchange 2003, do I have to enter the real IP address of my webserver, or the internal IP, or what exactly?
0
 

Author Comment

by:i_harfoush
ID: 28712697
And one more question: the DNS of your webserver, is it the DNS of your ISP or your internal DNS / domain controller?
0
 
LVL 10

Expert Comment

by:qbakies
ID: 28713016
"Mm, qbakies, in the relay settings in Exchange 2003, do I have to enter the real IP address of my webserver, or the internal IP, or what exactly?"

Like I said, I use IIS to send my emails from the webserver so I don't pass email to the exchange server; but if you are trying to allow relaying you need to enter the IP of the webserver itself, not the web site running on the webserver.

-----------------------

"And one more question: the DNS of your webserver, is it the DNS of your ISP or your internal DNS / domain controller?"

I use my internal DNS server so I don't have to adjust the host files.
0
 

Author Comment

by:i_harfoush
ID: 28713269
Do you need to open a port for DNS, or is there no need?
0
 
LVL 10

Expert Comment

by:qbakies
ID: 28713740
I have tcp and udp open to my DNS server on port 53.
0
 

Author Comment

by:i_harfoush
ID: 28713898
Open port 53 in both directions?
0
 
LVL 10

Expert Comment

by:qbakies
ID: 28714082
You never need to open from LAN -> DMZ because the LAN interface should have a higher security-level assigned to it.  By default the PIX will not allow anything from a lower to a higher security-level interface, but traffic can pass freely from a high to low security-level interface.

0
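As an added example that is not part of this thread, here is a small Python model of the PIX security-level behaviour qbakies describes, applied to the rule set proposed in the question. The interface names and security levels (wan=0, dmz=50, lan=100) and the use of 1433 for SQL Server are assumptions.

```python
# Added example: model PIX-style interface security levels to check which of
# the proposed rules are needed and which flows would still be blocked.
from dataclasses import dataclass

# Assumed levels following the PIX convention: outside 0, inside 100, DMZ between.
LEVELS = {"wan": 0, "dmz": 50, "lan": 100}


@dataclass(frozen=True)
class Rule:
    src_if: str
    dst_if: str
    proto: str  # "tcp" or "udp"
    port: int


# Explicit low -> high rules from the thread: WAN->DMZ web, DMZ->LAN SQL and DNS.
EXPLICIT_RULES = [
    Rule("wan", "dmz", "tcp", 80),
    Rule("wan", "dmz", "tcp", 443),
    Rule("dmz", "lan", "tcp", 1433),
    Rule("dmz", "lan", "tcp", 53),
    Rule("dmz", "lan", "udp", 53),
]


def is_allowed(src_if, dst_if, proto, port, rules=EXPLICIT_RULES):
    """Return True if a new connection from src_if to dst_if is permitted.

    Higher -> lower security level: permitted by default, no rule needed
    (caveat: once an ACL is bound inbound on that interface, the ACL
    replaces this implicit permit; the model assumes no ACL on lan).
    Lower -> higher: permitted only when an explicit rule matches.
    Return traffic of an allowed connection is handled by the stateful
    inspection and needs no rule of its own.
    """
    if LEVELS[src_if] > LEVELS[dst_if]:
        return True
    return Rule(src_if, dst_if, proto, port) in rules


def redundant_rules(candidates):
    """Proposed rules that the security-level default already covers."""
    return [r for r in candidates if LEVELS[r.src_if] > LEVELS[r.dst_if]]


def missing_for_flows(flows, rules=EXPLICIT_RULES):
    """Required flows (src_if, dst_if, proto, port) still blocked by the rule set."""
    return [f for f in flows if not is_allowed(*f, rules=rules)]
```

Running `missing_for_flows` over the flows the thread needs shows that SMTP from the DMZ webserver to Exchange on the LAN (tcp/25) is the one flow the proposed rules leave closed, which matches mindwise's point.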
 

Author Comment

by:i_harfoush
ID: 28714230
So I have to open port 53 from DMZ -------> LAN, right qbakies?
0
 
LVL 10

Expert Comment

by:qbakies
ID: 28714278
That is correct sir.
0
 

Author Comment

by:i_harfoush
ID: 28714419
Thanks in advance qbakies, and I will not relay e-mail from the webserver on Exchange; I think that is better.
0
 

Author Comment

by:i_harfoush
ID: 28716694
qbakies, I came to a company where 2 firewalls exist, one SonicWall and then a PIX firewall. I asked the old system administrator, who handed things over to me before he left, why he implemented two firewalls; he said more security! Do we need 2 firewalls for security?
thanks
0
 
LVL 10

Expert Comment

by:qbakies
ID: 28716788
It is completely dependent on your topology.
0
 

Author Comment

by:i_harfoush
ID: 28717137
I have a simple network:
Citrix and Exchange are both on the internal LAN.
I will move the webserver to a DMZ on a different port on the SonicWall, and it will read from the database server.
One WAN connection and one LAN connection, with one DMZ that I will create in future for the webserver.
What do you think, should I remove the PIX?
[attachment: drawing1-1-.JPG]
0
 

Author Comment

by:i_harfoush
ID: 28717876
PIX firewall 515E and SonicWall TZ 170.
On the SonicWall I can add one more DMZ on a different port.
0
 

Author Comment

by:i_harfoush
ID: 28944775
qbakies, please comment on the below...

[attachment: drawing-final.jpg]
0
 
LVL 10

Expert Comment

by:qbakies
ID: 28974172
With the info from this drawing I don't see the need for two firewalls.  I would go with one and add more interfaces if necessary.
0
 

Author Comment

by:i_harfoush
ID: 28974588
Actually, qbakies, if I remove the PIX I cannot control my users with the content filter..... and I don't want to remove the PIX because it is a Cisco product. My plan is to keep 3 public servers on the PIX and keep my clients on the SonicWall. Do you agree?
0
 
LVL 10

Expert Comment

by:qbakies
ID: 28974833
If that is what you need for your network it is fine, but why keep the SonicWall then?  You can do everything you want with the PIX if it has enough interfaces.
0
 

Author Comment

by:i_harfoush
ID: 28975050
The PIX doesn't have a content filter, anti-spyware and antivirus, address objects... so what, go with this diagram?
0
 
LVL 10

Accepted Solution

by: qbakies (earned 2000 total points)
ID: 28975203
If you need features on both then, yes, your diagram is fine.
0
 

Author Closing Comment

by:i_harfoush
ID: 31707692
OK
0
