should I place the webserver in DMZ or in LAN?

Should I place the webserver in the DMZ or in the LAN? I open only the HTTP and HTTPS ports to the webserver, and it reads from the internal database. If I move it to the DMZ because I open those ports: I have Exchange 2003 and Citrix in the LAN and HTTP is opened for them, so why do I have to move the webserver to the DMZ?
i_harfoushAsked:
jakethecatukCommented:
It is best practice to place any public facing web site in the DMZ.  If the website gets compromised or hacked, you are minimising your exposure to problems.

If the webhost needs to talk to your LAN, then you can open up the necessary ports on your firewall to allow communication to take place.

However, sometimes this may not be practical for the web application.
0

i_harfoushAuthor Commented:
OK Mr Jake,
but I have webmail and Citrix already in the LAN and the ports are opened for HTTP, and there is no way to place them in the DMZ, so I will have servers in the LAN and a server in the DMZ but the HTTP port is opened for both.
0
jakethecatukCommented:
Well, if you HAVE published webmail and Citrix, you should be using HTTPS not HTTP (as you state).

As Citrix and webmail are used exclusively by your company, people do make the mistake of publishing them from the LAN and not the DMZ.  They make that mistake as they assume that, since it's not the general public accessing the websites, the security risk isn't as great.

You can publish port 80 (HTTP) rules on your firewall to go to both the DMZ and LAN.  Your public IP address will map to either a DMZ address or a LAN address.

The new website you are talking about, is it going to be for use by the general public or just your colleagues?
0

i_harfoushAuthor Commented:
Sir,
the website is published for the public.
Citrix I can't place in the DMZ since there are internal applications I publish through it, and when I open citrix.xxx.com it is showing HTTP not HTTPS (so it requires HTTP).
Webmail: I got an answer from Microsoft not to place it in the DMZ as it is not recommended and needs a hell of a lot of ports opened to Active Directory, but they said open HTTPS.
Any advice, Sir?
0
jakethecatukCommented:
If you are deploying a website for use by the public, then you really should put it in the DMZ.

Citrix should be secured by an SSL certificate as this will ensure that all data is encrypted (don't forget, this will include login information)!
0
i_harfoushAuthor Commented:
So do you mean remove HTTP from the firewall to the LAN for mail and Citrix, and place the webserver in the DMZ?
0
pete838344Commented:
As a general rule you do not want to put anything except the website in the DMZ.  Putting a database or Citrix in the DMZ is to invite trouble. To be properly secure it has to be split up.
0
i_harfoushAuthor Commented:
The webserver is joined to the domain. If I place it in the DMZ, what ports should I open from DMZ ---> internal LAN, apart from the SQL port and the DNS port?
0
up_grayed_outCommented:
How about setting up Port Address Translation to host a public resource inside the LAN?
http://en.wikipedia.org/wiki/Port_address_translation
0
jakethecatukCommented:
Having a webserver as part of your domain can be done, but is not really a good idea.

Why do you need it to be part of your domain???
0
i_harfoushAuthor Commented:
So make it part of a workgroup?
0
jakethecatukCommented:
If you explain exactly what you are doing, why you want to have it in a domain, what sort of data you will be passing to/from the web server etc, it will make it easier for us to advise you on how to proceed.
0
i_harfoushAuthor Commented:
It is a normal renting agency: webserver + database server. I configured both in the LAN and joined them to the domain. Can I have better advice from you?
0
jakethecatukCommented:
Again, why do you want to add the webserver to the domain?  What do you need on the webserver that requires domain membership?

The normal way to do things would be to have the webserver in a workgroup and leave it in the DMZ.  You would then open a port in your firewall to allow communication with your SQL server.  It's not a good idea to use the default SQL port (1433) as this is too well known - moving it to port 1533 for example would help.

0
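The layout recommended in this thread (public web server alone in the DMZ, only 80/443 inbound from the Internet, a single non-default SQL port from the web server to the LAN database, and nothing published straight into the LAN) can be expressed as a firewall-policy lint. This is an added example, not code from the thread or from any firewall vendor; the zone names, host names (web01, db01, citrix01) and rules are constructed sample data.

```python
"""Lint a firewall policy against the DMZ/LAN advice in the thread (added example)."""
from dataclasses import dataclass

INTERNET, DMZ, LAN = "internet", "dmz", "lan"
WEB_PORTS = {80, 443}
DEFAULT_SQL_PORT = 1433  # well-known MSSQL listener, the thread suggests moving off it


@dataclass(frozen=True)
class Rule:
    """One permit rule: traffic from src_zone to dst_host (in dst_zone) on dst_port/tcp."""
    src_zone: str
    dst_zone: str
    dst_host: str   # hypothetical host label, constructed for the example
    dst_port: int


def lint(rules, web_host, db_host, sql_port):
    """Return a list of findings; an empty list means the policy follows the advice."""
    findings = []
    for r in rules:
        if r.src_zone == INTERNET:
            # Nothing from the Internet should terminate on a LAN host (webmail/Citrix case).
            if r.dst_zone == LAN:
                findings.append(f"internet->lan {r.dst_host}:{r.dst_port} publishes a LAN host directly")
            # In the DMZ only the public web server, and only on HTTP/HTTPS.
            elif r.dst_host != web_host or r.dst_port not in WEB_PORTS:
                findings.append(f"internet->dmz {r.dst_host}:{r.dst_port} is not the web server on 80/443")
        elif r.src_zone == DMZ and r.dst_zone == LAN:
            # The only DMZ->LAN path is the web server talking to the database on the chosen port.
            if r.dst_host != db_host or r.dst_port != sql_port:
                findings.append(f"dmz->lan {r.dst_host}:{r.dst_port} is not the allowed SQL path")
    if sql_port == DEFAULT_SQL_PORT:
        findings.append("SQL listener still on the default port 1433")
    return findings


if __name__ == "__main__":
    policy = [
        Rule(INTERNET, DMZ, "web01", 80),
        Rule(INTERNET, DMZ, "web01", 443),
        Rule(DMZ, LAN, "db01", 1533),
    ]
    for line in lint(policy, "web01", "db01", 1533) or ["policy OK"]:
        print(line)
```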
i_harfoushAuthor Commented:
What about DNS?
0
jakethecatukCommented:
What about DNS?
0
i_harfoushAuthor Commented:
10x
0