Solved

Network Design

Posted on 2010-09-12
10
Medium Priority
965 Views
Last Modified: 2012-05-10

Hello there,

I have an application server on which I have my application, and users connect to this server via Remote Desktop to use my application. The local and remote users connect via RDP. The remote users use a static IP and the local users use a local (static) IP. The server is connected directly to the internet. Now I want to add another server which will host the company's website. This server will also be directly connected to the internet. To increase the security of the servers I am planning to set up a firewall between the internet and the servers. I am planning to use eBox (also called Zentyal). Now my question is: will it create issues for the remote and local users connecting to the application server? For example, will the users have to RDP to the firewall and then again RDP to the AS, or not? Please help me to understand the issues I will face and the solution to them.

cheers
zolf
0
Comment
Question by:zolf
10 Comments
 
LVL 2

Expert Comment

by:VMthinker
ID: 33659953
Regarding your question, if you could provide a network topology diagram it would help us understand your question more. For now I guess that you would have to worry more about the authentication server/part of your network than about the firewall. As RDP heavily utilizes an authentication server, you would have to make sure that your "ports" are properly configured to allow the necessary traffic both inbound and outbound within the LAN. Are you planning to place 1 or 2 firewalls? And I recommend Cisco products instead because they are always easier to configure.

--------------------------------------

Please award helpful / correct if this post has helped

By: Another VMware newbie, VMthinker
0
 
LVL 3

Expert Comment

by:h4himanshu
ID: 33659964
Hi Zolf,

The local users won't have any issues as they will connect directly to the servers without any firewall in between. For the external users, you will need to set up port forwarding/NAT (Network Address Translation) on the firewall to your internal servers, so when a user sends a request to RDP from outside your network, it will first hit the firewall and then be forwarded to the relevant server depending on the NAT. Hope this helps.

Regards.
0
 
LVL 10

Assisted Solution

by:ujitnos
ujitnos earned 200 total points
ID: 33660219
As you have mentioned that the internal and external users connect to an application on the server, it's recommended to provide the external users access to only the application and not RDP. RDP will basically give full control of the server to the users, and from this server it will be possible to navigate to the new web server hosting the company's website, locally.
If you access the application via a client installed on a laptop or desktop, it's recommended to allow specific ports to your application.
As mentioned above, the other thing that you need to take care of is the NAT. If you are doing your NAT-ing in your routers, then you will need to create rules in the firewall to allow the specific port and destination. For the web server, allow only port 80 or 443 (https) from the internet to the server.
If you are going to do the NAT on your firewall, you will need to create those NAT rules as well.
Local users will connect to the private IP of the application server, and internet users will use the public IP. All users will RDP to the server and not to the firewall. I would personally recommend you to avoid RDP, if specific application-based ports can be allowed for internal/external access.
0
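As an added illustration (not code from this thread, and not Zentyal's own rule set), here is a small model of the policy h4himanshu and ujitnos describe: the firewall answers on its public IP, forwards (DNATs) RDP to the application server only from the remote users' known static IPs, forwards 80/443 to the web server, and drops everything else; local users on the LAN never pass through it. All addresses are constructed, and the iptables rendering assumes a Linux firewall such as eBox/Zentyal.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed addresses (RFC 5737 / RFC 1918); none of these come from the thread.
FIREWALL_PUBLIC_IP = "203.0.113.10"
APP_SERVER = "192.168.1.10"    # application server the users reach over RDP
WEB_SERVER = "192.168.1.20"    # new server hosting the company website
REMOTE_STATIC_IPS = ("198.51.100.5", "198.51.100.6")  # remote users' static IPs
RDP, HTTP, HTTPS = 3389, 80, 443


@dataclass
class Packet:
    src: str    # source IP of the inbound connection attempt
    dst: str    # destination IP as seen on the firewall's internet side
    dport: int  # destination TCP port


def evaluate(pkt: Packet) -> Tuple[str, Optional[str]]:
    """Decide what the firewall does with one inbound TCP connection attempt.
    Returns ("DNAT", "ip:port") when it is forwarded to an internal server,
    or ("DROP", None) when it is discarded."""
    if pkt.dst != FIREWALL_PUBLIC_IP:
        return ("DROP", None)                    # not addressed to this firewall
    if pkt.dport == RDP:                         # RDP only from the known remote users
        if pkt.src in REMOTE_STATIC_IPS:
            return ("DNAT", f"{APP_SERVER}:{RDP}")
        return ("DROP", None)                    # unknown source: RDP stays closed
    if pkt.dport in (HTTP, HTTPS):               # the website is reachable from anywhere
        return ("DNAT", f"{WEB_SERVER}:{pkt.dport}")
    return ("DROP", None)                        # default deny for everything else


def iptables_rules() -> List[str]:
    """Render the same policy as iptables commands. Zentyal/eBox runs on Linux
    and uses iptables underneath, but these are illustrative commands, not the
    rule set Zentyal itself generates."""
    nat = f"iptables -t nat -A PREROUTING -d {FIREWALL_PUBLIC_IP} -p tcp"
    rules = [f"{nat} -s {ip} --dport {RDP} -j DNAT --to-destination {APP_SERVER}:{RDP}"
             for ip in REMOTE_STATIC_IPS]
    rules += [f"{nat} --dport {p} -j DNAT --to-destination {WEB_SERVER}:{p}"
              for p in (HTTP, HTTPS)]
    rules += ["iptables -P FORWARD DROP",         # nothing crosses the firewall unless listed
              "iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"]
    rules += [f"iptables -A FORWARD -s {ip} -d {APP_SERVER} -p tcp --dport {RDP} -j ACCEPT"
              for ip in REMOTE_STATIC_IPS]
    rules.append(f"iptables -A FORWARD -d {WEB_SERVER} -p tcp -m multiport "
                 f"--dports {HTTP},{HTTPS} -j ACCEPT")
    return rules
```

A remote user still points the RDP client at the firewall's public address; the DNAT rule rewrites the destination to the application server, so there is no second RDP hop through the firewall itself.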

 

Author Comment

by:zolf
ID: 33660355

Here is the diagram of my network and where I am planning to place the firewall.
Kaizen-Network-2.jpg
0
 

Author Comment

by:zolf
ID: 33660400

VMthinker:

>>would have to make sure that your "ports" are properly configured to allow the necessary traffic
Can you please tell me what ports I need to shut and open?

>>Are you planning to place 1 or 2 firewalls?
1 firewall

>>And I recommend Cisco products instead cause they are always easier to configure.
Can you suggest some?

h4himanshu:
>>you will need to setup port forwarding/NAT(Network Address Translation) on the Firewall to
Can you please refer me to some tutorial? I am not an expert in this.

ujitnos:
>>its recommended to provide the external users access to only the application and not RDP.
Yes, when they RDP only the application opens for them. I have taken care of this issue.

>>If you access the application via a client installed on  laptop or destop, its recommended to allow specific ports to your application.
How do I do this? Can you please tell me?

>>All users will RDP to the server and not to the firewall.
Will this work, since the firewall is between the internet and the AS?

>> I would personally reconmmend you to avoid RDP, if specific application based ports can be allowed for internal/external access.

Till I switch my application to a web-based application, I am forced to let the company work with RDP.
0
 
LVL 2

Expert Comment

by:VMthinker
ID: 33660488
Well, for more on the port numbers I suggest you read up on this: http://en.wikipedia.org/wiki/List_of_TCP_and_UDP_port_numbers. Not only do you need to allow RDP ports but you would also need to allow normal ports like port 80 "http" and such for user access.

As for the firewall, may I suggest that you place 1 each for your servers and the one that you have planned? Your network model suggests that you may have multiple problems with only 1 firewall guarding the entire network.

If you are looking for a mid-range enterprise version, may I suggest the Cisco ASA firewall series? I also suggest that you add some router devices to your network for more overall sturdy control.

I also find your network topology a bit flawed due to the vast number of switches involved. May I suggest using only 2 Cisco switches with a Cisco router to perform router-on-a-stick and inter-VLAN communication? This is to reduce the risk of your network devices having security vulnerabilities.

0
 

Author Comment

by:zolf
ID: 33660517

VMthinker:

Thanks for your comments.
Can you please tell me, in my network design, where I need to place the switches and router and what switch model and firewall I should go for? Please help me to redesign my network more professionally.
0
 
LVL 2

Accepted Solution

by:VMthinker
VMthinker earned 1600 total points
ID: 33660607
I hope this helps. Try to put in as few firewalls as possible, as they might slow down the traffic flow.
example.JPG
0
 
LVL 3

Assisted Solution

by:h4himanshu
h4himanshu earned 200 total points
ID: 33679111
Hi Zolf,

Please refer to this Wikipedia entry for NAT: http://en.wikipedia.org/wiki/Network_address_translation

The configuration depends on what kind of firewall (software/hardware) and product you are using. For Cisco routers which use IOS, you can follow this link: http://articles.techrepublic.com.com/5100-10878_11-1039094.html

Regards
0
 

Author Closing Comment

by:zolf
ID: 33763521

Thanks.
0
