Creating a DMZ on TMG 2010
Posted on 2012-03-26
We are planning to host an Ubuntu BigBlueButton web-conferencing server on our network.
To make it more secure, I am planning to create a DMZ on TMG 2010 and place it in there before publishing it to the internet.
I have a virtualised TEST environment (Hyper-V) and have so far:
* added a new NIC (DMZ)
* using the wizard, created a three-leg perimeter network
* gave the DMZ a new subnet address
* added a new access rule to allow DNS, NTP and other protocols to pass between the DMZ and internal network > I chose to route traffic between the two networks
* added a web-server to the DMZ
* connected the physical Internal NIC and the DMZ NIC to a small switch (I will create a virtual connection later)
Here is some IP address information:
Internal network (LAN): 192.168.51.0
Web-server inside the DMZ: 192.168.52.1 (DNS: 192.168.51.1)
1) The web-server is now completely isolated; it cannot access the internet or even ping the DMZ NIC (192.168.52.254) - what other rules do I need to set up for the DMZ so that the web-server is accessible from both the internal network and the internet?
2) As I understand it the access rule shouldn't be bi-directional; only the internal network should have (full ?) access to the web-server. However, aren't TMG rules bi-directional?
3) Should traffic between the DMZ and internal networks be routed or NAT'd?
4) Should I point the web-server's IP address to a public IP address or keep the private DMZ IP address (192.168.52.1)?
5) What should the gateway be on the web-server? I have pointed it to the address of the TMG server (192.168.51.254).
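A small address-plan checker for the DMZ host described in the post, added here as an example; it is not part of the original post and has nothing to do with TMG's own configuration interface. It takes the addresses the post gives (web-server 192.168.52.1, DNS 192.168.51.1, TMG internal interface 192.168.51.254, TMG DMZ interface 192.168.52.254) and applies two rules a practitioner checks first when a DMZ host cannot reach anything: the default gateway must lie inside the host's own subnet (and should be the firewall interface facing that subnet), and any server on another network, here the DNS server on the internal LAN, can only be reached through an access rule from the DMZ to that network. The /24 masks are an assumption, since the post gives no masks.

```python
"""Sanity-check a DMZ host's IP settings against a three-leg address plan.

Added example, not code from the original post or from Forefront TMG.
Assumption: all networks are /24 (the post states no subnet masks).
"""
from ipaddress import IPv4Address, IPv4Network

# Address plan as given in the post; the /24 masks are assumed.
NETWORKS = {
    "internal": IPv4Network("192.168.51.0/24"),
    "dmz": IPv4Network("192.168.52.0/24"),
}
# Firewall (TMG) interface on each leg, as stated in the post.
TMG_INTERFACES = {
    "internal": IPv4Address("192.168.51.254"),
    "dmz": IPv4Address("192.168.52.254"),
}


def network_of(addr):
    """Return the name of the network that contains addr, or None."""
    for name, net in NETWORKS.items():
        if addr in net:
            return name
    return None


def check_host(ip, gateway, dns):
    """Return a list of findings (strings) for one host's IP settings.

    Rules applied:
    - the default gateway must be inside the host's own subnet, otherwise
      the host cannot even ARP for it and has no route off its segment;
    - on a three-leg perimeter the gateway should be the firewall
      interface that faces the host's subnet;
    - a DNS server on a different network is only reachable if the
      firewall has an access rule from the host's network to that one.
    """
    ip, gateway, dns = IPv4Address(ip), IPv4Address(gateway), IPv4Address(dns)
    findings = []

    host_net = network_of(ip)
    if host_net is None:
        return [f"{ip} is not inside any known network"]

    if gateway not in NETWORKS[host_net]:
        findings.append(
            f"gateway {gateway} is outside the host's {host_net} subnet "
            f"{NETWORKS[host_net]}; expected {TMG_INTERFACES[host_net]}"
        )
    elif gateway != TMG_INTERFACES[host_net]:
        findings.append(
            f"gateway {gateway} is not the firewall's {host_net} interface "
            f"{TMG_INTERFACES[host_net]}"
        )

    dns_net = network_of(dns)
    if dns_net != host_net:
        findings.append(
            f"DNS server {dns} is on the {dns_net} network; requires an access "
            f"rule {host_net} -> {dns_net} for DNS (UDP/TCP 53)"
        )
    return findings


if __name__ == "__main__":
    # Settings exactly as described in the post.
    for line in check_host("192.168.52.1", "192.168.51.254", "192.168.51.1"):
        print("-", line)
```

Run against the post's settings it reports that the gateway 192.168.51.254 is outside the 192.168.52.0/24 subnet and that DNS to 192.168.51.1 depends on a DMZ-to-internal rule; with the gateway moved to the DMZ interface only the DNS dependency remains.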