Web Server IP configuration

My company is adding a web server to the network. We only have a WatchGuard firewall, file server, development web server and Exchange server on our AD domain currently. The new web server is a Dell PE R210ii running Windows Server 2008 R2 Standard with two NICs. My question is where should I put the web server in the network? Should I give it two public IPs and remote into it, or one public and one private? If I do give it the second private IP, do I put that server into a DMZ or a VLAN? Our switch is not an L3 switch, so that means we would have to remote in if it is on a VLAN. Our other web servers are off site and we just VPN into them. Any information to help me plan this out would be greatly appreciated. Thanks
ryan80 Commented:
What hecgomrec said is completely wrong and/or he is just not understanding. A DMZ is both separate from the public internet and the internal network. This is standard practice that everyone uses. I am not sure what he is talking about. His description seems similar to what I said to do, so maybe he just doesn't know the terminology. You will use one subnet for your internal network and one subnet for your DMZ network. The firewall sits in the middle of it all, acting as a firewall between the WAN, DMZ and LAN.

You will install your web server into your DMZ (you can connect both ports for redundancy/load balancing). The DMZ will use its own subnet with the firewall as the gateway.

For my DMZ I also use a separate domain from the LAN domain, so the credentials and users are completely different. You could also leave the servers there off the domain, but use your judgement in terms of how easily you can implement this.

Now on the firewall you will do a one-to-one mapping of the web server IP address to one of your public IP addresses. On most firewalls, by default traffic will be blocked from the WAN to a more secure network (with the DMZ being more secure and the LAN being the most secure). Make sure that this is the case, because you only want to open the ports that you need. In the firewall rules, allow public IPs to access the web server IP on the ports that you need (standard would be HTTP 80 and HTTPS 443).

Now because you have a DMZ, your LAN subnet is never reached directly from the WAN. You will need to open any ports, if you need to, between the web server and any resources inside. If you don't need to, that is the ideal solution. That means that even if your web server is compromised, it is still blocked by the firewall from reaching your LAN.

Using a DMZ is standard and recommended practice. Many places use multiple levels of DMZs to separate access servers from data servers. We use this to keep our web servers separate from our SQL servers which contain the actual data.
What you should do is create a DMZ if you do not already have one, and put the web server in the DMZ. It will have a private IP in the DMZ subnet. Then make a static NAT mapping from the public IP to the server's private IP on the firewall to publish HTTP and HTTPS to the internet.

Adjust the firewall rules as needed for your requirements and services.
I will have to say that "ryan80"'s comments are very dangerous for a web server or any server.

By doing so, your server will be exposed to the "World"; anyone, and I mean really anyone, can attack your server. A DMZ does not offer any security at all. I will not recommend this for a server; for a regular station/client... maybe!

To better answer your question, let's start with communications: I'm not sure about your bandwidth or traffic to this server, so I will suggest you scale my suggestions accordingly. Based on what you provided, I will team up the 2 NICs in one IP, add two more in case of failure, and create a rule on the router/firewall to redirect the public IP to the server's private IP. Make sure your ISP has registered your site properly in its DNS records.

Now, connecting to it/them: you mention VPN for the off-site server; please clarify, as I don't clearly understand how you have access to an off-site web server unless it is located at another branch. By connecting, do you mean access for maintenance, administration, website development and maintenance, access to webpages/intranet, or all of the above?

When accessing servers with "external" names different from the internal ones, you should update your DNS server records to match and redirect your external settings, to avoid confusing your clients/users.

Good Luck

E1V1S (Author) Commented:
So basically I want to leave the web servers and Exchange on the local subnet and make 1:1 NAT translations for each public to private IP? Isn't that less secure, because if the server is compromised the attacker now has access to the entire subnet? I was under the impression that Ryan80's answer was the "norm". I was originally going to set up the DMZ in a two-firewall system isolating the LAN from the DMZ; however, after reading Ryan80's comments it could be accomplished with one firewall.
The web server is going to be used for an eCommerce site with another front end for the client to connect to the SQL server to control the inventory, shipping, and ordering. Right now the SQL server is on the same box as the web server. I would think that wouldn't be a good idea now that I am thinking about it.
The web servers that we use now are hosted by another company and are on their network. We use software VPN (PPTP), host-to-host, connecting to the server via RDC for maintenance, administration, website development, etc.
E1V1S (Author) Commented:
Thank you for your detailed response. I never thought about putting the DMZ in a different domain. I will be setting this up on the weekend. I will let you know how it goes.
Relating to having your web server and SQL server on the same server, I would separate those roles if possible. Personally I use two DMZ zones, one with the web server front ends and the other with servers that contain the actual data, like SQL. That way only the web is exposed to the public and it pulls data from the SQL server. That way if the web server is compromised, it still only has access to the SQL server over the SQL protocol (since it is blocked by the firewall). That then limits the attack surface to only SQL, and can be limited as to what kind of queries or stored procedures can be run. So your actual data will not be compromised even if the web server is.

In our case we have the data mirrored from our internal databases to the SQL server in the second DMZ. It depends on how the data will be manipulated; we make all changes internally, and then the data that is displayed on the web site cannot be changed. Of course this all depends on your needs and the risk that you would be exposed to if your data was compromised.

I don't see an issue with using a remote VPN to manage the servers. That is what I would recommend. Using a VPN to connect and then managing from there is a secure way to accomplish this.
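To make the zone design in this answer concrete, here is an added example (not code from the thread or from any firewall vendor) that models the policy as a default-deny, first-match rule set with the 1:1 NAT applied before zone lookup, and then checks which flows a compromised web server could still open. All addresses, subnets and the SQL port are constructed assumptions.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import FrozenSet, Optional

# Constructed addressing (assumptions, not the asker's real network).
ZONES = {
    "DMZ_WEB": ip_network("192.0.2.0/24"),       # first DMZ: web front end
    "DMZ_DATA": ip_network("198.51.100.0/24"),   # second DMZ: SQL data
    "LAN": ip_network("10.0.0.0/24"),            # internal AD network
}
PUBLIC_WEB_IP = "203.0.113.10"   # assumed public address from the ISP block
WEB_SERVER = "192.0.2.10"
SQL_SERVER = "198.51.100.20"
STATIC_NAT = {PUBLIC_WEB_IP: WEB_SERVER}   # 1:1 mapping done on the firewall


@dataclass(frozen=True)
class Rule:
    src_zone: str
    dst_zone: str
    dst_host: Optional[str]      # None means any host in the zone
    ports: FrozenSet[int]


# Firewall policy: first match wins; anything not listed is denied.
RULES = [
    Rule("WAN", "DMZ_WEB", WEB_SERVER, frozenset({80, 443})),
    Rule("DMZ_WEB", "DMZ_DATA", SQL_SERVER, frozenset({1433})),  # SQL only
]


def zone_of(ip: str) -> str:
    addr = ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "WAN"   # anything outside the private zones is the internet


def allowed(src: str, dst: str, port: int) -> bool:
    """Translate the destination through static NAT, then evaluate the policy."""
    dst = STATIC_NAT.get(dst, dst)
    sz, dz = zone_of(src), zone_of(dst)
    if sz == dz:
        return True   # same subnet never crosses the firewall (the flat-LAN risk)
    return any(r.src_zone == sz and r.dst_zone == dz and port in r.ports
               and r.dst_host in (None, dst) for r in RULES)


def reachable_from(src: str, targets):
    """Return the (host, port) pairs a host could open; used for the compromise check."""
    return [(h, p) for h, p in targets if allowed(src, h, p)]
```

The `reachable_from` check shows the point of the second DMZ: from the web server only the SQL port on the data server is open, while a server placed on the LAN itself can reach every LAN host because that traffic never touches the firewall.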
E1V1S (Author) Commented:
Are all your servers physical servers or are some VMs? I only have three physical servers and want to get the most out of them. Is there any way to put a VM in the DMZ and not the physical server? I wouldn't think there would be, because all packets would be going through the host NIC in the long run.
With a VM host, just add more physical NICs connected to the DMZ network and put them in a separate vSwitch that is dedicated to the DMZ. You could use the same NIC and use VLANs, but I would recommend different physical NICs.