Web Server DMZ and SQL connection configuration.

I am setting up an environment with 2 servers: 1 web server that will be in the DMZ and requires SQL and HTTPS access to a SQL server located on the corp LAN. I currently have the web server on the domain and researched that this was a bad idea due to having to authenticate with an AD server. The forums I saw this on were from '09. Is this still the case, or is there a better way to have a DMZ'd web server with domain access? Does this look right, or am I doing this the hard way?

DMZ gateway 10.10.10.1
WAN<>FIREWALL1(Webserver DMZ WAN 4.4.4.4)<>DMZ SWITCH<>Webserver (internal lan ip 10.10.10.10)
WAN<>FIREWALL1(WAN 6.6.6.6)<>LAN<>SQL server (192.168.1.10)

Firewall rules on FIREWALL1
Forward 443 to 10.10.10.10 from DMZ, allow all
Forward 1433 to 10.10.10.10 from DMZ, only allow 6.6.6.6
Block all other ports

Forward 443 and 1433 to 192.168.1.10 on 6.6.6.6
Allow 443 and 1433 only from WAN 4.4.4.4
Larry Kiterling asked:
naderz commented:
The general rule is to NOT allow any traffic initiated from outside (or DMZ) to the inside. The web server should not need to be connected to AD. It should be a stand-alone server in the DMZ.

What you have described above is generally achieved by a three-layer DMZ topology. You will have three firewalls: the web server sits between the outside firewall and the DMZ firewall. A stand-alone SQL server sits between the DMZ firewall and the inside firewall. The only allowed traffic from outside-in will be: WAN <-> web server; web server <-> DMZ SQL server; DMZ SQL server <-> internal SQL server.

If that is not doable due to cost or budget, then set up the web server as a stand-alone server in the DMZ and allow only a 443 connection between it and the SQL server inside, with the web server identifying itself to the SQL server with an installed certificate.
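A way to check a rule set like the one in the question against the advice in the answer before putting it on the firewall, added here as an example and not part of the original question or of naderz's reply: a small Python model of the forwarding policy for the fallback layout (web server stand-alone in the DMZ, allowed to initiate only TCP/1433 to the SQL server, nothing else from the DMZ into the LAN), a flow matrix run through it, and an nftables rendering of the same rules. The addresses 10.10.10.10, 192.168.1.10 and 4.4.4.4 come from the question; the internet source 203.0.113.5, the domain-controller address 192.168.1.5, the restriction to port 1433, and a stateful firewall that admits return traffic are my assumptions.

```python
"""Model of the DMZ forwarding policy with a flow checker (added example).

10.10.10.10 (web server, DMZ) and 192.168.1.10 (SQL server, corp LAN) are the
addresses from the question. The rule set is the fallback layout from the
answer as I would apply it: the web server is stand-alone, may initiate only
TCP/1433 to the SQL server, and nothing else from the DMZ may start a
connection into the LAN. Assumed: a stateful firewall, so only the initiating
packet of a flow is matched and return traffic is admitted by the
established,related rule.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional

WEB = ipaddress.ip_address("10.10.10.10")           # web server, DMZ
SQL = ipaddress.ip_address("192.168.1.10")          # SQL server, corp LAN
DMZ_NET = ipaddress.ip_network("10.10.10.0/24")
LAN_NET = ipaddress.ip_network("192.168.1.0/24")
ANY = ipaddress.ip_network("0.0.0.0/0")
WAN_WEB_VIP = "4.4.4.4"   # public address that DNATs to the web server


def host(addr):
    """Single-address network usable as a rule match."""
    return ipaddress.ip_network(f"{addr}/32")


@dataclass(frozen=True)
class Rule:
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport: Optional[int]      # TCP destination port; None matches any port
    action: str               # "accept" or "drop"
    comment: str = ""


# First match wins; anything unmatched falls through to DEFAULT_ACTION.
POLICY = [
    Rule(ANY, host(WEB), 443, "accept", "internet to web server: HTTPS only"),
    Rule(host(WEB), host(SQL), 1433, "accept", "web server to SQL server only"),
    Rule(DMZ_NET, LAN_NET, None, "drop", "nothing else from DMZ into the LAN"),
    Rule(ANY, host(WEB), None, "drop", "no other inbound to the web server"),
]
DEFAULT_ACTION = "drop"


def evaluate(src, dst, dport):
    """Decision for the first packet of a new TCP connection src -> dst:dport."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for rule in POLICY:
        if s in rule.src and d in rule.dst and rule.dport in (None, dport):
            return rule.action
    return DEFAULT_ACTION


def render_nft(policy=POLICY):
    """nftables text: DNAT of the public VIP plus the forward chain."""
    lines = [
        "table inet dmz {",
        "  chain prerouting {",
        "    type nat hook prerouting priority -100;",
        f"    ip daddr {WAN_WEB_VIP} tcp dport 443 dnat ip to {WEB}",
        "  }",
        "  chain forward {",
        f"    type filter hook forward priority 0; policy {DEFAULT_ACTION};",
        "    ct state established,related accept",   # return traffic only
    ]
    for r in policy:
        parts = []
        if r.src != ANY:
            parts.append(f"ip saddr {r.src}")
        if r.dst != ANY:
            parts.append(f"ip daddr {r.dst}")
        if r.dport is not None:
            parts.append(f"tcp dport {r.dport}")
        lines.append(f'    {" ".join(parts)} {r.action} comment "{r.comment}"')
    lines += ["  }", "}"]
    return "\n".join(lines)


# Constructed flow matrix: the connections this design must allow or refuse.
FLOWS = [
    ("203.0.113.5", WEB, 443, "internet user to the site"),
    ("203.0.113.5", WEB, 1433, "internet host probing SQL on the web server"),
    (WEB, SQL, 1433, "web app to SQL server"),
    (WEB, "192.168.1.5", 389, "web server to a domain controller (LDAP)"),
    (WEB, "192.168.1.5", 88, "web server to a domain controller (Kerberos)"),
    ("203.0.113.5", SQL, 1433, "internet host straight to the SQL server"),
]

if __name__ == "__main__":
    for s, d, p, why in FLOWS:
        print(f"{evaluate(s, d, p):6} {s} -> {d}:{p}  ({why})")
    print(render_nft())
```

The two domain-controller flows are the ones that a domain-joined web server would need, so they are the easiest way to see why the stand-alone recommendation and the "nothing else from the DMZ into the LAN" rule go together: with the web server off the domain, those flows can stay dropped. Note that rule 1 accepts 443 to the web server from any source, including the LAN, which is what you want for internal users reaching the site by its DMZ address.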
