How to configure web server on DMZ to speak to internal SQL server on Domain


I am implementing a web-accessible solution that requires authentication and read/write to an internal Domain SQL 2012 server. Both servers are VMs on ESXi 5.1U2, on the same VMware host. I created the Web App server with (2) NICs - one NIC using a DMZ IP and the other NIC using an internal domain IP. I have read this is called 'dual homing', but I may be incorrect.

I need to protect my internal servers from unauthorized access via the public facing web server on the DMZ, yet still have access from internal network to RDP to the DMZ web server as well as allow the web server to access the internal SQL server on the domain (using domain credentials of course).

Does anyone have experience with this? Is this the proper method for this purpose?

Thanks for your assistance.
Michael Machie (IT Supervisor) asked:

David Johnson, CD, MVP (Owner) commented:
Your internal network needs to open port 1433 from the web server to the SQL server machine, and port 88 TCP/UDP for Kerberos from the web server to a domain controller.
Dan McFadden (Systems Engineer) commented:
As David mentioned, you need to open a set of specific ports to allow the web server to communicate with the "protected" servers/services.

*** I highly recommend to NOT use a dual homed web server ***

The reason is that a dual-homed web server is essentially a bridge between the DMZ and your internal network, bypassing any security devices (router/firewall) in between. If this server were to be compromised, processes running on it could potentially see both networks, making it a jump point for compromising your entire infrastructure.

You need to control traffic between the web server and db/dc via routing and firewalls.

Attached is an image of a way to deploy such a network.

There are 4 networks identified:
1. Outer Network: this is your forward-facing external interface, the wild Internet.
2. DMZ Network: this is where your web servers live, and the only destination that traffic from outside can go to.
3. pDMZ Network (protected DMZ): only traffic sourcing from DMZ addresses can enter, through well-defined ports (see David's post above).
4. LAN/Internal Network: highly protected network. No Internet-sourced traffic in; only sessions whose origin is the LAN Network.

The way access would be allowed would be:
1. source = Internet (anonymous or *) TO destination = DMZ, 80/tcp & 443/tcp
2. source = DMZ TO destination = pDMZ, 1433/tcp (SQL) & 88/tcp/udp (Kerberos), possibly 636/tcp (secure LDAP)
3. source = LAN TO destination = *, ftp, http(s), smtp, etc.

This, IMO, is the best way to implement or deploy.

The DC in the pDMZ could be an ADFS proxy and then the pDMZ DC would live on the LAN Network.  There are several variants of this design.
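As an added illustration (not code from this thread or from either commenter), the following Python models the zone policy Dan describes: it maps addresses to zones using constructed sample ranges, encodes the three allow rules with default deny, and lets you check a proposed flow (such as the SQL, Kerberos and admin RDP paths from the question) before committing it to a real firewall. Note that a dual-homed web server never passes through such a check at all, because its second interface already sits inside the LAN zone.

```python
import ipaddress

# Constructed sample address ranges for Dan's zones (assumed, not from the thread).
# Anything outside these ranges is treated as the Outer/Internet network.
ZONES = {
    "DMZ": ipaddress.ip_network("192.0.2.0/24"),
    "pDMZ": ipaddress.ip_network("198.51.100.0/24"),
    "LAN": ipaddress.ip_network("10.0.0.0/8"),
}

def zone_of(ip):
    """Return the zone name an address belongs to, or INTERNET if none match."""
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "INTERNET"

# Allow rules as (src_zone, dst_zone, proto, port); "*" matches anything.
# Order does not matter because everything not listed is denied.
RULES = [
    ("INTERNET", "DMZ", "tcp", 80),
    ("INTERNET", "DMZ", "tcp", 443),
    ("DMZ", "pDMZ", "tcp", 1433),   # SQL Server
    ("DMZ", "pDMZ", "tcp", 88),     # Kerberos
    ("DMZ", "pDMZ", "udp", 88),     # Kerberos
    ("DMZ", "pDMZ", "tcp", 636),    # secure LDAP
    ("LAN", "*", "*", "*"),         # sessions originating on the LAN
]

def is_allowed(src_ip, dst_ip, proto, port):
    """True only if some rule explicitly permits a new session src -> dst."""
    src, dst = zone_of(src_ip), zone_of(dst_ip)
    for r_src, r_dst, r_proto, r_port in RULES:
        if (r_src == src and r_dst in ("*", dst)
                and r_proto in ("*", proto) and r_port in ("*", port)):
            return True
    return False

def audit(flows):
    """Evaluate (src, dst, proto, port) tuples and return those the policy denies."""
    return [f for f in flows if not is_allowed(*f)]
```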


Michael Machie (IT Supervisor, Author) commented:
Both comments addressed the two different concerns/ questions I had.

@David: Thanks for providing the port info
@Dan: Thanks for confirming and expanding upon David's port info and also for providing the extra info on setting this up without dual-homing, which I was hesitant to use in the first place. I do not have a pDMZ and cannot set one up in this customer's environment.

Thanks guys!