Sonicwall Setup

Currently, we have a few frontend web servers and a database server in the LAN. The frontend web servers need to contact the database server for data access. A NAT rule has been set up to map a public IP to the internal IP of the web servers.

For security reasons, I have been asked to move all web servers to the DMZ zone.

1. Suppose the original X0 is my internal network subnet and X1 is the WAN link. Do I just need to physically attach a switch to X2 and connect all web servers there?

2. How should I set up the firewall rules? Should I configure
      WAN  -> DMZ      : Allow
      DMZ  -> Internal : Allow

3. How should I set up the NAT rule?

For #2 and #3, is there any example to follow? Thanks
AXISHK asked:

Sajid Shaik M, Sr. System Admin, commented:
WAN -> DMZ: Allow. Here the traffic coming directly from outside connects to the DMZ servers only via specific service objects and address objects.

Internal -> DMZ: Allow. Here you allow the specific internal network and specific ports, together with AD directory services, so that SQL authentication etc. will work.

Additionally, you can add SSO (Single Sign-On) so users can authenticate with their AD privileges if necessary.

You should create a rule like the one in the attached screenshot (1.jpg).
AXISHK (author) commented:
Should Internal -> DMZ be changed to DMZ -> Internal?

For Internal (trusted) -> DMZ (untrusted), is traffic already allowed to go through?

Is there any similar scenario that I can follow?

Thanks
Sajid Shaik M, Sr. System Admin, commented:
There is only a DMZ; I believe the Internal is the LAN subnet?
AXISHK (author) commented:
Yes, same as the diagram.
Oliver Kaiser, Systems Engineer, commented:
1. Suppose the original X0 is my internal network subnet and X1 is the WAN link. Do I just need to physically attach a switch to X2 and connect all web servers there?

It depends on your infrastructure. If you have a dedicated switch for DMZ services, you would plug it into the firewall and let the firewall do the routing. If you use VLANs within your infrastructure, you could use a tagged/trunk port to connect to the firewall. This way you would be able to have multiple networks connected to the firewall across a single (or bundled) link.

2. How should I set up the firewall rules? Should I configure
      WAN  -> DMZ      : Allow
      DMZ  -> Internal : Allow

The reason we build DMZs is to safeguard the internal network from systems that can be accessed from the WAN. For optimal security you should do the following:

Allow traffic from WAN to DMZ servers only on required ports (e.g. tcp/80, tcp/443 for a web server).
Allow traffic from DMZ to internal servers only on required ports (e.g. tcp/636, tcp/3306 for access from DMZ web servers to internal LDAP directories or database servers).

3. How should I set up the NAT rule?
It depends... I imagine you only have one public IP, which is assigned to your WAN-facing interface.
Do port forwarding to your servers with the ports required, not more and not less.
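To make the zone design in this answer concrete, here is an added Python model (not SonicWall configuration and not code from the original thread) that encodes the port forwards and the two allow rules with an implicit deny, then evaluates sample flows. The interface subnets, the public address and the server addresses are constructed values.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

@dataclass(frozen=True)
class Rule:
    src_zone: str
    dst_zone: str
    proto: str
    dst_ports: frozenset   # empty set means any port
    action: str            # "allow" or "deny"

# Interface subnets (constructed values): X0 = LAN, X2 = DMZ; X1 carries the WAN.
ZONES = {
    "LAN": ip_network("192.168.10.0/24"),
    "DMZ": ip_network("192.168.20.0/24"),
}
PUBLIC_IP = "198.51.100.1"   # assumed single public address on X1

# Inbound NAT (port forwarding): only the ports the web server must expose.
NAT = {
    (PUBLIC_IP, "tcp", 80): ("192.168.20.10", 80),
    (PUBLIC_IP, "tcp", 443): ("192.168.20.10", 443),
}

# Access rules from the answer; anything not matched hits the implicit deny.
POLICY = [
    Rule("WAN", "DMZ", "tcp", frozenset({80, 443}), "allow"),
    Rule("DMZ", "LAN", "tcp", frozenset({636, 3306}), "allow"),
]

def zone_of(addr: str) -> str:
    ip = ip_address(addr)
    for name, net in ZONES.items():
        if ip in net:
            return name
    return "WAN"   # anything not on an internal interface is WAN side

def evaluate(src_ip: str, dst_ip: str, proto: str, dst_port: int) -> tuple:
    """Return (action, translated_dst_ip, translated_dst_port)."""
    # NAT is applied first, so the access rule is matched on the DMZ address.
    dst_ip, dst_port = NAT.get((dst_ip, proto, dst_port), (dst_ip, dst_port))
    src_zone, dst_zone = zone_of(src_ip), zone_of(dst_ip)
    for r in POLICY:
        if (r.src_zone, r.dst_zone, r.proto) == (src_zone, dst_zone, proto) \
                and (not r.dst_ports or dst_port in r.dst_ports):
            return (r.action, dst_ip, dst_port)
    return ("deny", dst_ip, dst_port)   # implicit default deny
```

Note that a WAN client can never reach a LAN address directly: there is no WAN -> LAN rule, so such a flow falls through to the implicit deny.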
Sajid Shaik M, Sr. System Admin, commented:
Just follow the wizard's DMZ configuration and web publishing; that will be enough, I believe.

All the best.
AXISHK (author) commented:
Thanks