Sonicwall Setup

Currently, we have a few frontend web servers and a database server in the LAN. The frontend web servers need to contact the database server for data access. A NAT rule has been set up to map the public IP to the internal IPs of the web servers.

Due to security reasons, I am asked to move all web servers to a DMZ zone.

1. Suppose the original X0 is my internal network subnet and X1 is the WAN link. Do I just need to physically attach a switch to X2 and connect all web servers there?

2. How should I set up the firewall rules? Should I configure
      WAN  -> DMZ      : Allow
      DMZ  -> Internal : Allow

3. How should I set up the NAT rule?

For #2 & #3, is there any example to follow? Thanks
AXISHK asked:

Sajid Shaik M (System Admin) commented:
WAN - DMZ : Allow. Here the traffic coming directly from outside connects to the DMZ servers, restricted to specific service objects and address objects.

Internal - DMZ : Allow. Here, allow the specific internal network and specific ports, including AD directory services, so that SQL authentication etc. will work with that.

Additionally you can add SSO (Single Sign On) so users can authenticate with their AD privileges if necessary.

You should create a rule like:
[attached screenshot: 1.jpg]
AXISHK (Author) commented:
Should Internal - DMZ be changed to DMZ - Internal?

For internal (trust) -> DMZ (untrust), is traffic already allowed to go through?

Is there any similar scenario that I can follow?

Thanks
Sajid Shaik M (System Admin) commented:
There is only a DMZ; I believe the Internal is the LAN subnet?


AXISHK (Author) commented:
Yes, same as the diagram.
Oliver Kaiser (Systems Engineer) commented:
1. Suppose original X0 is my internal network subnet and X1 is WAN link. Just I need to physically attach a switch to X2 and connect all web servers there ?

It depends on your infrastructure. If you have a dedicated switch for DMZ services you would plug it into the firewall and let the firewall do the routing. If you use VLANs within your infrastructure you could use a tagged/trunk port to connect to the firewall. This way you would be able to have multiple networks connected to the firewall across a single (or bundled) link.

2. How should I set up the firewall rules? Should I configure
      WAN  -> DMZ      : Allow
      DMZ  -> Internal : Allow

The reason we build DMZs is to safeguard the internal network from systems that can be accessed from the WAN. For optimal security you should do the following:

Allow traffic from WAN to DMZ servers only on required ports (e.g. tcp/80, tcp/443 for a web server).
Allow traffic from DMZ to internal servers only on required ports (e.g. tcp/636, tcp/3306 for access from DMZ web servers to internal LDAP directories or database servers).

3. How should I set up the NAT rule?
It depends... I imagine you only have one public IP, which is assigned to your WAN-facing interface.
Do port forwarding to your servers with the ports required, not more and not less.
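The zone policy and port-forwarding advice above can be checked before it is typed into the firewall. The following Python model is an added example, not code from the thread or from SonicWall: it evaluates a packet against a DNAT table and a first-match zone policy with an implicit deny (a generic model, not SonicOS's exact evaluation order), and audits the policy for any-port allows from a less trusted zone into a more trusted one. All addresses, ports and host names are constructed for the example.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed example addressing (assumed, not from the original thread).
ZONES = {
    "LAN": ip_network("192.168.10.0/24"),   # X0, internal network
    "DMZ": ip_network("192.168.20.0/24"),   # X2, web servers
}
WAN_IP = ip_address("203.0.113.10")         # public IP on X1 (documentation range)
DMZ_WEB = ip_address("192.168.20.11")       # a DMZ web server
LAN_DB = ip_address("192.168.10.5")         # the internal database server


def zone_of(ip):
    """Map an address to its zone; anything outside LAN/DMZ is treated as WAN."""
    ip = ip_address(str(ip))
    for name, net in ZONES.items():
        if ip in net:
            return name
    return "WAN"


@dataclass(frozen=True)
class Rule:
    src_zone: str
    dst_zone: str
    dst_ports: frozenset   # empty set means any port
    action: str            # "allow" or "deny"


# Least-privilege zone policy following the answer above: only the
# required ports from WAN into DMZ and from DMZ into LAN; LAN may reach
# DMZ and WAN freely; everything else falls through to the implicit deny.
POLICY = [
    Rule("WAN", "DMZ", frozenset({80, 443}), "allow"),
    Rule("DMZ", "LAN", frozenset({636, 3306}), "allow"),
    Rule("LAN", "DMZ", frozenset(), "allow"),
    Rule("LAN", "WAN", frozenset(), "allow"),
]

# Port forwards on the single public IP: (public ip, port) -> (DMZ host, port).
PORT_FORWARDS = {
    (WAN_IP, 80): (DMZ_WEB, 80),
    (WAN_IP, 443): (DMZ_WEB, 443),
}


def translate(dst_ip, dst_port):
    """Apply destination NAT if a forward exists; otherwise leave the packet untouched."""
    return PORT_FORWARDS.get((ip_address(str(dst_ip)), dst_port), (ip_address(str(dst_ip)), dst_port))


def evaluate(src_ip, dst_ip, dst_port, policy=POLICY):
    """Translate first, then apply the first matching zone rule; no match means deny.

    Returns (action, "SRC->DST") so the caller can see which zone pair was matched.
    """
    real_ip, real_port = translate(dst_ip, dst_port)
    src_zone, dst_zone = zone_of(src_ip), zone_of(real_ip)
    for r in policy:
        if (r.src_zone == src_zone and r.dst_zone == dst_zone
                and (not r.dst_ports or real_port in r.dst_ports)):
            return r.action, f"{src_zone}->{dst_zone}"
    return "deny", f"{src_zone}->{dst_zone} (implicit)"


def audit(policy):
    """Flag allow rules that open every port from a less trusted zone into a more trusted one."""
    trust = {"WAN": 0, "DMZ": 1, "LAN": 2}
    findings = []
    for r in policy:
        if r.action == "allow" and trust[r.src_zone] < trust[r.dst_zone] and not r.dst_ports:
            findings.append(f"{r.src_zone}->{r.dst_zone} allows every port; restrict it to the required services")
    return findings


if __name__ == "__main__":
    print(evaluate("198.51.100.7", WAN_IP, 443))    # WAN client to forwarded HTTPS: allow
    print(evaluate("198.51.100.7", WAN_IP, 22))     # no forward, no rule: deny
    print(evaluate(DMZ_WEB, LAN_DB, 3306))          # web server to database: allow
    print(evaluate(DMZ_WEB, LAN_DB, 445))           # web server to SMB on LAN: deny
    print(audit(POLICY + [Rule("DMZ", "LAN", frozenset(), "allow")]))
```

Run it as-is to see the four verdicts and the audit finding; swapping the port sets in POLICY for your own service objects turns it into a quick regression check for the rules you intend to create in the SonicWall.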

Sajid Shaik M (System Admin) commented:
Just follow the wizard's DMZ configuration, and web publishing will be enough, I believe.

All the best.
AXISHK (Author) commented:
Thanks