Adi B
asked on
What is the best network setup on DMZ web servers for internal users?
Hi,
So our company has a web server which is placed in the DMZ for public users to access via the internet. At the same time, this website is also accessed by our internal users. My interest is to protect our internal network, so I'm in limbo as to how this setup should be configured.
I have two options which I thought of:
A - Give DMZ IP on the web server and internal users routed to DMZ zone when they visit the website. (One way route LAN->DMZ)
B - Give both a DMZ and an internal IP (two separate NICs), but internal users use the internal IP and the public uses the DMZ IP. However, I fear this might make our internal network vulnerable if the server is compromised.
What's the best practice here? I'm open to other suggestions as well.
Thanks!
Just a postscript to the earlier comments: it's worth putting a pinpoint zone on your internal DNS for your website to reflect the DMZ address of the site, i.e. create a zone www.externaldomain.com with the A record of the parent pointing to the DMZ server's IP. This stops any issues with hairpinning on the firewall, where internal clients receive the external NATed address of the server and have to U-turn on the firewall's external interface. This page gives an Exchange-centric guide, but the principle is the same... http://www.msexchange.org/articles-tutorials/exchange-server-2010/mobility-client-access/using-pinpoint-dns-zones-exchange-2010.html
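The pinpoint zone described in the comment above, as an added example for a Windows DNS server using the DnsServer module (this is not code from the thread; the hostname www.externaldomain.com and the DMZ address 192.0.2.10 are placeholders, and an Active Directory-integrated zone is assumed):

```powershell
# Added example, not from the original thread.
# Placeholders: the public site name and the DMZ-side address of the web server.
$hostName = 'www.externaldomain.com'
$dmzIp    = '192.0.2.10'   # constructed documentation-range address

# 1. Create a zone whose name is the full hostname. Only this one name is
#    overridden internally; every other record under externaldomain.com still
#    resolves through the public DNS as before.
#    (-ReplicationScope assumes AD-integrated DNS; use -ZoneFile for a file-backed zone.)
Add-DnsServerPrimaryZone -Name $hostName -ReplicationScope 'Domain'

# 2. Put the A record at the zone apex ('@'), i.e. the "parent" of the zone,
#    pointing at the DMZ address rather than the public NATed address.
Add-DnsServerResourceRecordA -ZoneName $hostName -Name '@' -IPv4Address $dmzIp

# 3. Check from the DNS server: internal clients should now receive the DMZ
#    address, so their traffic goes LAN -> DMZ instead of hairpinning on the
#    firewall's external interface.
Resolve-DnsName -Name $hostName -Type A -Server 'localhost' |
    Where-Object { $_.Type -eq 'A' } |
    Select-Object Name, IPAddress
```

If the site also uses an alias such as the bare externaldomain.com, each such hostname needs its own pinpoint zone; a pinpoint zone never covers sibling names.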