Adi B

asked on

What is the best network set up on DMZ web servers for internal users?

Hi,

So our company has a web server which is placed in the DMZ for public users to access via the internet. At the same time, this website is also accessed by our internal users. My interest is to protect our internal network, so I'm in limbo as to how this setup should be configured.

I have two options which I thought of:

A - Give DMZ IP on the web server and internal users routed to DMZ zone when they visit the website. (One way route LAN->DMZ)
B - Give both DMZ and Internal IP (two separate NICs) but internal users use the internal IP and public uses the DMZ IP. However, I fear this might make our internal network vulnerable if the server is compromised.

What's the best practice here? I'm open to other suggestions as well.

Thanks!
ASKER CERTIFIED SOLUTION
lruiz52
ASKER

Thanks! I know my question is rather close-ended. However, I'd appreciate it if some insights could be added to the option picked (for educational purposes), or if there are any other angles to approach this situation.

Just a postscript to the earlier comments: it's worth putting a pinpoint zone on your internal DNS for your website to reflect the DMZ address of the site, i.e. create a zone www.externaldomain.com with the A record of the parent pointing to the DMZ server's IP. This stops any issues with hairpinning on the firewall, where internal clients receive the external NATed address of the server and have to U-turn on the firewall's external interface. This page gives an Exchange-centric guide, but the principle is the same... http://www.msexchange.org/articles-tutorials/exchange-server-2010/mobility-client-access/using-pinpoint-dns-zones-exchange-2010.html
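
The pinpoint zone described in the comment above, as an added example that is not part of the original thread. It assumes an internal Windows DNS server with the DnsServer PowerShell module and an AD-integrated zone; `192.0.2.10` is a placeholder for the web server's DMZ address, and the five-minute TTL is an arbitrary choice.

```powershell
# Added example; run on the internal DNS server.
# Zone name is taken from the post; the IP is a placeholder (documentation range).
$ZoneName = 'www.externaldomain.com'
$DmzIp    = '192.0.2.10'   # replace with the web server's real DMZ address

# The zone is named after the single host, so the internal DNS server becomes
# authoritative for that one name only. Every other name under
# externaldomain.com keeps resolving through the normal forwarders, which is
# the difference from hosting a full split-brain copy of the external zone.
if (-not (Get-DnsServerZone -Name $ZoneName -ErrorAction SilentlyContinue)) {
    # Assumption: AD-integrated DNS. Use -ZoneFile instead for a file-backed zone.
    Add-DnsServerPrimaryZone -Name $ZoneName -ReplicationScope 'Forest'
}

# A record at the zone apex ("@" is the parent of the zone, i.e. the host name itself).
$apex = Get-DnsServerResourceRecord -ZoneName $ZoneName -Name '@' -RRType A `
            -ErrorAction SilentlyContinue
if (-not $apex) {
    Add-DnsServerResourceRecordA -ZoneName $ZoneName -Name '@' `
        -IPv4Address $DmzIp -TimeToLive 00:05:00
}

# Verify against this server: internal clients should receive only the DMZ
# address. If the external NATed address still comes back, clients will keep
# hairpinning on the firewall's external interface.
$answer = Resolve-DnsName -Name $ZoneName -Type A -Server 127.0.0.1 -DnsOnly
$ips = @($answer | Where-Object { $_.Type -eq 'A' } |
         Select-Object -ExpandProperty IPAddress)

if ($ips.Count -eq 1 -and $ips[0] -eq $DmzIp) {
    "OK: $ZoneName resolves internally to $DmzIp"
} else {
    Write-Warning "$ZoneName resolves to [$($ips -join ', ')], expected only $DmzIp"
}
```

Internal clients that cached the external address keep using it until the old record's TTL expires or their resolver cache is flushed.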