Tom Carr (United Kingdom)
Webserver DMZ Setup on a SonicWALL NSA220

Hi all,

Long time reader, first time posting.

I have been asked to set up a web server inside a DMZ that can communicate with an internal database server. We have one external IP address available, with port 443 currently only being used for external access to the SonicWALL. The firewall is a SonicWALL NSA 220.

The web server will be a virtual Windows 2016 server sat on ESXi on its own vSwitch, connected to a spare port on the SonicWALL which I will configure as a DMZ port. I'm assuming I can configure a rule on the SonicWALL that will allow ports 443 and 80 to be forwarded to this web server and allow the web server to only communicate with the database server over 1433.

An external vendor will be configuring the application that will be running on the web server.

Does this sound like a workable solution?

Tom
Pushpakumara Mahagamage (Sri Lanka)

Technically possible. How many users do you have for your application?
If you put your web server IP as the DMZ IP, all external traffic will route to the web server,
so the best thing is to forward only 80 and 443 to the web server.

Create firewall rules as:

80 and 443: forward to DMZ [web server]
Open 1433: DMZ [web server] to LAN [database server]
Tom Carr (asker)

I believe it will be used by about 20 people or so initially.

I will need to configure interface X3, do I set this to the DMZ zone then configure the above firewall rules?
It's these options I'm not too sure about at the moment.

I imagine I set the Zone to be DMZ but I'm not sure which setting to use for Mode / IP Assignment.

[User generated image]
I'm quite new to SonicWALL and firewalls in general.
Read this and let me know if you can't understand anything on it. This is for the DMZ part.

https://www.sonicwall.com/en-us/support/knowledge-base/170503805301641
Hi,

Am I correct in thinking that for the solution mentioned in that article I would need more than one Public IP Address? I only have the one available.

Would it work if I set X3 into the DMZ zone and gave it a static private IP address such as 192.168.40.1? I assume I can then create the mentioned firewall rules?
ASKER CERTIFIED SOLUTION
Blue Street Tech (United States)

(This solution is only available to members.)
Hi Tom,

A reverse proxy is a good security option to protect a web application server. You can keep the reverse proxy server [Apache reverse proxy or IIS ARR] in the DMZ and keep the application server and database server in the LAN segment.
You can configure your gateway as a 3-leg method: one leg for WAN, one leg for DMZ and the other for LAN, with one public IP. If you have more than one web site, you can forward the HTTP port to the reverse proxy and configure routing rules at the reverse proxy to direct requests to the LAN application server according to the host header. Use a custom port for firewall external access. The best option is to close firewall external access and access it through VPN. You can allow the external vendor remote access through the VPN as well.
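As an added illustration (not from the thread, SonicWALL, or either answerer), here is a small Python model of the zone policy the two answers describe: inbound 80/443 forwarded only to the web server, the web server allowed to reach the database server on 1433 only, and everything else denied, shown beside the all-ports "DMZ host" variant the first answer warns against. Only the 192.168.40.0/24 DMZ range comes from the thread; the LAN range and the two host addresses are assumptions.

```python
from dataclasses import dataclass
from ipaddress import IPv4Address, ip_address, ip_network
from typing import Optional

WAN, DMZ, LAN = "WAN", "DMZ", "LAN"
# Constructed addresses: 192.168.40.0/24 is the DMZ range the asker proposed for
# X3; the LAN range and both host addresses are assumptions for this example.
ZONES = {DMZ: ip_network("192.168.40.0/24"), LAN: ip_network("192.168.1.0/24")}
WEB_SERVER = ip_address("192.168.40.10")  # assumed DMZ web server
DB_SERVER = ip_address("192.168.1.20")    # assumed LAN database server


def zone_of(addr: IPv4Address) -> str:
    """Map an address to a zone; anything outside the internal ranges is WAN."""
    for name, net in ZONES.items():
        if addr in net:
            return name
    return WAN


@dataclass(frozen=True)
class Rule:
    src_zone: str
    dst_zone: str
    src_host: Optional[IPv4Address]  # None = any host in the source zone
    dst_host: Optional[IPv4Address]  # None = any host in the destination zone
    ports: frozenset                 # empty = any TCP port


# The rule set the answers describe: inbound 80/443 forwarded to the web server
# (modelled after NAT, i.e. the public IP already translated to WEB_SERVER),
# web server to database server on 1433 only, everything else denied.
RECOMMENDED = [
    Rule(WAN, DMZ, None, WEB_SERVER, frozenset({80, 443})),
    Rule(DMZ, LAN, WEB_SERVER, DB_SERVER, frozenset({1433})),
]
# The weaker "DMZ host" style the first answer warns against: every inbound port
# reaches the web server, not just 80 and 443.
DMZ_HOST_ALL_PORTS = [
    Rule(WAN, DMZ, None, WEB_SERVER, frozenset()),
    Rule(DMZ, LAN, WEB_SERVER, DB_SERVER, frozenset({1433})),
]


def allowed(rules, src: str, dst: str, port: int) -> bool:
    """True if some rule permits TCP src -> dst:port; no match means denied."""
    s, d = ip_address(src), ip_address(dst)
    for r in rules:
        if (r.src_zone, r.dst_zone) != (zone_of(s), zone_of(d)):
            continue
        if r.src_host not in (None, s) or r.dst_host not in (None, d):
            continue
        if r.ports and port not in r.ports:
            continue
        return True
    return False
```

Running `allowed(RECOMMENDED, "203.0.113.5", "192.168.40.10", 443)` against `allowed(DMZ_HOST_ALL_PORTS, "203.0.113.5", "192.168.40.10", 3389)` shows the difference between the two rule sets: the first exposes only the web ports, the second exposes every listening service on the web server.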