Tom Carr
Webserver DMZ Setup on a SonicWALL NSA220
Hi all,
Long time reader first time posting.
I have been asked to set up a web server inside a DMZ that can communicate with an internal database server. We have one external IP address available, with port 443 currently only being used for external access to the SonicWALL. The firewall is a SonicWALL NSA 220.
The web server will be a virtual Windows 2016 server sitting on ESXi on its own vSwitch, connected to a spare port on the SonicWALL which I will configure as a DMZ port. I'm assuming I can configure a rule on the SonicWALL that will allow ports 443 and 80 to be forwarded to this web server and allow the web server to only communicate with the database server over 1433.
An external vendor will be configuring the application that will be running on the web server.
Does this sound like a workable solution?
Tom
ASKER
I believe it will be used by about 20 people or so initially.
I will need to configure interface X3; do I set this to the DMZ zone and then configure the above firewall rules?
ASKER
Read this and let me know if there is anything on it you don't understand. This is for the DMZ part.
https://www.sonicwall.com/en-us/support/knowledge-base/170503805301641
ASKER
Hi,
Am I correct in thinking that for the solution mentioned in that article I would need more than one Public IP Address? I only have the one available.
Would it work if I set x3 into the DMZ Zone and gave it a static private IP address such as 192.168.40.1? I assume I can then create the mentioned firewall rules?
Hi Tom,
A reverse proxy is a good security option to protect a web application server. You can keep the reverse proxy server [Apache reverse proxy or IIS ARR] in the DMZ and keep the application server and database server in the LAN segment.
You can configure your gateway in the 3-leg method: one leg for WAN, one leg for DMZ and the other for LAN, with one public IP. If you have more than one web site, you can forward the HTTP port to the reverse proxy and configure routing rules at the reverse proxy to direct requests to the LAN application server according to the host header. Use a custom port for firewall external access. The best option is to close firewall external access and access it through VPN. You can allow the external vendor remote access through the VPN as well.
If you put your web server's IP as the DMZ IP, all external traffic will be routed to the web server,
so the best thing is to forward only 80 and 443 to the web server.
Create firewall rules as:
80 and 443 forwarded to DMZ [web server]
Open 1433, DMZ [web server] to LAN [database server]
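A check to run once those rules are in place, added here as an illustration rather than anything from the thread or from SonicWALL: it is run on the DMZ web server itself and confirms that 1433 to the database host is the only path into the LAN. The addresses (database server 10.0.0.20, another LAN host 10.0.0.21, the firewall's LAN interface 10.0.0.1) are assumptions for the example; substitute your own. It distinguishes a dropped connection (what a correct deny rule produces) from a refused one (a RST, meaning the firewall passed the packet and only the lack of a listener stopped it), because the second case is a policy gap that a plain "could not connect" test would hide.

```powershell
# Added example: run from the DMZ web server after the SonicWALL rules are in place.
# Addresses below are assumptions for illustration; substitute your own.
$DbServer   = '10.0.0.20'   # internal SQL Server in the LAN zone (assumed)
$OtherLan   = '10.0.0.21'   # any other LAN host (assumed)
$LanGateway = '10.0.0.1'    # SonicWALL X0 / LAN interface (assumed)

# Each entry states what the DMZ host should see for a target:port.
#   Open     - TCP handshake completed (rule allows it, service listening)
#   Refused  - RST came back: the firewall let the packet through, nothing listening
#   Filtered - no answer before the timeout: dropped by the firewall
# Anything other than Filtered on a "blocked" target means the policy is wider than intended.
$Checks = @(
    @{ Target = $DbServer;   Port = 1433; Want = 'Open';     Why = 'web server -> SQL must work' },
    @{ Target = $DbServer;   Port = 445;  Want = 'Filtered'; Why = 'no SMB from DMZ to the DB host' },
    @{ Target = $DbServer;   Port = 3389; Want = 'Filtered'; Why = 'no RDP from DMZ to the DB host' },
    @{ Target = $OtherLan;   Port = 1433; Want = 'Filtered'; Why = 'only the DB host, not the rest of the LAN' },
    @{ Target = $LanGateway; Port = 443;  Want = 'Filtered'; Why = 'no firewall management from the DMZ' }
)

function Get-TcpState {
    param([string]$Target, [int]$Port, [int]$TimeoutMs = 3000)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $ar = $client.BeginConnect($Target, $Port, $null, $null)
        # No reply within the timeout: the firewall silently dropped the SYN.
        if (-not $ar.AsyncWaitHandle.WaitOne($TimeoutMs)) { return 'Filtered' }
        $client.EndConnect($ar)      # throws SocketException when the peer sent a RST
        return 'Open'
    } catch [System.Net.Sockets.SocketException] {
        return 'Refused'
    } finally {
        $client.Close()
    }
}

function Test-DmzPolicy {
    param([hashtable[]]$Checks)
    foreach ($c in $Checks) {
        $state = Get-TcpState -Target $c.Target -Port $c.Port
        [pscustomobject]@{
            Target = $c.Target
            Port   = $c.Port
            Saw    = $state
            Want   = $c.Want
            Result = $(if ($state -eq $c.Want) { 'PASS' } else { 'FAIL' })
            Why    = $c.Why
        }
    }
}

Test-DmzPolicy -Checks $Checks | Format-Table -AutoSize
```

A FAIL on the 1433 row means the DMZ-to-LAN allow rule or the SQL Server listener is not right; a FAIL showing Refused on any of the other rows means the SonicWALL access rule from DMZ to LAN is broader than the single host/port intended and should be tightened before the vendor is given access.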