Webserver DMZ Setup on a SonicWALL NSA220

Hi all,

Long time reader first time posting.

I have been asked to set up a web server inside a DMZ that can communicate with an internal database server. We have one external IP address available, with port 443 currently only being used for external access to the SonicWALL. The firewall is a SonicWALL NSA 220.

The web server will be a virtual Windows 2016 server sat on ESXi on its own vSwitch, connected to a spare port on the SonicWALL which I will configure as a DMZ port. I'm assuming I can configure a rule on the SonicWALL that will allow ports 443 and 80 to be forwarded to this web server and allow the web server to only communicate with the database server over 1433.

An external vendor will be configuring the application that will be running on the web server.

Does this sound like a workable solution?

Tom Carr (Client Satisfaction Specialist) asked:

Pushpakumara Mahagamage (VP) commented:
Technically possible. How many users do you have for your application?
If you put your web server IP as the DMZ IP, all external traffic will route to the web server,
so the best thing is to forward only 80 and 443 to the web server.

Create firewall rules as:

80 and 443: forward to DMZ [web server]
Open 1433: DMZ [web server] to LAN [database server]
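To make the rule set above concrete, here is an added example (not code from the original thread or from SonicWALL) that models the three-leg policy as a first-match, default-deny access-rule table and evaluates sample flows against it. The subnets, host addresses and the rule order are constructed assumptions chosen to match the thread: one public IP, a web server on a DMZ leg, a database server on the LAN. It is a review aid for checking that only the intended flows are open, not SonicOS configuration.

```python
"""Model of the DMZ / LAN / WAN access policy described in the thread.

Constructed example: addresses and zones are assumptions, not the poster's
real network. Rules are evaluated top-down, first match wins, and an explicit
catch-all deny closes everything the thread does not open.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, FrozenSet, List, Optional, Tuple

# Assumed private addressing for the DMZ leg (X3) and the LAN leg.
ZONES = {
    "DMZ": ip_network("10.20.0.0/24"),    # constructed DMZ subnet on X3
    "LAN": ip_network("192.168.1.0/24"),  # constructed internal subnet
}
WEB_SERVER = "10.20.0.10"     # constructed DMZ web server address
DB_SERVER = "192.168.1.50"    # constructed LAN database server address


def zone_of(addr: str) -> str:
    """Map an address to its zone; anything outside the private legs is WAN."""
    ip = ip_address(addr)
    for name, net in ZONES.items():
        if ip in net:
            return name
    return "WAN"


@dataclass(frozen=True)
class Rule:
    src_zone: str                 # "*" matches any zone
    dst_zone: str
    dst_host: Optional[str]       # None = any host in dst_zone
    ports: FrozenSet[int]         # TCP destination ports; empty = any port
    action: str                   # "allow" or "deny"


# The two rules the thread lists, in order, then default deny.
RULES: List[Rule] = [
    Rule("WAN", "DMZ", WEB_SERVER, frozenset({80, 443}), "allow"),
    Rule("DMZ", "LAN", DB_SERVER, frozenset({1433}), "allow"),
    Rule("*", "*", None, frozenset(), "deny"),
]


def evaluate(src: str, dst: str, port: int) -> str:
    """Return the action of the first rule matching (src, dst, port)."""
    src_zone, dst_zone = zone_of(src), zone_of(dst)
    for rule in RULES:
        if rule.src_zone not in ("*", src_zone):
            continue
        if rule.dst_zone not in ("*", dst_zone):
            continue
        if rule.dst_host is not None and rule.dst_host != dst:
            continue
        if rule.ports and port not in rule.ports:
            continue
        return rule.action
    return "deny"  # unreachable with the catch-all rule, kept as a safety net


def allowed_flows(hosts: List[str], ports: List[int]) -> List[Tuple[str, str, int]]:
    """Enumerate every (src, dst, port) the policy permits among the given hosts.

    Reviewing this list is the least-privilege check: each entry should be a
    flow the application actually needs, and nothing else should appear.
    """
    return [
        (src, dst, port)
        for src in hosts
        for dst in hosts
        if src != dst
        for port in ports
        if evaluate(src, dst, port) == "allow"
    ]


def audit(flows: List[Tuple[str, str, int]]) -> Dict[Tuple[str, str, int], str]:
    """Evaluate a list of sample flows and return their verdicts."""
    return {flow: evaluate(*flow) for flow in flows}


if __name__ == "__main__":
    internet_client = "203.0.113.7"   # constructed external address
    lan_workstation = "192.168.1.20"  # constructed LAN host
    hosts = [internet_client, WEB_SERVER, DB_SERVER, lan_workstation]
    for flow, verdict in audit(allowed_flows(hosts, [80, 443, 1433, 3389])).items():
        print(f"{flow[0]} -> {flow[1]}:{flow[2]}  {verdict}")
```

Running it lists exactly two permitted flows for that host set: the Internet client to the web server on 80 and 443, and the web server to the database server on 1433. Everything else, including the web server reaching other LAN hosts on 1433 and any WAN traffic aimed directly at the LAN, falls through to the deny rule.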
Tom Carr (Client Satisfaction Specialist), author, commented:
I believe it will be used by about 20 people or so initially.

I will need to configure interface X3, do I set this to the DMZ zone then configure the above firewall rules?
Tom Carr (Client Satisfaction Specialist), author, commented:
It's these options I'm not too sure about at the moment.

I imagine I set the Zone to be DMZ but I'm not sure which setting to use for Mode / IP Assignment.

[Screenshot: SonicWALL X3 Interface Settings]
I'm quite new to SonicWALL and firewalls in general.

Pushpakumara Mahagamage (VP) commented:
Read this, and let me know if you can't understand anything on it. This is for the DMZ part.

Tom Carr (Client Satisfaction Specialist), author, commented:

Am I correct in thinking that for the solution mentioned in that article I would need more than one Public IP Address? I only have the one available.

Would it work if I set x3 into the DMZ Zone and gave it a static private IP address such as I assume I can then create the mentioned firewall rules?
Blue Street Tech (Last Knight) commented:
Hi Tom,

Welcome! Glad to see your first post!

From an architecture standpoint, I'd recommend putting an RPS (Reverse Proxy Server) in the DMZ and your web server and DB in the LAN. This way an adversary will only see the RPS server, and if they compromise it they won't get any data and you can simply wipe it and spin up a new VM to take its place. This is a security best practice for application/web server architecture.

Regarding the article, you don't need to create a PortShielded Interface in Transparent Mode unless that is a requirement. Simply creating a DMZ zone is easy to do. Go to Network > Interfaces, select an unassigned interface (e.g. X3, X4, etc.) you want to make the DMZ and click on the configure icon. Next to Zone select DMZ; Static IP Mode is fine; create the subnet 10.xx.x & Subnet Mask, etc., then click OK. You've just set up the DMZ. Now you can get very granular with your Access Rules for DMZ > LAN and LAN > DMZ on what IPs/servers can talk to each other on what ports.

Regarding your Public IP question, ideally I like to group services under separate IPs, but really the answer comes down to a question of whether you have conflicting services requiring the same ports. If you have multiple services needing 443, you'll need another IP, and if getting another IP is prohibitive due to cost, etc., then change the SonicWALL remote management port (Systems > Administration > Web Management Settings) from 443 to 4444 or something else non-conflicting.

In terms of your port forwarding question, the best, most comprehensive way to do this is by using the Wizard at the top right. It will guide you through all the necessary steps and automatically create all the necessary items to successfully forward traffic, including NAT Policies, Access Rules, Service and Address Objects.

Let me know if you have any other questions!

Pushpakumara Mahagamage (VP) commented:
Hi Tom,

A reverse proxy is a good security option to protect a web application server. You can keep the reverse proxy server [Apache reverse proxy or IIS ARR] in the DMZ and keep the application server and database server in the LAN segment.
You can configure your gateway with the 3-leg method, one leg for WAN, one leg for DMZ and the other for LAN, with one public IP. If you have more than one web site, you can forward the HTTP port to the reverse proxy and configure routing rules at the reverse proxy to direct requests to the LAN application server according to the host header. Use a custom port for firewall external access. The best option is to close firewall external access and access it through VPN. You can allow the external vendor remote access through the VPN as well.