outgoing licensing validation should be in DMZ or internal/backend zone? What mitigations if none

We have a internal zone server holding financial data.

Users would like to load ACL (Audit Command Language) into it to analyse the data but ACL
requires periodic (think can be daily) connection to Internet (& possibly incoming ports but
I'm not certain about incoming) for license validation.

Q1:
For a server that goes out to Internet, shouldn't it be placed in DMZ rather than internal zone?

Q2:
Or it does not matter for outgoing;  it's more for incoming connections (eg: web server) that
needs to be placed in DMZ?

Q3:
If we don't move the server to DMZ, what are the mitigations we can consider?
Let this server connect to a proxy to go out to Internet?
Use firewall to permit it to a specific destination IP for license validation only?
If the ACL component can't go by proxy, but it requires a non Tcp80/non Tcp443,
is this considered safe to permit (without going thru proxy)?

Q4:
If an internal zone server (Prod) goes out via proxy on Tcp80/443, isn't this
akin to a sysadmin being allowed to browse Internet from an internal server
which is risky?
sunhuxAsked:
Who is Participating?

[Product update] Infrastructure Analysis Tool is now available with Business Accounts.Learn More

x
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

Aaron TomoskyDirector of Solutions ConsultingCommented:
A dmz is just an old word for a firewalled vlan, so if you want a firewall in between your financial server and a server that talks to the internet, then yes, do that. Something like VMware NSX offers microsegmentation, basically giving every single VM a firewall. This is the future.
sunhuxAuthor Commented:
Thanks Aaron.
We are not opting for VM as that dept has no budget for it.
So you agree that such a license server should be seated in DMZ ?
So if it sits in internal zone going thru proxy to do license validation, it's not recommended (ie a risk)?
Aaron TomoskyDirector of Solutions ConsultingCommented:
Both a proxy and a dmz are risks. The dmz is a lower risk since it has a firewall between the new server and the license server, but requires more management. You have to decide based on your organizational policies which level of risk is appropriate.

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Network Security

From novice to tech pro — start learning today.