Xeronimo
Trying to wrap my head around DMZs
I'm trying to understand how DMZs work in a Windows environment ...
So I've got my LAN, no problems with that. Now I want to put a Windows web server into a DMZ.
I've configured a VLAN for the DMZ, that works. But I'm unsure about the necessary policies on my (Watchguard) firewall regulating the traffic between DMZ and LAN:
- I'd like to be able to access the web server from the LAN using Windows Explorer. Is that possible? If yes, how?
- does the web server need to be in the local AD in order to achieve this?
- can the web server in the DMZ use a serial number distributed by the KMS server on the LAN? Or how is this being handled? [update: I got that to work]
- what if the web server in the DMZ needs to execute a query on an MSSQL server on the LAN? Do I just open the port for SQL connections? I guess using a cache DB on another server in the DMZ would be better?
- how can I RDP from the LAN to the DMZ? RDP tells me the server does not exist although I have opened the RDP port on the firewall ...
Thanks!
ASKER
Ken: thanks for your answer as well! And why would you rather go the DMZ route than the RPS route that was suggested above? Thanks
Because I was giving you the most common setup that I see out there. The RPS server is an excellent route, but most SMB shops don't have the expertise to do it is what I have found. So they take a less complicated route and put the web server in the DMZ.
"But would this also work with only one RPS even with several domain names and several web servers (on the LAN)? If yes, how?"
Yes, I believe I already explained how above in my text and the links.
"And so I would keep all my web servers (Windows and Linux) on the LAN and only put that (Windows) RPS in a DMZ, correct?"
Yes, precisely.
I already addressed why you would use RPS over a simple web server in my first paragraph. Re-read what I wrote and the links and you will see the difference between the two concepts plainly!
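The reply above says one reverse proxy server (RPS) in the DMZ can front several web servers on the LAN for several domain names, but the detail is behind the paywalled answer. The following is an added illustration, not code from the thread or from any of the experts: a site-level web.config for IIS with URL Rewrite and Application Request Routing (ARR) on the Windows RPS, routing each incoming host name to a different backend on the LAN. The host names (www.example.com, app.example.net), the backend addresses (10.0.1.10, 10.0.1.20) and the choice of plain HTTP between RPS and backend are all assumptions for the example; ARR's proxy feature must already be enabled at the server level, which is done in IIS Manager or applicationHost.config rather than here.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example (assumed names and addresses), not configuration from the thread.
     Placed in the web.config of the site on the DMZ reverse proxy that listens
     on 80/443 for all public host names. TLS is assumed to terminate here, so
     the backends only need to be reachable on TCP 80 from the RPS address. -->
<configuration>
  <system.webServer>
    <rewrite>
      <rules>

        <!-- www.example.com -> LAN web server 10.0.1.10 (assumed address) -->
        <rule name="Proxy www.example.com" stopProcessing="true">
          <match url="(.*)" />
          <conditions>
            <add input="{HTTP_HOST}" pattern="^www\.example\.com$" />
          </conditions>
          <!-- {R:1} is the request path; the query string is appended by default -->
          <action type="Rewrite" url="http://10.0.1.10/{R:1}" />
        </rule>

        <!-- app.example.net -> LAN web server 10.0.1.20 (assumed address);
             the backend can be Windows or Linux, the RPS does not care -->
        <rule name="Proxy app.example.net" stopProcessing="true">
          <match url="(.*)" />
          <conditions>
            <add input="{HTTP_HOST}" pattern="^app\.example\.net$" />
          </conditions>
          <action type="Rewrite" url="http://10.0.1.20/{R:1}" />
        </rule>

        <!-- Any other Host header: abort instead of proxying into the LAN.
             Without this, a request with an unexpected host would fall through
             to the default site content on the proxy itself. -->
        <rule name="Deny unknown host" stopProcessing="true">
          <match url=".*" />
          <action type="AbortRequest" />
        </rule>

      </rules>
    </rewrite>
  </system.webServer>
</configuration>
```

The firewall side of this design is what makes it worth the extra box: the only DMZ-to-LAN policy needed is TCP 80 (or 443, if the backends are served over HTTPS) from the RPS address to the two backend addresses, and nothing on the LAN needs to initiate connections into the DMZ except administrative access such as RDP from a management host. The backends see requests arriving from the RPS address rather than the client's, so if the applications log or restrict by client IP, either enable ARR's option to preserve the original host header and forward the X-Forwarded-For header (set at the server level in ARR, not in this file) or have the backend trust those headers only when they come from the RPS.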
ASKER
And so I would keep all my web servers (Windows and Linux) on the LAN and only put that (Windows) RPS in a DMZ, correct?