Trying to wrap my head around DMZs

I'm trying to understand how DMZs work in a Windows environment ...

So I've got my LAN, no problems with that. Now I want to put a Windows web server into a DMZ.
I've configured a VLAN for the DMZ, that works. But I'm unsure about the necessary policies on my (Watchguard) firewall regulating the traffic between DMZ and LAN:

- I'd like to be able to access the web server from the LAN using Windows Explorer. Is that possible? If yes, how?
- does the web server need to be in the local AD in order to achieve this?
- can the web server in the DMZ use a serial number distributed by the KMS server on the LAN? Or how is this being handled? [update: I got that to work]
- what if the web server in the DMZ needs to execute a query on an MSSQL server on the LAN? Do I just open the port for SQL connections? I guess using a cache DB on another server in the DMZ would be better?
- how can I RDP from the LAN to the DMZ? RDP tells me the server does not exist although I have opened the RDP port on the firewall ...

Thanks!
Xeronimo asked:

Ken Boone, Network Consultant, commented:
OK so the DMZ is just a layer of protection.  Normally how these are set up is like you described.

You put your web server in the DMZ.  The web server is on a private address that is part of the DMZ.  Your firewall will provide a public IP address that it will use to NAT to the web server and it will have rules to allow traffic from the Internet to access the DMZ on ports 80 and 443.  
Then the firewall will have additional rules that will block everything from the DMZ trying to reach the inside with the exception of what devices the web server needs to talk to and their ports.  Normally we set a rule to allow a connection to the sql server on the inside.  

The idea is that the important data that we don't want hackers to access is on the inside - or the most protected part of your network.  

In addition you can add rules to the firewall to allow users from the inside to talk to the web server on the DMZ as well.

This is a method we call defense in depth.  First of all the web server is locked down so that it can only be accessed from the outside on ports 80 and 443.  So that means in order for them to exploit a vulnerability and gain access to the web server it would have to be done over those ports.  So keeping apache, nginx, or whatever updated is key here.

Now let's say they exploit a vulnerability and get access.  What can they reach from that server - other devices in the DMZ.  The only way for them to get to the inside is to exploit a vulnerability over the sql port to access the sql server.  Again, keeping your sql server up to date and patched is key.  

Never put data on the DMZ that you want to protect from the outside.  Always put a front end device up (i.e. web server) and allow a hole for that web server to reach what it needs on the inside.

Blue Street Tech, Last Knight, commented:
Hi Xeronimo,

To add to what Ken has already said, I'd recommend putting your web server in the LAN and standing up a RPS (Reverse Proxy Server) in the DMZ running exclusively on port 443; use port 80 only to redirect to 443. You can do this with Microsoft IIS by using ARR (Application Request Routing) and the URL Rewrite Module.

This way the RPS takes all the requests. So, the RPS server then interfaces with the web server (behind the LAN) for the content, on behalf of the user/s; the user/s never get to the web server front-end (presentation layer) or back-end (e.g. SQL), nor do any of their malicious tools; these all go through the RPS (man-in-the-middle). The same web pages are output, but the user never directly requests them; rather the RPS server does. When an adversary tries to specifically attack your web server to exploit a vulnerability, it would be thwarted because when the request goes to the RPS, it does not have the required apps, pages or know how to execute the command because it is not the web server; it only knows how to request content from the web server. Also, a properly set up NGFW (Next-Generation Firewall) that can perform DPI-SSL inspection (encrypted packet), like SonicWALL, will inspect the traffic and prevent things like SQL injection, web server exploits and the like. Any malformed link or manipulated packet will be handled by the NGFW and not passed directly to the web server. Here is a diagram and all the benefits of this architecture: https://en.wikipedia.org/wiki/Reverse_proxy

Specific to IIS ARR see the benefits here: https://www.iis.net/downloads/microsoft/application-request-routing

So I've got my LAN, no problems with that. Now I want to put a Windows web server into a DMZ.
I've configured a VLAN for the DMZ, that works. But I'm unsure about the necessary policies on my (Watchguard) firewall regulating the traffic between DMZ and LAN:
Access Rules should be configured to block all traffic except 80 & 443 on WAN>DMZ. DMZ>LAN should block everything except what is needed to communicate to the webserver.

- I'd like to be able to access the web server from the LAN using Windows Explorer. Is that possible? If yes, how?
Yes if you configure it the way I designed the RPS...the webserver will already be in the LAN.
- does the web server need to be in the local AD in order to achieve this?
RPS should be orphaned (not domain joined), the web server would be joined as any other server within your network would be!
- can the web server in the DMZ use a serial number distributed by the KMS server on the LAN? Or how is this being handled? [update: I got that to work]
Again, my architecture would allow this to occur normally since the web server would already reside on the LAN.
- what if the web server in the DMZ needs to execute a query on an MSSQL server on the LAN? Do I just open the port for SQL connections? I guess using a cache DB on another server in the DMZ would be better?
Again, since they are all in the LAN this is not an issue.
- how can I RDP from the LAN to the DMZ? RDP tells me the server does not exist although I have open the RDP port on the firewall ...
I wouldn't RDP or enable it. Regardless of whether you use the web server or an RPS in the DMZ, I'd treat it almost as an untrusted server. If it's virtual, I manage it with an OOB management tool like TeamViewer or LMI.

Let me know if you have any other questions!
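To make the two designs above concrete (Ken's web server in the DMZ versus Blue Street Tech's reverse proxy in the DMZ), here is an added example, not from the thread and not Watchguard configuration, that models each zone policy as an ordered rule list with default deny and checks the five flows from the question against both. Zone names, rule order and the choice of ports (80/443 web, 1433 MSSQL, 445 SMB, 3389 RDP, 1688 KMS) are assumptions for the model.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Rule:
    src: str          # source zone
    dst: str          # destination zone
    ports: frozenset  # allowed TCP destination ports; empty set = any port
    action: str       # "allow" or "deny"

def evaluate(rules, src, dst, port):
    """First matching rule wins; an unmatched flow is denied (default deny)."""
    for r in rules:
        if r.src == src and r.dst == dst and (not r.ports or port in r.ports):
            return r.action
    return "deny"

ANY = frozenset()
# Ken's layout (assumed rule set): the web server itself sits in the DMZ.
WEB_IN_DMZ = [
    Rule("WAN", "DMZ", frozenset({80, 443}), "allow"),    # public HTTP/HTTPS only
    Rule("DMZ", "LAN", frozenset({1433}), "allow"),       # the one hole: SQL port inbound
    Rule("DMZ", "LAN", ANY, "deny"),                      # nothing else from the DMZ
    Rule("LAN", "DMZ", frozenset({445, 3389}), "allow"),  # admins: Explorer (SMB) and RDP
]
# Blue Street Tech's layout (assumed rule set): only the reverse proxy is in the DMZ.
RPS_IN_DMZ = [
    Rule("WAN", "DMZ", frozenset({80, 443}), "allow"),
    Rule("DMZ", "LAN", frozenset({443}), "allow"),        # proxy -> internal web server only
    Rule("DMZ", "LAN", ANY, "deny"),
    Rule("LAN", "DMZ", frozenset({443}), "allow"),        # no SMB/RDP to the proxy host
]

FLOWS = {  # constructed from the questioner's five points, plus one lateral-movement check
    "Explorer LAN->DMZ (SMB 445)": ("LAN", "DMZ", 445),
    "KMS DMZ->LAN (1688)": ("DMZ", "LAN", 1688),
    "SQL DMZ->LAN (1433)": ("DMZ", "LAN", 1433),
    "RDP LAN->DMZ (3389)": ("LAN", "DMZ", 3389),
    "SMB DMZ->LAN (445)": ("DMZ", "LAN", 445),  # must stay blocked if the DMZ host is compromised
}

def check_all(rules):
    """Map each named flow to the verdict the given policy produces."""
    return {name: evaluate(rules, *flow) for name, flow in FLOWS.items()}

if __name__ == "__main__":
    for label, rules in (("web server in DMZ", WEB_IN_DMZ), ("RPS in DMZ", RPS_IN_DMZ)):
        print(label)
        for flow, verdict in check_all(rules).items():
            print(f"  {verdict:5} {flow}")
```

Note that in the first layout the KMS flow is denied until a matching DMZ->LAN rule is added, which is exactly the kind of per-service hole Ken describes; in the second layout RDP and SMB to the DMZ are denied, matching Blue Street Tech's advice to manage the proxy out of band.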
Xeronimo, Author, commented:
BST: thanks for your answer. But would this also work with only one RPS even with several domain names and several web servers (on the LAN)? If yes, how?

And so I would keep all my web servers (Windows and Linux) on the LAN and only put that (Windows) RPS in a DMZ, correct?
Xeronimo, Author, commented:
Ken: thanks for your answer as well! and why would you rather go the DMZ route than the RPS route that was suggested above? Thanks
Ken Boone, Network Consultant, commented:
Because I was giving you the most common setup that I see out there.  The RPS server is an excellent route, but most SMB shops don't have the expertise to do it is what I have found.  So they take a less complicated route and put the web server in the DMZ.
Blue Street Tech, Last Knight, commented:
But would this also work with only one RPS even with several domain names and several web servers (on the LAN)? If yes, how?
Yes, I believe I already explained how above in my text and the links.

And so I would keep all my web servers (Windows and Linux) on the LAN and only put that (Windows) RPS in a DMZ, correct?
Yes, precisely.

I already addressed why you would use an RPS over a simple web server in my first paragraph. Re-read what I wrote and the links and you will see the difference between the two concepts plainly!