
DMZ Newbie

May 29, 2003
Hi, I am trying to create a DMZ for a web and mail server.
Before I do this I am trying to plan it and get to grips with it all.
I understand that the DMZ needs to work on a separate IP range and that I should deny traffic originating from the DMZ to the internal LAN; however, this would mean that the servers couldn't log into the domain, so how will users get their email?

Any tips and advice on setting up a DMZ is appreciated.

Thanks in advance
Ian
 
you will have 3 nics with 3 IP address ranges
example
External - 193.195.123.123
DMZ - 192.168.1.0 / 255.255.255.0
Internal 192.168.10.0 255.255.255.0

you will create rules specifically for
dmz - External
external - dmz
lan - external
external - lan
dmz - lan
lan - dmz

email is usually requested from the client pc, so rules allowing traffic from lan - webserver only will allow the email to be sent as it is requested from the lan, without requiring a rule webserver - lan

 
Hi Piloria
Thanks for your message.

Few more questions.

1 - We would like our internal users to save reports to a share on the web server. From what I understand the web server cannot communicate with the domain, so can this be done?

2 - We have a mail security server that sends/receives all email. If I put this in the DMZ it would need to send the traffic to the mail server on the LAN. Is this OK, as I read that you should never allow traffic to originate from the DMZ to the LAN?

3 - Can I put 2 NAT IPs on 1 server? This way I could put both the webserver and email quarantine on one machine.

Thanks again for your help.

Ian Taylor
 
1. only allowing return authentication ports (you will see which are required from the failures in the logs) from the server and allowing the required ports from the lan should allow this.
i have never set it up so i am only guessing.

2. presumably you are only going to pass port 25 from the security server to the lan. unfortunately this is the only way of getting the information to pass. i would use a specific rule
security server - mail server - smtp - allow - log
i would also set up an smtp resource and match incoming email to only allow to your email addresses (*@yourcompany.com)
note on action tab 2 there is a mail size limit (default 1Mb)

3. Just tried this and it didn't work
Most servers allow 2 ip addresses (even on one network card), so as far as the firewall is concerned they are separate servers even if they are on the same physical box.


p.s. are you an ian taylor from scotland?
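Added example (not from any of the posts above): a small Python model of the three-zone policy Piloria describes in both replies, using the thread's address ranges with constructed host addresses. It shows that replies to LAN-initiated connections pass on connection state without a webserver - lan rule, while DMZ-initiated traffic into the LAN is dropped except for the single logged security server - mail server - smtp rule.

```python
import ipaddress

# Address plan from the thread; host addresses below are constructed for the example.
ZONES = {
    "dmz": ipaddress.ip_network("192.168.1.0/24"),
    "lan": ipaddress.ip_network("192.168.10.0/24"),
}
MAIL_SECURITY = "192.168.1.25"   # assumed DMZ mail security / quarantine host
INTERNAL_MAIL = "192.168.10.25"  # assumed LAN mail server

def zone_of(ip):
    """Map an address to dmz / lan / external using the subnets above."""
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "external"

# First-match rules: (src zone, dst zone, src host, dst host, dst port, action);
# None means "any". Everything not listed is denied by default.
RULES = [
    ("external", "dmz", None, None, 80, "allow"),
    ("external", "dmz", None, None, 25, "allow"),
    ("lan", "dmz", None, None, None, "allow"),
    ("lan", "external", None, None, None, "allow"),
    ("dmz", "lan", MAIL_SECURITY, INTERNAL_MAIL, 25, "allow+log"),
    ("dmz", "external", None, None, 25, "allow"),
]

class Firewall:
    def __init__(self):
        self.state = set()  # (src, sport, dst, dport) of flows already allowed
        self.log = []

    def check(self, src, sport, dst, dport):
        """Decide on one packet; returns the action string."""
        # Reply packets of an allowed flow pass on state, so no reverse rule is needed.
        if (dst, dport, src, sport) in self.state:
            return "allow (established)"
        sz, dz = zone_of(src), zone_of(dst)
        for rsz, rdz, rsrc, rdst, rport, action in RULES:
            if (rsz, rdz) != (sz, dz) or (rsrc and rsrc != src):
                continue
            if (rdst and rdst != dst) or (rport and rport != dport):
                continue
            self.state.add((src, sport, dst, dport))
            if "log" in action:
                self.log.append(f"{sz}->{dz} {src}:{sport} -> {dst}:{dport}")
            return action
        return "deny"
```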
 
Thanks again for your reply. I will try this out, especially the email address rule.

Unfortunately no I am in Ipswich UK.

Thanks again.
 
Hi Ian,

If you still need help here let me know. Did you sort out how to log in to the domain?

Your DMZ addresses should not be the same as your LAN(s) subnet addresses.
Your internal LAN users will use your PROXY in the DMZ to pass out onto the net. They just need the address.
Just create a lmhost file similar to the lmhost.sample in WINNT that will point the servers to the domain controllers and therefore give you access with a domain account.

Hope that helps
 
Hi,
I have almost a similar problem. I have my mail server CommuniGate behind a firewall that intercepts every incoming SMTP session and acts on behalf of the mail server. The FW MTA is SendMail, and it's configured so that if the mail is for a local domain it forwards it to the local mail server(s); if not, it sends it outside to its destination.
All works fine for local users on the LAN, since the FW is treating LAN IPs as trusted IPs, but the problem is when remote users try to send email: they can't, and enabling the domain relay check on the reply-to is not secure enough.
I have SMTP authentication enabled on CommuniGate and tested OK from inside the LAN, but when remote/mobile users try that they are actually talking to the FW and not CommuniGate, which does not work.


Thanks in advance...
Javatizer
 