Windows Vista Tips

Best practice to setup a DMZ? (hyperV and guests)

markm75g, 01-30-2010:

I've never set up a DMZ to this day. We just purchased a five-pack of IPs
from our one ISP (Verizon).

I want to get things set up so that I'm no longer just opening and closing
ports on the SonicWall email security firewall gateway, which is basically
how I've been doing things for a while.

I.e.:

Cloud---->ISP--->Sonicwall----->LAN

(Side info): We now have two Hyper-V servers, each with around 10 VMs, all
residing on a single spindle of drives in each server, RAID 6, roughly 6-7
drives each, for better read speeds.

We run Exchange 2010 and I'm in the process of redoing the OCS 2007 R2
installation, this time with an edge server (it's my understanding that the
voice component, and maybe the web conferencing one, with OCS shouldn't be
virtualized, as well as the UM role with Exchange 2010).

So my goal here is to set up this edge server for OCS and set up Exchange 2010
correctly DMZ-wise (not clear on how that would be yet; maybe the CAS/HUB in
a VM which is in the DMZ).

Things I'm not clear on:
I'm not sure, with a server in the DMZ, like the OCS edge server, or even an
FTP service running on one, if those should be joined to the domain. In the
case of the CAS/HUB for Exchange, I would think it would have to be.

One suggestion was that I should have a hub or switch sitting in between the
port going to my Hyper-V server card (the one I'd dedicate as DMZ) and the
SonicWall. This doesn't make sense to me.

So how should my setup look? Do I simply put those external IPs on one NIC
port of the Hyper-V server and one on the associated guest or guests (2 in the
case of two DMZs + the Hyper-V server host)?

Would the guest have two virtual NICs, one for the DMZ external IP and the
other for the local LAN?

Wouldn't I have to set up a virtual network switch on the Hyper-V host as well?


I'm thinking the layout may look like this:

Cloud--->ISP--->ExtraPhysicalSwitch-------->A "DMZ" dedicated port on
hyperv (turn into virtual network switch)------>VMguest DMZ virtual port

^ In the above setup, I'd have a LAN cable coming out of the
ExtraPhysicalSwitch and going into my SonicWall firewall's 2nd or 3rd port.

I think I'd have to set up a static route in the router as well?

Any thoughts on all this?

Thanks
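The virtual-switch part of the question above (does the host need a virtual switch, and should the DMZ guest have a second vNIC into the LAN), as an added example that is not from the thread and not a SonicWall or Microsoft procedure. It uses the Hyper-V PowerShell module that shipped with Windows Server 2012 and later; the 2008 R2 hosts in the thread would take the same steps in Hyper-V Manager. The physical NIC name, switch names, guest name and VLAN ID are assumptions. It does three things a practitioner would want here: binds the DMZ switch to the dedicated NIC with the management OS excluded, so the host itself gets no address in the DMZ; leaves the DMZ guest with exactly one vNIC, on the DMZ switch, because a second vNIC into the LAN would bridge DMZ and LAN around the firewall; and, for the "plan C" variant where the DMZ is a VLAN on the existing switch, tags the guest's vNIC instead.

```powershell
# Added example, not from the thread. Assumptions: Hyper-V module (Server 2012+),
# a spare physical NIC named DMZ-NIC, a guest named OCS-EDGE, run with the guest stopped.
#Requires -Modules Hyper-V
$ErrorActionPreference = 'Stop'

$dmzNicName = 'DMZ-NIC'      # assumed: the physical port dedicated to the DMZ
$dmzSwitch  = 'vSwitch-DMZ'  # assumed name for the new external switch
$lanSwitch  = 'vSwitch-LAN'  # assumed name of the existing LAN switch
$dmzVm      = 'OCS-EDGE'     # assumed DMZ guest
$dmzVlanId  = 0              # set to the DMZ VLAN ID for plan C (DMZ as a VLAN on the shared switch)

# 1. External switch on the dedicated NIC. -AllowManagementOS $false means the host gets
#    no vNIC (and so no IP address) on the DMZ side; only guests are connected to it.
if (-not (Get-VMSwitch -Name $dmzSwitch -ErrorAction SilentlyContinue)) {
    New-VMSwitch -Name $dmzSwitch -NetAdapterName $dmzNicName -AllowManagementOS $false | Out-Null
}

# 2. Remove any LAN-facing vNIC from the DMZ guest. A guest with one leg in the DMZ and one in the
#    LAN is a path between the two networks that the firewall never sees.
Get-VMNetworkAdapter -VMName $dmzVm |
    Where-Object { $_.SwitchName -eq $lanSwitch } |
    ForEach-Object { Remove-VMNetworkAdapter -VMNetworkAdapter $_ }

# 3. Exactly one vNIC, connected to the DMZ switch.
$nic = Get-VMNetworkAdapter -VMName $dmzVm | Select-Object -First 1
if (-not $nic) {
    $nic = Add-VMNetworkAdapter -VMName $dmzVm -SwitchName $dmzSwitch -Name 'DMZ' -Passthru
} else {
    Connect-VMNetworkAdapter -VMNetworkAdapter $nic -SwitchName $dmzSwitch
}

# 4. Plan C: the DMZ rides as a tagged VLAN on the existing physical switch, so the tag is set on
#    the guest's vNIC. Otherwise the DMZ is its own untagged segment on the dedicated NIC.
if ($dmzVlanId -gt 0) {
    Set-VMNetworkAdapterVlan -VMNetworkAdapter $nic -Access -VlanId $dmzVlanId
} else {
    Set-VMNetworkAdapterVlan -VMNetworkAdapter $nic -Untagged
}

# 5. Verify: no management-OS vNIC on the DMZ switch, and the guest has one vNIC, on that switch.
$hostOnDmz = Get-VMNetworkAdapter -ManagementOS | Where-Object { $_.SwitchName -eq $dmzSwitch }
$guestNics = @(Get-VMNetworkAdapter -VMName $dmzVm)
if ($hostOnDmz) { throw "Host has a management vNIC on $dmzSwitch; the host would sit in the DMZ." }
if ($guestNics.Count -ne 1 -or $guestNics[0].SwitchName -ne $dmzSwitch) {
    throw "$dmzVm should have exactly one vNIC, connected to $dmzSwitch."
}
"$dmzVm : $($guestNics[0].Name) -> $($guestNics[0].SwitchName) (VLAN $dmzVlanId)"
```

Whether the guest then carries a public address or a private DMZ address is decided by the firewall design (Bill's and Phillip's replies below cover that), not by the switch; the switch only decides which wire the guest's traffic lands on.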

Bill Grant, 01-30-2010:

"markm75g" <> wrote in message
news:BB3D89AF-D12E-4283-B2DB-...
If you want your DMZ servers to have direct access to the Internet you
would give them public IPs from the batch you purchased. If you want them
to have private IPs you would allocate the public IPs to your edge server
and map them to the machines on the private network.

It is possible to run a DMZ with virtual machines and virtual networks,
but in this case I would run your DMZ on physical hardware. What were you
planning to put in the DMZ? Just Exchange and the OCS server? Will you keep
the Sonicwall as your edge server?

A DMZ, by definition, is not really part of the public Internet or the
LAN. The most common setup is the back to back firewall model, where you
have one firewall between the Internet and the DMZ and another between the
DMZ and the LAN. You would need a second firewall between the DMZ and the
private LAN. Since your virtual machines run on different hosts, I would use
a hardware firewall or firewall software running on physical hardware for
this second firewall. The routing and network config would get complicated
trying to run this firewall in a vm.

To sum up, I would recommend that you essentially leave your Hyper-V
servers and their vms alone and build your DMZ between them and the
Internet.

Internet
|
firewall (Sonicwall?)
|
DMZ
|
new firewall
|
existing LAN.

I love playing with virtual machines and virtual networks, but my honest
opinion is that a DMZ on a physical network is the best solution in this
case.

markm75g, 01-31-2010:

I didn't realize I'd need another firewall. ISA or Forefront running on a
physical box? (Or another router with a firewall; we do have an old router
handy.)

Or is this not the case, as our SonicWall gateway has a port which can be
labelled "DMZ", layer 2 bridge or passthrough? So, backpedalling from my
original thought to the latest thoughts based on the passthrough, I'm unclear:
if this has the passthrough, wouldn't it essentially segment the network, not
requiring a firewall on top of the existing one?

I.e., I'm guessing if I correctly configure the SonicWall port as transparent,
I can essentially pass through the ISP public connection, avoiding having to
assign another public IP directly on the unit.

What I'm not clear on is if this port is meant to come from the ISP, via say a
switch, so the connection is split, one to the regular WAN port, the other to
this DMZ port, or if you are just supposed to plug your "DMZ" servers into this
gateway port, so they become part of the WAN/DMZ, and then assign public IPs on
the NICs of the servers (that are in the DMZ)?

Here are two layouts I originally thought might be the case:

[Image: Network Topology with DMZ1.jpg]
http://pqu1oq.blu.livefilestore.com/y1pQSjhi-Uiiy3uklgqekZ9w_ll58M2c7a_OGLzRcZ5kUXF610LF-aqbmM11JOY9G8415upw97YtACczV2iZID1fB9W7j4lG1v7/Network Topology with DMZ1.jpg

While here is one, based on the new finding of this DMZ (possibly a passthrough port):

[Image: Network Topology with DMZ2 via passthrough.jpg]
http://pqu1oq.blu.livefilestore.com/y1pfmjYNuk35Abt7RWWbVUona1Yn9Ew7UHoWL2AfgvSH8jRoO-XXq9P9WSUT5sesmXNEQ7a2v35NhxqRpQVM4q3nU4-dGHmyRUs/Network Topology with DMZ2 via passthrough.jpg

Or perhaps this is the true nature of that X3 port, more of a passthrough to
another switch or a VLAN on the existing internal switch:

[Image: Network Topology with DMZ via passthrough planC.jpg]
http://pqu1oq.blu.livefilestore.com/y1p7uJNcRDLfTXZpDc-rk3rEXU1YoZ4FbzuRdjXw1WA_wqHpI4nfKQjPiXbY7819ie7o8 RB9yl8leh_dVA5cqRwDmDNyhgTwX0X/Network Topology with DMZ via passthrough planC.jpg

markm75g, 01-31-2010:

I should have also added:

Would C be considered a 3-homed firewall, as described here:
http://blogs.msdn.com/rds/archive/20...all-rules.aspx

I'm not clear, where they describe the 3-homed part, if they are referring
to a server having 3 network cards or the firewall having 3 network ports
(like the SonicWall).

Bill Grant, 01-31-2010:

"markm75g" <> wrote in message
news:30997720-2B80-414E-9BE6-...
> I should have also added:
>
> Would C, be considered a 3 homed firewall described here:
> http://blogs.msdn.com/rds/archive/20...all-rules.aspx
>
> I'm not clear on where they describe the 3 homed part if they are
> referring
> to a server having 3 network cards or the firewall having 3 network ports
> (like the Sonicwall).
>


Yes, those are the two most common scenarios. If you go for the 3-homed
option, both the LAN and the DMZ connect to the SonicWall. The switch
hosting the DMZ machines would plug into the DMZ port of the SonicWall and
the switch hosting the LAN machines stays where it is.

With a back-to-back firewall setup you ignore the DMZ switch on the
SonicWall. The DMZ switch plugs in where your LAN currently connects, and
you have a second firewall (such as ISA/Forefront) between this and the
existing LAN.

markm75g, 01-31-2010:

"Bill Grant" wrote:

Awesome, I think I'm getting somewhere now. Thanks.

So in the 3-homed situation, I wouldn't need that secondary firewall, because
the SonicWall is sort of providing 2 firewalls in one, basically?

I'm guessing that I'd use that transparent mode, so I wouldn't actually
assign a public IP to the DMZ port on the back of the SonicWall.

The public IPs would go on the NIC on the server in the DMZ. Would that
DMZ server or edge server just have one NIC, for the public IP, say
70.22.110.3, etc.?

I would imagine in certain edge situations, maybe OWA or even an OCS edge
server, that traffic to the LAN still needs to talk somehow. Does this mean
I'd need to set up a static route in the router to go from say 70.22.110.3 to
say 192.168.100.1 (gateway), and consequently open up policies to allow
certain protocols to go through?

Thanks again

Phillip Windell, 02-01-2010:

"markm75g" <> wrote in message
news:BB3D89AF-D12E-4283-B2DB-...
> I've never set up a dmz to this day.. we just purchased a five pack of ips
> from our one ISP (verizon)..
>
> I want to get things setup so that i'm no longer just opening and closing
> ports on the sonicwall email security firewall gateway, which is basically
> how i've been doing things for a while..


Your public IP#s have nothing to do with a DMZ, and having or not having a
DMZ has no effect on how you use those IP#s.


--
Phillip Windell

The views expressed, are my own and not those of my employer, or Microsoft,
or anyone else associated with me, including my cats.
-----------------------------------------------------

Phillip Windell, 02-01-2010:

"markm75g" <> wrote in message
news:8F119C5F-1C47-4EAA-8A75-...
> So in the 3 home situation.. i wouldnt need that 2ndary firewall, because
> the sonicwall is sort of providing 2 firewalls in one basically?


Kinda sorta, but not exactly. Actually, I guess it would be "no". It would
be one firewall protecting 2 networks.

> I'm guessing that i'd use that transparent mode.. so i wouldnt actually
> assign a public ip to the dmz port on the back of the sonicwall..


No, you would not. The public IP#s would only "live" on the public side, on
the "outside" of the firewall. 90% of whatever you might do can most
likely be done with only 1 public IP#. We have 128 public IP#s; I use
maybe 4 or 5.

> The public ips would go in the nic on the server in the dmz .. would that
> dmz server or edge server, just have one nic, for the public ip.. say
> 70.22.110.3 etc?


No, the server would have private IP#s. But it has to be a different subnet
than the regular LAN. So this is an RFC private set, so just "make up" a
new IP range to use for the tri-homed DMZ.

> I would imagine in certain edge situations, maybe owa or even an ocs edge
> server, that traffic to the lan still needs to talk somehow.. does this
> mean
> i'd need to setup a static route in the router to go from say 70.22.110.3
> to
> say 192.168.100.1 (gateway).. and consequently open up policies to allow
> certain protocols to go through?


Policies ,..yes
Routes,...no.
All networks in this context are "directly connected" to the firewall,...so
it "knows" where all of them are.

In over 10 years I have never become convinced that I need a "DMZ" for
anything, and I still don't use one, and I run the IT systems at an NBC
affiliated TV news station which is spewing with technology and "gadgets"
everywhere. But I will try to help others understand how to deploy one if
they insist that they want one. But I think most people don't need one, don't
understand why they would or wouldn't need one, and have no idea how to deal
with the excess complexity created by one.
...Just my own opinion of course...


markm75g, 02-01-2010:



"Phillip Windell" wrote:

Still not clear why this is called tri-homed, if the servers behind the
firewall, in the perimeter, don't have 3 network cards? Or does tri-homed mean
public / can connect to internal via policies / something else?

So I would essentially be setting up policies to the server(s) behind the
DMZ firewall, like I do now with our regular LAN behind the firewall. I.e., we
only have two external IPs; I open up policies to allow certain ports.
Sounds as if I would do the same on the new DMZ zone.

So if not a DMZ/perimeter, what is your recommendation? Just use NAT
passthrough policies and only open up what is needed? What about having that
extra layer of protection?

Phillip Windell, 02-01-2010:

"markm75g" <> wrote in message
news:7632ACC4-825A-4AD6-9DE1-...
> Still not clear why this is called TriHomed.. if the servers behind the
> firewall, in the permiter dont have 3 network cards? Or is trihomed
> meaning,
> public/ can connect to internal via policies/ something else..


Tri-homed: One firewall-3 interfaces. One on the LAN behind the firewall,
one on the public side in front of the firewall, one "beside" the firewall
(the DMZ).

Back-to-Back DMZ: Two firewalls-2 interfaces in each. The DMZ is the
network "between" the two firewalls.

> So i would be essentially setting up policies to the server(s) behind the
> dmz firewall, like i do now with our regular lan behind the firewall.. ie:
> we
> only have two external ips.. i open up policies to allow certain ports
> open..
> sounds as if i would do the same on the new dmz zone.


Yes,..exactly.

> So if not a dmz/perimiter.. what is your recommendation? Just use nat
> passthrough policies and only open up what is needed.. what about having
> that
> extra layer of protection?


I'm not going to tell you to have or not have one. If you don't configure a
server correctly (securely) on the LAN and publish it to the Internet and
then get hacked, I don't want the blame. I'm just saying that I have no
problem doing that, but I keep my stuff cleanly configured, I "know what
I have" and I only publish what is specifically supposed to be available to
external users.

It is not NAT passthrough; there is no such thing. There is a VPN
passthrough, but it doesn't apply here. The process is called Static NAT or
Reverse NAT, which may or may not have Port Address Translation running on
top of it. BTW, there is no such thing as Port Forwarding either (in case
you mention that next); that is a "home-user" marketing term that someone
just "made up" and it got off its leash. I think Linksys is to blame for
that.

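A worked model of the tri-homed design that Bill and Phillip describe across the replies above (one firewall, three interfaces; private DMZ subnet; static NAT with or without PAT; policies rather than routes), as an added example that is not from the thread and is not SonicWall configuration. It runs a few constructed flows through the three steps the firewall takes, in order: rewrite a public destination to its private DMZ host (static or reverse NAT, with a PAT entry where the public and private ports differ), pick the exit network from the three directly connected subnets alone (no static route needed for 70.22.110.x to 192.168.100.x), then apply the zone policy. The public block 70.22.110.0/29, the DMZ range 10.10.10.0/24, the LAN 192.168.100.0/24 (the thread's gateway address), the port numbers and the OWA/OCS rules are all assumptions for the illustration; the fourth and fifth flows show the two denials a DMZ is meant to give you, a DMZ host that cannot reach LAN file shares and a public address with no publishing entry that is dropped rather than answered.

```powershell
# Added example, not from the thread: a model of a tri-homed firewall, not a real device's config.
# Assumed addressing: WAN 70.22.110.0/29 (public block), LAN 192.168.100.0/24, DMZ 10.10.10.0/24.
Set-StrictMode -Version Latest

# Three directly connected interfaces. Routing between them needs no static routes.
$Interfaces = @(
    @{ Zone = 'WAN'; Network = '70.22.110.0';   Prefix = 29 },
    @{ Zone = 'LAN'; Network = '192.168.100.0'; Prefix = 24 },
    @{ Zone = 'DMZ'; Network = '10.10.10.0';    Prefix = 24 }
)

# Static (reverse) NAT entries: public address/port -> private DMZ host/port.
# Where the ports differ the entry is PAT on top of static NAT. All values assumed.
$StaticNat = @(
    @{ Public = '70.22.110.3'; PublicPort = 443;  Private = '10.10.10.5'; PrivatePort = 443  },  # OWA
    @{ Public = '70.22.110.4'; PublicPort = 5061; Private = '10.10.10.6'; PrivatePort = 5061 },  # OCS edge
    @{ Public = '70.22.110.4'; PublicPort = 8443; Private = '10.10.10.6'; PrivatePort = 443  }   # PAT
)

# Zone policy: explicit allows only; everything else is denied. DMZ->LAN is the narrow one.
$Policy = @(
    @{ From = 'WAN'; To = 'DMZ'; Port = '443'  },
    @{ From = 'WAN'; To = 'DMZ'; Port = '5061' },
    @{ From = 'DMZ'; To = 'LAN'; Port = '5061' },  # edge server to internal OCS pool (assumed)
    @{ From = 'LAN'; To = 'DMZ'; Port = '3389' },  # admins manage DMZ hosts (assumed)
    @{ From = 'LAN'; To = 'WAN'; Port = '*'    }
)

function ConvertTo-IpLong([string]$Ip) {
    $b = [System.Net.IPAddress]::Parse($Ip).GetAddressBytes()
    return ([long]$b[0] -shl 24) -bor ([long]$b[1] -shl 16) -bor ([long]$b[2] -shl 8) -bor [long]$b[3]
}

function Test-InSubnet([string]$Ip, [string]$Network, [int]$Prefix) {
    $mask = ([long]4294967295 -shl (32 - $Prefix)) -band 4294967295
    return ((ConvertTo-IpLong $Ip) -band $mask) -eq ((ConvertTo-IpLong $Network) -band $mask)
}

function Get-Zone([string]$Ip) {
    foreach ($iface in $Interfaces) {
        if (Test-InSubnet $Ip $iface.Network $iface.Prefix) { return $iface.Zone }
    }
    return 'WAN'   # not directly connected: default route, i.e. the Internet side
}

function Resolve-StaticNat([string]$DstIp, [int]$DstPort) {
    foreach ($m in $StaticNat) {
        if ($m.Public -eq $DstIp -and $m.PublicPort -eq $DstPort) { return $m }
    }
    return $null
}

function Test-ZonePolicy([string]$From, [string]$To, [int]$Port) {
    # Traffic inside a private zone never crosses the firewall. WAN->WAN is not exempt:
    # a public address with no NAT entry is simply not published.
    if ($From -eq $To -and $From -ne 'WAN') { return $true }
    foreach ($r in $Policy) {
        if ($r.From -eq $From -and $r.To -eq $To -and ($r.Port -eq '*' -or $r.Port -eq "$Port")) { return $true }
    }
    return $false
}

function Invoke-Firewall([string]$SrcIp, [string]$DstIp, [int]$DstPort) {
    $fromZone = Get-Zone $SrcIp
    $nat = Resolve-StaticNat $DstIp $DstPort             # 1. static NAT before anything else
    if ($nat) { $DstIp = $nat.Private; $DstPort = $nat.PrivatePort }
    $toZone = Get-Zone $DstIp                             # 2. which connected network it leaves on
    $allowed = Test-ZonePolicy $fromZone $toZone $DstPort # 3. zone policy decides
    $action = if ($allowed) { 'ALLOW' } else { 'DENY' }
    return [pscustomobject]@{ Src = $SrcIp; Dst = $DstIp; Port = $DstPort; From = $fromZone
                              To = $toZone; Natted = [bool]$nat; Action = $action }
}

# Constructed sample flows (203.0.113.10 is a documentation address standing in for an Internet user).
$Samples = @(
    @{ Src = '203.0.113.10'; Dst = '70.22.110.3';    Port = 443  },  # Internet to OWA: NAT to DMZ, allowed
    @{ Src = '203.0.113.10'; Dst = '70.22.110.4';    Port = 8443 },  # PAT: public 8443 -> private 443
    @{ Src = '10.10.10.6';   Dst = '192.168.100.20'; Port = 5061 },  # edge to internal pool: allowed
    @{ Src = '10.10.10.5';   Dst = '192.168.100.20'; Port = 445  },  # DMZ host to LAN SMB: denied
    @{ Src = '203.0.113.10'; Dst = '70.22.110.3';    Port = 22   }   # no NAT entry, no policy: denied
)
foreach ($s in $Samples) { Invoke-Firewall $s.Src $s.Dst $s.Port }
```

The point of the fourth flow is the one that decides whether a DMZ buys you anything in this design: if the DMZ-to-LAN policy is as wide as the LAN itself, a compromised edge server is on the LAN for practical purposes, and the extra zone is only complexity, which is Phillip's objection.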