Best practice to setup a DMZ? (hyperV and guests)

Discussion in 'Server Networking' started by markm75g, Jan 30, 2010.

  1. markm75g

    markm75g Guest

    I've never set up a DMZ to this day. We just purchased a five-pack of IPs
    from our one ISP (Verizon).

    I want to get things set up so that I'm no longer just opening and closing
    ports on the SonicWall email security firewall gateway, which is basically
    how I've been doing things for a while.

    I.e.:

    Cloud---->ISP--->Sonicwall----->LAN

    (Side info: we now have two Hyper-V servers, each with around 10 VMs, all
    residing on a single spindle of drives in each server, RAID 6, roughly 6-7
    drives each, for better read speeds.)

    We run Exchange 2010 and I'm in the process of redoing the OCS 2007 R2
    installation, this time with an edge server (it's my understanding that the
    voice component, and maybe the web conferencing one, with OCS shouldn't be
    virtualized, nor should the UM role with Exchange 2010).

    So my goal here is to set up this edge server for OCS and set up Exchange 2010
    correctly DMZ-wise (not clear on how that would be yet; maybe the CAS/Hub in
    a VM which is in the DMZ).

    Things I'm not clear on:
    I'm not sure, with a server in the DMZ, like the OCS edge server, or even an
    FTP service running on one, whether those should be joined to the domain. In
    the case of the CAS/Hub for Exchange, I would think it would have to be.

    One suggestion was that I should have a hub or switch sitting in between the
    port going to my Hyper-V server card (the one I'd dedicate as DMZ) and the
    SonicWall. This doesn't make sense to me.

    So how should my setup look? Do I simply put those external IPs on one NIC
    port of the Hyper-V server and one on the associated guest or guests (2 in
    the case of two DMZs + the Hyper-V server host)?

    Would the guest have two virtual NICs, one for the DMZ external IP and the
    other for the local LAN?

    Wouldn't I have to set up a virtual network switch on the Hyper-V host as
    well?

    I'm thinking the layout may look like this:

    Cloud--->ISP--->ExtraPhysicalSwitch-------->A "DMZ" dedicated port on
    hyperv (turn into virtual network switch)------>VMguest DMZ virtual port

    ^In the above setup, I'd have a LAN cable coming out of the
    ExtraPhysicalSwitch and going into my SonicWall firewall's 2nd or 3rd port.

    I think I'd have to set up a static route in the router as well?

    Any thoughts on all this?

    Thanks
     
    markm75g, Jan 30, 2010
    #1

  2. Bill Grant

    Bill Grant Guest

    If you want your DMZ servers to have direct access to the Internet you
    would give them public IPs from the batch you purchased. If you want them
    to have private IPs you would allocate the public IPs to your edge server
    and map them to the machines on the private network.

    It is possible to run a DMZ with virtual machines and virtual networks,
    but in this case I would run your DMZ on physical hardware. What were you
    planning to put in the DMZ? Just Exchange and the OCS server? Will you keep
    the Sonicwall as your edge server?

    A DMZ, by definition, is not really part of the public Internet or the
    LAN. The most common setup is the back to back firewall model, where you
    have one firewall between the Internet and the DMZ and another between the
    DMZ and the LAN. You would need a second firewall between the DMZ and the
    private LAN. Since your virtual machines run on different hosts, I would use
    a hardware firewall or firewall software running on physical hardware for
    this second firewall. The routing and network config would get complicated
    trying to run this firewall in a vm.

    To sum up, I would recommend that you essentially leave your Hyper-V
    servers and their vms alone and build your DMZ between them and the
    Internet.

    Internet
    |
    firewall (Sonicwall?)
    |
    DMZ
    |
    new firewall
    |
    existing LAN.

    I love playing with virtual machines and virtual networks, but my honest
    opinion is that a DMZ on a physical network is the best solution in this
    case.
     
    Bill Grant, Jan 31, 2010
    #2

  3. markm75g

    markm75g Guest

    I didn't realize I'd need another firewall. ISA or Forefront running on a
    physical box? (Or another router with a firewall; we do have an old router
    handy.)

    Or is this not the case, as our SonicWall gateway has a port which can be
    labelled "DMZ", layer 2 bridge or passthrough? So, backpedalling from my
    original thought to the latest thoughts based on the passthrough: I'm
    unclear, if this has the passthrough, wouldn't it essentially segment the
    network, not requiring a firewall on top of the existing one?

    I.e.: I'm guessing if I correctly configure the SonicWall port, transparent,
    I can essentially pass through the ISP public connection, avoiding having to
    assign another public IP directly on the unit.

    What I'm not clear on is whether this port is meant to come from the ISP, via
    say a switch, so the connection is split, one to the regular WAN port, the
    other to this DMZ port, or if you are just supposed to plug your "DMZ"
    servers into this gateway port, so they become part of the WAN/DMZ, and then
    assign public IPs on the NICs of the servers (that are in the DMZ)?

    Here are two layouts I originally thought might be the case:

    [Image: Network Topology with DMZ1.jpg,
    http://pqu1oq.blu.livefilestore.com...Y9G8415upw97YtACczV2iZID1fB9W7j4lG1v7/Network Topology with DMZ1.jpg]

    While here is one, based on the new finding of this DMZ (possibly a
    passthrough port):

    [Image: Network Topology with DMZ2 via passthrough.jpg,
    http://pqu1oq.blu.livefilestore.com...esmXNEQ7a2v35NhxqRpQVM4q3nU4-dGHmyRUs/Network Topology with DMZ2 via passthrough.jpg]

    Or perhaps this is the true nature of that X3 port, more of a passthrough to
    another switch or a VLAN on the existing internal switch:

    [Image: Network Topology with DMZ via passthrough planC.jpg,
    http://pqu1oq.blu.livefilestore.com...19ie7o8RB9yl8leh_dVA5cqRwDmDNyhgTwX0X/Network Topology with DMZ via passthrough planC.jpg]
     
    markm75g, Jan 31, 2010
    #3
  4. markm75g

    markm75g Guest

    markm75g, Jan 31, 2010
    #4
  5. Bill Grant

    Bill Grant Guest

    Yes, those are the two most common scenarios. If you go for the 3-homed
    option, both the LAN and the DMZ connect to the SonicWall. The switch
    hosting the DMZ machines would plug into the DMZ port of the SonicWall and
    the switch hosting the LAN machines stays where it is.

    With a back to back firewall setup you ignore the DMZ switch on the
    Sonicwall. The DMZ switch plugs in where your LAN currently connects, and
    you have a second firewall (such as ISA/Forefront) between this and the
    existing LAN.
     
    Bill Grant, Jan 31, 2010
    #5
  6. markm75g

    markm75g Guest


    Awesome, I think I'm getting somewhere now. Thanks.

    So in the 3-homed situation, I wouldn't need that secondary firewall, because
    the SonicWall is sort of providing 2 firewalls in one, basically?

    I'm guessing that I'd use that transparent mode, so I wouldn't actually
    assign a public IP to the DMZ port on the back of the SonicWall.

    The public IPs would go on the NIC of the server in the DMZ. Would that DMZ
    server or edge server just have one NIC, for the public IP, say
    70.22.110.3 etc.?

    I would imagine in certain edge situations, maybe OWA or even an OCS edge
    server, that traffic to the LAN still needs to talk somehow. Does this mean
    I'd need to set up a static route in the router to go from say 70.22.110.3
    to say 192.168.100.1 (gateway), and consequently open up policies to allow
    certain protocols to go through?

    Thanks again
     
    markm75g, Jan 31, 2010
    #6
  7. Your public IP#s have nothing to do with a DMZ,.. and having or not having a
    DMZ has no effect on how you use those IP#s.


    --
    Phillip Windell

    The views expressed, are my own and not those of my employer, or Microsoft,
    or anyone else associated with me, including my cats.
    -----------------------------------------------------
     
    Phillip Windell, Feb 1, 2010
    #7
  8. Kinda sorta, but not exactly. Actually I guess it would be "no". It would
    be one firewall protecting 2 networks.

    No, you would not. The public IP#s would only "live" on the public side, on
    the "outside" of the firewall. 90% of whatever you might do can most
    likely be done with only 1 public IP#. We have 128 public IP#s,...I use
    maybe 4 or 5.

    No, the server would have private IP#s. But it has to be a different subnet
    than the regular LAN. So this is an RFC private set,...so just "make up" a
    new IP range to use for the tri-homed DMZ.

    Policies,...yes.
    Routes,...no.
    All networks in this context are "directly connected" to the firewall,...so
    it "knows" where all of them are.

    In over 10 years I have never become convinced that I need a "DMZ" for
    anything,...and I still don't use one,...and I run the IT systems at an NBC
    affiliated TV news station which is spewing with technology and "gadgets"
    everywhere. But I will try to help others understand how to deploy one if
    they insist that they want one. But I think most people don't need one, don't
    understand why they would or wouldn't need one and have no idea how to deal
    with the excess complexity created by one.
    ....Just my own opinion of course...


    --
    Phillip Windell

     
    Phillip Windell, Feb 1, 2010
    #8
  9. markm75g

    markm75g Guest

    Still not clear why this is called tri-homed, if the servers behind the
    firewall, in the perimeter, don't have 3 network cards? Or does tri-homed
    mean public / can connect to internal via policies / something else?

    So I would essentially be setting up policies to the server(s) behind the
    DMZ firewall, like I do now with our regular LAN behind the firewall. I.e.,
    we only have two external IPs; I open up policies to allow certain ports
    open. It sounds as if I would do the same on the new DMZ zone.

    So if not a DMZ/perimeter, what is your recommendation? Just use NAT
    passthrough policies and only open up what is needed? What about having that
    extra layer of protection?
     
    markm75g, Feb 1, 2010
    #9
  10. Tri-homed: One firewall-3 interfaces. One on the LAN behind the firewall,
    one on the public side in front of the firewall, one "beside" the firewall
    (the DMZ).

    Back-to-Back DMZ: Two firewalls-2 interfaces in each. The DMZ is the
    network "between" the two firewalls.
    I'm not going to tell you to have or not have one. If you don't configure a
    server correctly (securely) on the LAN and publish it to the Internet and
    then get hacked, I don't want the blame. I'm just saying that I have no
    problem doing that,...but I keep my stuff cleanly configured,...I "know what
    I have" and I only publish what is specifically supposed to be available to
    external users.

    It is not NAT passthrough,...there is no such thing. There is a VPN
    passthrough but that doesn't apply here. The process is called Static NAT or
    Reverse NAT,...which may or may not have Port Address Translation running on
    top of it. BTW - there is no such thing as Port Forwarding either (in case
    you mention that next),...that is a "home-user" marketing term that someone
    just "made up" and it got off its leash. I think Linksys is to blame for
    that.

    --
    Phillip Windell

     
    Phillip Windell, Feb 1, 2010
    #10
  11. Bill Grant

    Bill Grant Guest

    I would like to add to Phillip's comments on a DMZ, especially since you
    mentioned whether or not to join the DMZ machines to the domain. This can
    lead to some interesting discussions.

    If you have a firewall between the private LAN and the DMZ there are real
    problems about joining DMZ machines to the domain if the DCs are on the
    private LAN. You need to punch a lot of holes in a firewall to allow all the
    necessary traffic AD needs. This leads to the question of whether there is
    really any point in having the firewall at all if you have to enable so many
    exceptions.
     
    Bill Grant, Feb 1, 2010
    #11
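The tri-homed model Phillip lays out in #8 and #10 (public IPs only on the outside, a separate private range on the DMZ leg, static NAT applied before policy, no routes because every segment is directly connected) and Bill's point in #11 about how many DMZ-to-LAN rules a domain join would need, worked through as a small PowerShell model. This is an added example, not from the thread or from SonicWall: the zone subnets, the 198.51.100.3 public address (standing in for one of the thread's Verizon addresses), the host addresses, rule names and the AD port list are illustrative placeholders, and Test-Flow is a simplified evaluator, not the SonicWall rule engine.

```powershell
# Added example, not from the thread: a tiny model of a tri-homed firewall with
# static NAT. Zones, addresses and rules are illustrative placeholders.

$Zones = @{
    LAN = '192.168.100.0/24'   # existing LAN (the thread's 192.168.100.1 gateway)
    DMZ = '192.168.0.0/24'     # separate RFC 1918 range for the DMZ leg
}                               # anything else is WAN (not directly connected)

# Public IPs live only on the firewall's outside interface. Static (one-to-one)
# NAT maps one of them to one DMZ host; the host itself carries a private IP.
$StaticNat = @{ '198.51.100.3' = '192.168.0.10' }   # placeholder public -> OCS edge

# Default deny between zones; only explicit policies pass traffic.
$Rules = @(
    @{ Name='OWA';       From='WAN'; To='DMZ'; Dst='192.168.0.10';   Port='443'  },
    @{ Name='SIP-TLS';   From='WAN'; To='DMZ'; Dst='192.168.0.10';   Port='5061' },
    @{ Name='Edge-Pool'; From='DMZ'; To='LAN'; Dst='192.168.100.20'; Port='5061' },
    @{ Name='Admin';     From='LAN'; To='DMZ'; Dst='any';            Port='any'  }
)

function ConvertTo-AddressInt ([string]$Ip) {
    $b = [System.Net.IPAddress]::Parse($Ip).GetAddressBytes()
    return ([int64]$b[0] * 16777216) + ([int64]$b[1] * 65536) + ([int64]$b[2] * 256) + [int64]$b[3]
}

function Test-InSubnet ([string]$Ip, [string]$Cidr) {
    $net, $bits = $Cidr -split '/'
    $mask = [int64]([math]::Pow(2, 32) - [math]::Pow(2, 32 - [int]$bits))
    return ((ConvertTo-AddressInt $Ip) -band $mask) -eq ((ConvertTo-AddressInt $net) -band $mask)
}

function Get-Zone ([string]$Ip) {
    # Directly connected networks are known to the firewall; no static routes needed.
    foreach ($z in $Zones.Keys) { if (Test-InSubnet $Ip $Zones[$z]) { return $z } }
    return 'WAN'
}

function Test-Flow ([string]$Src, [string]$Dst, [int]$Port) {
    # Destination NAT is applied before the policy lookup.
    $realDst = if ($StaticNat.ContainsKey($Dst)) { $StaticNat[$Dst] } else { $Dst }
    $from = Get-Zone $Src
    $to   = Get-Zone $realDst
    if ($from -eq $to) {
        return "SAME-ZONE ${from}: ${Src} -> ${realDst}:${Port} (switched, firewall not involved)"
    }
    foreach ($r in $Rules) {
        if ($r.From -eq $from -and $r.To -eq $to -and
            ($r.Dst -eq 'any' -or $r.Dst -eq $realDst) -and
            ($r.Port -eq 'any' -or $r.Port -eq "$Port")) {
            return "ALLOW ${from}->${to}: ${Src} -> ${realDst}:${Port} (rule $($r.Name))"
        }
    }
    return "DENY  ${from}->${to}: ${Src} -> ${realDst}:${Port} (default)"
}

# Joining a DMZ host to the LAN domain: the fixed-port DMZ->LAN rules one DC
# would need for TCP alone, before the RPC dynamic range (49152-65535 on 2008+).
function Get-DomainJoinRules ([string]$Dc) {
    foreach ($p in 53, 88, 135, 389, 445, 464, 636, 3268, 3269) {
        @{ Name="AD-$p"; From='DMZ'; To='LAN'; Dst=$Dc; Port="$p" }
    }
}

# Constructed sample flows (203.0.113.50 is a placeholder Internet client).
$Checks = @(
    @('203.0.113.50',  '198.51.100.3',   443),   # Internet client to the published edge
    @('203.0.113.50',  '198.51.100.3',   22),    # same host, unpublished port
    @('192.168.0.10',  '192.168.100.20', 5061),  # edge to internal pool, explicitly allowed
    @('192.168.0.10',  '192.168.100.5',  445),   # DMZ host to a LAN DC: no rule, denied
    @('192.168.100.7', '192.168.0.10',   3389)   # admin from LAN, permitted by the any rule
)
foreach ($c in $Checks) { Test-Flow $c[0] $c[1] $c[2] }

$adRules = @(Get-DomainJoinRules '192.168.100.5')
"Domain-joining a DMZ host adds $($adRules.Count) fixed-port DMZ->LAN rules plus the RPC dynamic range."
```

The two things to notice are that Get-Zone never consults a route table (the DMZ and LAN are interfaces on the same box, so "routes, no" holds), and that the DMZ-to-DC flow is denied until a rule exists for it; Get-DomainJoinRules shows the size of the exception list a domain join would force through the DMZ-to-LAN boundary, which is the trade-off Bill raises.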
  12. markm75g

    markm75g Guest

    Yeah, I think I will probably go the route of the 3-legged DMZ, using the
    SonicWall 2040 gateway as the only firewall for now: take the DMZ port
    on the SonicWall to a dedicated physical switch, then on to a server or
    Hyper-V host.

    Would using a VLAN on a shared switch be OK to do in this case, rather than
    adding another dedicated one?

    I'm still thinking too that, for now, I'll just take a port from the VLAN or
    from the dedicated switch to an existing Hyper-V LAN server, but to a
    dedicated NIC port, create the virtual NIC, and associate any virtual servers
    that are to be in the DMZ with that virtual switch, at least till we can get
    a dedicated DMZ host for Hyper-V purposes.

    Some topologies call for a reverse proxy setup with ISA 2006. I'm also
    thinking my SonicWall firewall can serve that purpose (I'm still fuzzy on
    this reverse proxy thing).
     
    markm75g, Feb 4, 2010
    #12
  13. VLANs, regular LANs,....irrelevant. The traffic per IP segment is either
    separated or it isn't,...it has to be separated. Don't think that
    virtualization does anything different than un-virtualized,...you have to
    accomplish the same thing no matter if something is virtualized or not
    virtualized or a combination of the two.

    You can't have a reverse proxy,...without a proxy.
    SonicWall is a NAT-based firewall,...not a proxy.

    --
    Phillip Windell

     
    Phillip Windell, Feb 4, 2010
    #13
  14. markm75g

    markm75g Guest

    Oh, well, by VLAN I meant tagging in the hardware switch: putting DMZ ports
    into a VLAN, and the regular LAN traffic is in its own VLAN as well (a
    temporary solution rather than using a dedicated switch to the DMZ port).

    So even if from that VLAN or dedicated switch I go to a separate NIC in the
    Hyper-V host, then create a new virtual switch from that, I guess yes, it's
    not as good as a dedicated box that has nothing but DMZ virtual guests and no
    other NICs connected to the LAN.

    On the reverse proxy, I suppose I could avoid that and configure port 443
    to go through to those services (kinda like I'm doing now) and use a public
    SSL cert on the web services (not as secure, yes, but it would work till I
    have a physical box to put ISA 2006 on, or a virtual ISA 2006. I guess a
    virtual ISA 2006 is almost pointless?)
     
    markm75g, Feb 5, 2010
    #14
  15. Why would it be pointless?

    Virtualization does not "change" anything.

    --
    Phillip Windell

     
    Phillip Windell, Feb 5, 2010
    #15
  16. markm75g

    markm75g Guest

    This is true. I guess I can just associate it on the DMZ virtual switch and
    go from there. Works for our situation anyway.
     
    markm75g, Feb 5, 2010
    #16
  17. markm75g

    markm75g Guest

    Isn't there a newer replacement for ISA these days, Forefront 2010?

    Have you used it by chance, or is the old ISA 2006 still the better bet?

    Many thanks for the assistance, btw. The picture is much clearer now :)
     
    markm75g, Feb 5, 2010
    #17
  18. markm75g

    markm75g Guest

    Also...

    On my switch (can't recall how to do VLANs properly):
    I have VID 01 with all ports in it (for the whole switch) as "untag".

    The options are "untag, tag, not member".

    So if I want 29 through 32 to be the DMZ VLAN,
    do I change them to "not member", right?

    And then create VLAN 02 with 29 through 32 as "tagged"?

    Also, taking that DMZ port out from my firewall (SonicWall), do I just plug
    it into one of the ports, 29 through 32?

    So at this point I would have VID 02 with tagged 29 through 32, 32 being the
    one physical port on my NIC on the Hyper-V server (which I'll turn into a
    virtual DMZ switch), and then say 29 being the DMZ cable from the SonicWall?

    **The only question I still have is: am I better secured using an entirely
    new NIC card, or is just using one of the two existing ports "OK" to
    segregate the DMZ virtual switch from the LAN one (it was an unused
    management port)?

    Thanks much
     
    markm75g, Feb 5, 2010
    #18
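The Hyper-V half of what #12, #14 and #18 settle on (a dedicated physical port on the host carrying only the DMZ VLAN, an external virtual switch bound to that port that the management OS does not share, and only the DMZ guests attached to it) as a PowerShell script. This is an added example and not from the thread; it assumes the Hyper-V PowerShell module, which ships with Windows Server 2012 and later (the 2008 R2 hosts in the thread would do the same steps in Virtual Network Manager or through WMI), and the adapter name DMZ-NIC, the switch names DMZ-vSwitch and LAN-vSwitch, the VM name OCS-EDGE and VLAN ID 2 are all placeholders.

```powershell
# Added example, not from the thread. Assumes the Hyper-V PowerShell module
# (Windows Server 2012+); adapter, switch and VM names and the VLAN ID are
# placeholders to be replaced with the host's real values.
#Requires -Modules Hyper-V
param(
    [string]$PhysicalAdapter = 'DMZ-NIC',      # the unused second port on the host
    [string]$DmzSwitch       = 'DMZ-vSwitch',
    [string]$LanSwitch       = 'LAN-vSwitch',  # the existing switch the LAN guests use
    [string[]]$DmzVms        = @('OCS-EDGE'),
    [int]$DmzVlanId          = 2               # must match the tagged VLAN on the hardware switch
)

# 1. The physical port must not already be bound to another external vSwitch;
#    sharing it would put LAN guests on the DMZ segment.
$nic = Get-NetAdapter -Name $PhysicalAdapter -ErrorAction Stop
$inUse = Get-VMSwitch -SwitchType External |
    Where-Object { $_.NetAdapterInterfaceDescription -eq $nic.InterfaceDescription }
if ($inUse) { throw "$PhysicalAdapter is already bound to vSwitch '$($inUse.Name)'" }

# 2. External switch on the dedicated NIC. -AllowManagementOS $false means the
#    parent partition gets no vNIC on the DMZ segment, so the host itself is
#    reachable only from the LAN side.
if (-not (Get-VMSwitch -Name $DmzSwitch -ErrorAction SilentlyContinue)) {
    New-VMSwitch -Name $DmzSwitch -NetAdapterName $PhysicalAdapter -AllowManagementOS $false | Out-Null
}

# 3. Attach each DMZ guest to the DMZ switch only, in the DMZ VLAN.
foreach ($vmName in $DmzVms) {
    $vm = Get-VM -Name $vmName -ErrorAction Stop

    # Drop any adapter still on the LAN switch so the guest is single-homed.
    Get-VMNetworkAdapter -VM $vm |
        Where-Object { $_.SwitchName -eq $LanSwitch } |
        Remove-VMNetworkAdapter

    $dmzNic = Get-VMNetworkAdapter -VM $vm | Where-Object { $_.SwitchName -eq $DmzSwitch }
    if (-not $dmzNic) {
        $dmzNic = Add-VMNetworkAdapter -VM $vm -SwitchName $DmzSwitch -Name 'DMZ' -Passthru
    }
    # The hardware switch port is a tagged member of the DMZ VLAN, so the vSwitch
    # tags/untags for the guest here; the guest OS sees plain frames.
    Set-VMNetworkAdapterVlan -VMNetworkAdapter $dmzNic -Access -VlanId $DmzVlanId
}

# 4. Audit: a guest with adapters on both switches bridges DMZ and LAN around
#    the firewall, which is exactly what the dedicated port is meant to prevent.
$dualHomed = Get-VM | Where-Object {
    $switches = @((Get-VMNetworkAdapter -VM $_).SwitchName | Sort-Object -Unique)
    ($switches -contains $DmzSwitch) -and ($switches -contains $LanSwitch)
}
if ($dualHomed) {
    Write-Warning "Dual-homed guests bridge DMZ and LAN: $($dualHomed.Name -join ', ')"
} else {
    Write-Host "No guest is attached to both $DmzSwitch and $LanSwitch."
}
```

Run it on the host as an administrator. Setting -Access -VlanId 2 on the guest adapter matches the plan in #18 of making port 32 a tagged member of the DMZ VLAN; if that port were instead an untagged member, replace that line with Set-VMNetworkAdapterVlan -VMNetworkAdapter $dmzNic -Untagged. The audit in step 4 is the part worth re-running after any VM change, since a second adapter added to a DMZ guest later is the easiest way to quietly undo the separation.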
  19. markm75g

    markm75g Guest

    Sorry, just a few more notes on my test here:

    In the SonicWall 2040 DMZ options:
    I'm confused as to which option I should be selecting for IP assignment.

    Ideally the machines in the DMZ will have both a new subnet (different from
    the LAN, but local), and some boxes could get public IPs. I have 5 public
    IPs to pick from, plus the one we already use on X2 for this ISP.

    Should I select transparent mode, static or layer 2 bridge?

    From the sounds of it, I guess I have to go with static, designate this IP
    to be the gateway... so in the public IP on the virtual server for that LAN
    connection I'd put yet another public IP from my 5, and the gateway as this
    static? **EDIT: if I try to do static I get "Subnet on this interface
    overlaps with another interface".

    EDIT again: I put in 192.168.0.1 rather than the public IP next in line, and
    it took that. I guess it was looking for the DMZ private IP address, not
    publicly available ones? So now I would put say 192.168.0.2 on the NIC port
    on the Hyper-V server, with DNS of 192.168.0.1? (Or am I going to need my
    own DNS server in this new DMZ zone now, with appropriate ports opened up?)
     
    markm75g, Feb 5, 2010
    #19
  20. Forefront is a suite,...not a specific product.

    ISA 2008 was renamed to TMG (Threat Management Gateway).

    It is almost identical to ISA 2006 except for having additional features
    that 2006 lacked. For all intents and purposes it is just "ISA 2008" with a
    new name.


    --
    Phillip Windell

     
    Phillip Windell, Feb 8, 2010
    #20