Firewall, VPN and SQL Server


  1. #1

    Firewall, VPN and SQL Server

    I'm setting up a Linux firewall for my company's T1. All of our other machines
    will be windoze. I also need to set up a Windows VPN server (can't use the Linux
    clients for reasons I can't get into here).

    1) Someone suggested to me that I put the VPN in the Linux DMZ and forward the
    ports to that machine. Does that make sense?

    2) I also have another security question which I have no idea how to handle. We
    have some application (IIS) servers that we want on the internet. I can put
    those outside of the firewall (or port forward 80 to that machine), BUT those
    machines will need access to servers INSIDE the firewall (SQL Server). Any
    suggestions on how to handle this one? I haven't a clue :(

    -Mike

    Mike Forman Guest

  3. #2

    Re: Firewall, VPN and SQL Server

    Thanks for the great reply! That was very informative. I have a couple of
    followup questions.

    >In general, I always VPN into the firewall appliance and then create
    >rules that allow the VPN group(s) to access the resources that I want
    >them to be able to access.
    I need to use a Microsoft VPN server to handle this, so if my firewall is Linux,
    how could I accomplish this?

    >Third - Make a LAN port 80/443 to DMZ port 80/433 (ANY IP address on the
    >LAN) - do not map from the DMZ to the LAN with this rule.
    >

    I'm a bit unclear what the above step does. What does this allow you to do?


    Thanks again,

    -Mike

    Mike Forman Guest

  4. #3

    Re: Firewall, VPN and SQL Server

    Hi, Mike,

    1) Is someone suggesting to put the Linux firewall/VPN in the DMZ? If so,
    do you already have another firewall at the main gateway? It does make
    sense to have a Linux VPN in another location, if you already have a
    firewall to act as traffic cop for the traffic dedicated to the Linux VPN
    in the DMZ. Forwarding traffic to another server, especially when you are
    dealing with issues with NAT & outside accessible 2-way traffic, does
    make sense.

    2) Create an IPsec site-to-site VPN using a small firewall/VPN
    box/software residing on the ISS server, and make the appropriate
    configurations on the gateway firewall to handle the secure 2-way
    traffic to the secure SQL server on the inside. The setup needs to
    take care of VPN traffic initiated from both inside and outside
    using site-to-site VPN.

    Dean




    Mike Forman <ec-nospam@microsoft.com> wrote in message news:<74883250.0000426f.062@drn.newsguy.com>...
    > I'm setting up a Linux firewall for my company's T1. All of our other machines
    > will be windoze. I also need to set up a Windows VPN server (can't use the Linux
    > clients for reasons I can't get into here).
    >
    > 1) Someone suggested to me that I put the VPN in the Linux DMZ and forward the
    > ports to that machine. Does that make sense?
    >
    > 2) I also have another security question which I have no idea how to handle. We
    > have some application (IIS) servers that we want on the internet. I can put
    > those outside of the firewall (or port forward 80 to that machine), BUT those
    > machines will need access to servers INSIDE the firewall (SQL Server). Any
    > suggestions on how to handle this one? I haven't a clue :(
    >
    > -Mike
    ELE OLO Guest

  5. #4

    Re: Firewall, VPN and SQL Server

    "Mike Forman" <ec-nospam@microsoft.com> wrote in message
    news:74928729.0000e616.099@drn.newsguy.com...
    > >Third - Make a LAN port 80/443 to DMZ port 80/433 (ANY IP address on the
    > >LAN) - do not map from the DMZ to the LAN with this rule.
    >
    > I'm a bit unclear what the above step does. What does this allow you to
    > do?

    This also allows workers to connect to your web server from the intranet/LAN.


    Pertti Kosunen Guest
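
The rule discussed in this thread (LAN to the DMZ web server on 80/443, with nothing opened from the DMZ back to the LAN by that rule), written as a Linux iptables forwarding policy. This is an added example, not code from any poster: the interface names, the addresses and the single DMZ-to-SQL exception on TCP 1433 (SQL Server's default port) are assumptions, and NAT/port forwarding is left out.

```shell
#!/bin/sh
# Constructed topology (assumptions, not taken from the thread)
WAN_IF=eth0                # T1 / internet side
LAN_IF=eth1                # internal Windows LAN
DMZ_IF=eth2                # DMZ segment holding the IIS server
IIS_IP=172.16.1.10         # IIS server in the DMZ
SQL_IP=10.0.0.20           # SQL Server on the LAN
SQL_PORT=1433              # SQL Server default TCP port

# Emit the FORWARD policy in iptables-restore format.
gen_rules() {
cat <<EOF
*filter
:FORWARD DROP [0:0]
# Replies to connections an earlier rule already allowed
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# Internet -> DMZ web server
-A FORWARD -i $WAN_IF -o $DMZ_IF -d $IIS_IP -p tcp -m multiport --dports 80,443 -m conntrack --ctstate NEW -j ACCEPT
# LAN -> DMZ web server (the "Third" rule quoted in the thread)
-A FORWARD -i $LAN_IF -o $DMZ_IF -d $IIS_IP -p tcp -m multiport --dports 80,443 -m conntrack --ctstate NEW -j ACCEPT
# Only DMZ -> LAN opening: the IIS host to the SQL Server port
-A FORWARD -i $DMZ_IF -o $LAN_IF -s $IIS_IP -d $SQL_IP -p tcp --dport $SQL_PORT -m conntrack --ctstate NEW -j ACCEPT
# Log, then drop, anything else the DMZ tries to open toward the LAN
-A FORWARD -i $DMZ_IF -o $LAN_IF -j LOG --log-prefix "DMZ->LAN drop: "
-A FORWARD -i $DMZ_IF -o $LAN_IF -j DROP
COMMIT
EOF
}

# Audit helper: count ACCEPT rules that let the DMZ initiate traffic to the LAN.
# A result other than 1 means the SQL exception is missing or has grown.
dmz_to_lan_accepts() {
    gen_rules | grep -c -e "-i $DMZ_IF -o $LAN_IF .*-j ACCEPT"
}

gen_rules
```

On the firewall itself, `gen_rules | iptables-restore --test` (as root) parses the ruleset without applying it.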
