I would get a separate webserver. We have our own private network (VLAN) for our webserver. Our main network is not exposed to the world. Our Exchange is, obviously, but only for incoming mail.
Just a suggestion
ittech's idea for the DCs is pretty good
Last edited by FN-GM; 6th February 2008 at 10:41 PM. Reason: typo
So you're not getting the servers then?
Oh right, it's a project. I get you now! Sorry, I didn't read it properly, a blonde moment.
I've already written about the different servers, so really I would like to get my head around DMZs rather than using a VLAN. When a DMZ is used, is there anything additional that I need to show in a network diagram, or is the DMZ simply configured through the server? I'm clueless.
Internet | Firewall | [Web Server/Exchange Server] | Firewall | Servers
The part in brackets would obviously be the DMZ. What exactly do I require to create the DMZ, and also, as mentioned above, how do I authenticate the Exchange users if there is a DMZ?
Last edited by Edu-IT; 6th February 2008 at 11:29 PM.
Well, the way a DMZ usually works is that a physically segmented network (or a virtually segmented one with ACLs in place) is used to host the externally facing services. The internal network is allowed to communicate with those services via the router/firewall, but the server is not allowed to communicate with internal hosts directly.
The way I'd probably do it is to have 3 network cards in the smoothwall box: 1 for the LAN, 1 for the router and 1 for the DMZ. Then plug the router directly into the smoothwall box and the other 2 either into the same switch but on different VLANs, or into 2 different switches that can't directly talk to each other.
But there are, of course, other ways of doing it.
I'm well and truly confused. I take it that I would then configure the VLANs through the SmoothWall or have I completely missed the point?
I've gone for the SmoothGuard 1000-UTM box which has "7 Gigabit Ethernet interfaces configurable as any combination of external, DMZ or local networks".
If you were to go with the VLAN option, you would plug the cables into the switch from the smoothwall box and set up the VLANs on the switch, assigning each port that connects in to a different VLAN. You would allow inter-VLAN routing between any VLANs on the internal network, but not between the DMZ and the internal network. The smoothwall box would be used as the router for that, and then firewall rules would be used to allow traffic through or not.
On the smoothwall box (I've not used smoothwall in a while so this may be a little different) you would then assign the connected interfaces to their functions: internal (green), external (red) and DMZ (orange).
Quoting: "If you were to go with the VLAN option, you would plug the cables into the switch from the smoothwall box, and set up the VLANs on the switch"
In the server room there will be a fibre feed which connects to a switch. I've been told that this could cause a bottleneck; any suggestions as to what else to do? The seven servers then connect to this switch. Are you saying that I should connect the cables to the switch on the SmoothWall box and not the other switch I've put in place? Or could I configure the different VLANs on the switch I already have and simply connect the SmoothWall box to this switch?
The only servers connecting to the outside world will be the Web Server/Exchange server so does this class as external or DMZ? I would think DMZ.
Sorry if this seems simple.
Last edited by Edu-IT; 7th February 2008 at 10:48 AM.
For the first, the switch would have 3 VLANs set up with the smoothwall box plugged in to 3 ports, each on a different VLAN. The router would be on another port in 1 VLAN, and the DMZ'd servers (website and Exchange) would be on another 2 ports, only in that VLAN. Then the smoothwall box would have the appropriate rules set up to allow access to the internet and DMZ from internal, and access to the DMZ from external.
In the second, the switch is dedicated to the internal LAN, the router is plugged directly into the smoothwall box, as are the 2 DMZ'd servers, and 1 port plugs in to the switch. Then appropriate rules are set up as in the first.
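As an added illustration (not from anyone in this thread), here is the three-zone policy described above written out as an nftables ruleset; Smoothwall itself is configured through its web interface, not a file like this, and the interface names, addresses and the domain controller on the LAN are all assumptions.

```nft
# Added example: green = internal LAN, red = towards the ISP router, orange = DMZ.
# Interface names and addresses are assumed values, not from the thread.
define green  = eth0
define red    = eth1
define orange = eth2
define web_srv  = 192.168.100.10   # assumed DMZ web server
define mail_srv = 192.168.100.20   # assumed DMZ Exchange server
define dc_srv   = 10.0.0.5         # assumed domain controller on the LAN

table inet firewall {
    chain forward {
        type filter hook forward priority 0; policy drop;

        # Stateful: replies to allowed flows pass, malformed packets do not.
        ct state established,related accept
        ct state invalid drop

        # Internal -> internet: general outbound access.
        iifname $green oifname $red accept

        # Internal -> DMZ: users reach the web and mail services only.
        iifname $green oifname $orange ip daddr $web_srv  tcp dport { 80, 443 } accept
        iifname $green oifname $orange ip daddr $mail_srv tcp dport { 25, 80, 443 } accept

        # External -> DMZ: only the published services, nothing else.
        iifname $red oifname $orange ip daddr $web_srv  tcp dport { 80, 443 } accept
        iifname $red oifname $orange ip daddr $mail_srv tcp dport { 25, 443 } accept

        # DMZ -> internal: blocked, except the pinholes the Exchange server needs
        # to authenticate users against the DC (Kerberos, LDAP, DNS shown here;
        # the full list for the Exchange version in use comes from Microsoft).
        iifname $orange oifname $green ip saddr $mail_srv ip daddr $dc_srv tcp dport { 53, 88, 389, 636 } accept
        iifname $orange oifname $green ip saddr $mail_srv ip daddr $dc_srv udp dport { 53, 88 } accept

        # DMZ -> internet: outbound mail and updates only.
        iifname $orange oifname $red tcp dport { 25, 80, 443 } accept

        # Anything else falls to the drop policy; log it so a DMZ host trying to
        # open connections inwards is visible.
        log prefix "fw-drop: " drop
    }
}
```

Without the DC pinholes the Exchange box cannot authenticate anyone, which is why the question of rules and the question of Exchange authentication are really the same question.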
Thanks for that. Starting to make sense now. I take it the rules that I configure will allow Exchange to authenticate users?
What about users accessing the Exchange server externally? By the way, what did you use to create those network diagrams?
Last edited by Edu-IT; 7th February 2008 at 01:32 PM.
If I've understood correctly then this is how it will be. What did you use to create the network diagrams?
Another thought I've just had: if I don't allow the DMZ and the internal VLAN to communicate, then does that mean access to the Exchange server/web server can only be done over the internet, or would the firewall rules allow the communication?
Last edited by Edu-IT; 7th February 2008 at 02:20 PM.