Two tier firewall

aung.htwe
Level 1

Hi,

I have to configure a data centre network with a two-tier firewall.

Our data centre will have DMZ servers and a Microsoft Lync Server.

The server team advised me to put the DMZ servers between two firewalls.

So I need to NAT on the front-end firewall between the DMZ LAN and the public IP addresses.

At the back-end firewall I also have to NAT (internal LAN and DMZ second interface).

Please check the link below: which design do you prefer?

http://etherealmind.com/design-enterprise-dmz-firewall-clusters/

Please advise me.

Thanks,

Ko Htwe

10 Replies

Collin Clark
VIP Alumni

I usually do a DMZ between the firewalls. I recently did that with a Lync deployment and it works just fine.

Thanks Collin,

Can I use this design? Please advise me.

Please advise me, thanks.

Ko Htwe

That will work, but it doesn't make much sense and makes it more complicated than it needs to be. Why have dual NIC's in the servers with one in each network? That will make it a routing mess on the servers. Why not have a single NIC in the server and place it in the 192.168.0.0/24 network?

Hi Collin,

This server is a Lync Edge server. My idea is one network card to NAT with a public IP address (172.16.2.x NAT with public IP). The other is for the internal firewall, to NAT with the internal network (20.20.0.x NAT with internal IP 10.10.0.x).

Your suggestion is to use one NIC with one IP address for the DMZ server going to both firewalls, is it?

Please advise me, thanks.

Thanks,

Ko Htwe

By using one NIC in the server, you can accomplish the same thing as two NIC's and I think it keeps the design simpler.

Thanks Collin, I appreciate that. If I do this design, what will cause issues and what will the advantages be?

Thanks,

Ko Htwe

What do you mean by cause the issue?

Hi Collin,

If I use this design, what are the disadvantages?

Thanks,

Ko Htwe

Compared to what Microsoft wants it to be a disadvantage is that the Edge Server won't be acting as a security device. Also you'll have to create NAT's and ACL's on the backside firewall for connectivity to the corporate LAN. I personally don't see those as disadvantages (and neither do most security engineers), but Microsoft doesn't like it.
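Added example, not from this thread or from Cisco, of what the single-NIC layout in the accepted answer looks like in Cisco ASA (8.3+) object-NAT syntax. Interface names, object names, the hosts 172.16.2.10, 172.16.2.20 and 10.10.0.20, and the ports opened are assumptions; <PUBLIC_IP> is a placeholder for the real public address, and the Edge ports you actually permit depend on the Edge roles deployed.

```text
! --- Outer, Internet-facing firewall: interfaces "outside" and "dmz" (172.16.2.0/24) ---
! Hypothetical object names/addresses. The Edge server has one NIC in the DMZ and is
! published to the Internet with a static translation.
object network lync-edge-dmz
 host 172.16.2.10
 nat (dmz,outside) static <PUBLIC_IP>
!
! Only the Edge services in use are opened; TCP 443 and 5061 are shown as an illustration.
! ASA 8.3+ ACLs reference the real (untranslated) address, hence the object, not <PUBLIC_IP>.
access-list outside_in extended permit tcp any object lync-edge-dmz eq 443
access-list outside_in extended permit tcp any object lync-edge-dmz eq 5061
access-list outside_in extended deny ip any any log
access-group outside_in in interface outside

! --- Inner firewall: interfaces "dmz" (172.16.2.0/24) and "inside" (10.10.0.0/24) ---
! This is the extra NAT and ACL work the answer mentions: the internal Lync pool is given a
! DMZ-side address so the Edge server can reach it, and only the listed DMZ-to-inside flows
! are allowed; everything else from the DMZ is dropped and logged.
object network lync-pool-inside
 host 10.10.0.20
 nat (inside,dmz) static 172.16.2.20
!
object network lync-edge-dmz
 host 172.16.2.10
!
! Static object NAT is bidirectional, so the Edge connects to 172.16.2.20 and the firewall
! delivers it to 10.10.0.20; the ACL is written against the real inside address.
access-list dmz_in extended permit tcp object lync-edge-dmz object lync-pool-inside eq 5061
access-list dmz_in extended deny ip any any log
access-group dmz_in in interface dmz
```

The deny-and-log lines are what make the inner firewall worth having: a DMZ host that starts probing the corporate LAN shows up in the log rather than succeeding silently.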

Thanks Collin,

Please check this design; actually, I proposed this design. Can you advise me on the advantages and disadvantages?

Thanks,

Ko Htwe
