New web server setup recommendations please!

Status
Not open for further replies.

Finchmore

IS-IT--Management
Jan 28, 2004
43
GB
Hi All,

I am currently in the process of setting up a new web server within our NT network but would be really grateful for some help and assistance in understanding how it all fits together.

The web server is to be positioned in a DMZ using a ZyWALL 100 firewall but needs to connect internally to our NT network to pull data (client’s stock and stock quantities) from a dedicated SQL server. I have a general feel for how the topology should look but have a list of questions that I don’t have answers for! If anyone can help with specific answers, recommended websites or literature, I’d be really grateful.

1) Our ISP is BT and the router they supplied is a “No-NAT” version. Do I need to upgrade the router to allow NAT or will the firewall cope with this?

2) The web server comes with two NICs. I assume one physically attaches to the firewall but I’m not sure if the second one is required or not. If it is, where does it connect?

3) I have been given varying information as to which ports need to be opened/closed. As we only need web access to the web server (no email) from the internet, which ports need to be closed?

Many thanks.
 
1. The firewall should cope with this.
2. Ideally you would team the NICs together and stick them into two different switches for redundancy but I doubt your setup is that big. Just configure one and leave the other empty for now.
3. You need to open TCP port 1433 from your DMZ to your SQLServer (assuming it is SQL?). I assume your internal clients will also need access to this server? Then you need to open port 80 from Internal to DMZ. Are you using SSL? Then you will also need 443 from Internal to DMZ.

Summary:

External -> DMZ : TCP 80 (maybe 443)
DMZ -> Internal : TCP 1433 if SQLServer
Internal -> DMZ : TCP 80 (Maybe 443)
Internal -> External : Any port that you may want your clients to browse the internet by or NONE.
External -> Internal : NONE

I've not used the ZyWall but you may have to set up corresponding rules as well but I doubt it.
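
The zone matrix in the summary above, turned into a check that flags allow rules wider than it permits. This is an added example, not part of the original posts; the rule format, rule names and sample rules are constructed and are not ZyWALL syntax, and each rule is judged on its own without modelling rule order.

```python
from typing import NamedTuple

class Rule(NamedTuple):
    name: str
    src: str        # zone: "external", "dmz" or "internal"
    dst: str
    proto: str      # "tcp", "udp" or "any"
    ports: tuple    # inclusive (low, high) destination port range
    action: str     # "allow" or "deny"

# TCP destination ports the summary permits per (source zone, destination zone).
# Internal -> External is left to local choice in the thread, so it is not audited.
POLICY = {
    ("external", "dmz"): {80, 443},
    ("dmz", "internal"): {1433},
    ("internal", "dmz"): {80, 443},
    ("external", "internal"): set(),   # NONE
}

def audit(rules):
    """Return (rule name, reason) for every allow rule wider than the matrix."""
    findings = []
    for r in rules:
        allowed = POLICY.get((r.src, r.dst))
        if r.action != "allow" or allowed is None:
            continue
        if r.proto != "tcp":
            findings.append((r.name, f"{r.proto} allowed {r.src}->{r.dst}, matrix is TCP only"))
            continue
        low, high = r.ports
        extra = sum(1 for p in range(low, high + 1) if p not in allowed)
        if extra:
            limit = sorted(allowed) or "NONE"
            findings.append((r.name, f"{r.src}->{r.dst} opens {extra} port(s) outside {limit}"))
    return findings

# Constructed sample rule set (hypothetical names, assumed for illustration).
SAMPLE_RULES = [
    Rule("web-in", "external", "dmz", "tcp", (80, 80), "allow"),
    Rule("web-ssl-in", "external", "dmz", "tcp", (443, 443), "allow"),
    Rule("sql-out", "dmz", "internal", "tcp", (1433, 1433), "allow"),
    Rule("dmz-netbios", "dmz", "internal", "tcp", (135, 139), "allow"),
    Rule("dmz-any", "dmz", "internal", "any", (0, 65535), "allow"),
    Rule("remote-admin", "external", "internal", "tcp", (3389, 3389), "allow"),
    Rule("drop-rest", "external", "internal", "any", (0, 65535), "deny"),
]

if __name__ == "__main__":
    for name, reason in audit(SAMPLE_RULES):
        print(f"{name}: {reason}")
```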
 
Hi Castor,

Many, many thanks for this feedback, it's just what I needed to hear.

Yes, we are using SQL for the data but I'm not sure about SSL for encryption. How do I go about initiating this part of the process? Do I have to buy additional software or is it bundled within IIS or something similar?

Thanks again.

Rgds.

Finchmore
 
SSL Support is built-in but you would need an SSL certificate. If you are only securing the data for internal or extranet access then you should be able to generate one yourself. If you are dealing with end-users, i.e. customers, then you will probably need to buy a commercial one. Geotrust or Verisign do them.

To get one you will need to generate a certificate request (google the answer to that) and send it off to the 3rd party or to your own certificate manager. Then take the reply and process it. Lots of info on MS site or on the web in general on doing this. Initially I wouldn't worry about it.
 