
Best practice to setup a DMZ? (hyperV and guests)


markm75g

Jan 29, 2010, 10:38:03 PM

I've never set up a DMZ to this day.. we just purchased a five pack of IPs
from our one ISP (Verizon)..

I want to get things set up so that I'm no longer just opening and closing
ports on the Sonicwall email security firewall gateway, which is basically
how I've been doing things for a while..

i.e.:

Cloud---->ISP--->Sonicwall----->LAN

(side info): We now have two Hyper-V servers, each with around 10 VMs, all
residing on a single spindle of drives in each server, RAID6, roughly 6-7
drives each, for better read speeds..

We run Exchange 2010 and I'm in the process of redoing the OCS 2007 R2
installation, this time with an edge server (it's my understanding that the
voice component, and maybe the web conferencing one?, with OCS shouldn't be
virtualized, as well as the UM role with Exchange 2010)..

So my goal here is to set up this edge server for OCS and set up Exchange 2010
correctly DMZ-wise (not clear on how that would be yet.. maybe the CAS/HUB in
a VM which is DMZ)...

Things I'm not clear on:
I'm not sure, with a server in the DMZ, like the OCS edge server, or even an
FTP service running on one, if those should be joined to the domain.. in the
case of the CAS/HUB for Exchange, I would think it would have to be..

One suggestion was that I should have a hub or switch sitting in between the port
going to my Hyper-V server card (the one I'd dedicate as DMZ) and the
Sonicwall.. this doesn't make sense to me...

So how should my setup look, do I simply put those external IPs on one NIC
port of the Hyper-V server and one on the associated guest or guests (2 in the
case of two DMZs + the Hyper-V server host)?

Would the guest have two virtual NICs.. one for the DMZ external IP and the
other for the local LAN?

Wouldn't I have to set up a virtual network switch on the Hyper-V host as well?

I'm thinking the layout may look like this:

Cloud--->ISP--->ExtraPhysicalSwitch-------->A "DMZ" dedicated port on
hyperv(turn into virtual network switch)------>VMguest DMZ virtual port

^In the above setup, I'd have a LAN cable coming out of the
ExtraPhysicalSwitch and going into my Sonicwall firewall's 2nd or 3rd port

I think I'd have to set up a static route in the router as well?

Any thoughts on all this?

Thanks


Bill Grant

Jan 30, 2010, 7:31:30 PM

"markm75g" <mark...@discussions.microsoft.com> wrote in message
news:BB3D89AF-D12E-4283...@microsoft.com...

If you want your DMZ servers to have direct access to the Internet you
would give them public IPs from the batch you purchased. If you want them
to have private IPs you would allocate the public IPs to your edge server
and map them to the machines on the private network.

It is possible to run a DMZ with virtual machines and virtual networks,
but in this case I would run your DMZ on physical hardware. What were you
planning to put in the DMZ? Just Exchange and the OCS server? Will you keep
the Sonicwall as your edge server?

A DMZ, by definition, is not really part of the public Internet or the
LAN. The most common setup is the back to back firewall model, where you
have one firewall between the Internet and the DMZ and another between the
DMZ and the LAN. You would need a second firewall between the DMZ and the
private LAN. Since your virtual machines run on different hosts, I would use
a hardware firewall or firewall software running on physical hardware for
this second firewall. The routing and network config would get complicated
trying to run this firewall in a vm.

To sum up, I would recommend that you essentially leave your Hyper-V
servers and their vms alone and build your DMZ between them and the
Internet.

Internet
|
firewall (Sonicwall?)
|
DMZ
|
new firewall
|
existing LAN.

I love playing with virtual machines and virtual networks, but my honest
opinion is that a DMZ on a physical network is the best solution in this
case.

markm75g

Jan 30, 2010, 10:48:01 PM

I didn't realize I'd need another firewall.. ISA or Forefront running on a
physical box? (or another router with a firewall, we do have an old router
handy)..

Or.. is this not the case, as our Sonicwall gateway has a port which can be
labelled "DMZ", layer 2 bridge or passthrough.. so backpedalling, starting from
my original thought, to the latest thoughts based on the passthrough.. I'm
unclear, if this has the passthrough, wouldn't it essentially segment the
network, not requiring a firewall on top of the existing one..

i.e.: I'm guessing if I correctly configure the Sonicwall port, transparent,
I can essentially pass through the ISP public connection, avoiding having to
assign another public IP directly on the unit..

What I'm not clear on is if this port is meant to come from the ISP, via say a
switch, so the connection is split, one to the regular WAN port, the other to
this DMZ port.. or.. if you are just supposed to plug your "DMZ" servers into
this gateway port, so they become part of the WAN/DMZ and then assign public
IPs on the NICs of the servers (that are in the DMZ)?

Here are two layouts I originally thought might be the case:

[image: Network Topology with DMZ1.jpg]

While here is one, based on the new finding of this DMZ (possibly a
passthrough port):

[image: Network Topology with DMZ2 via passthrough.jpg]

Or perhaps this is the true nature of that X3 port, more of a passthrough to
another switch or a VLAN on the existing internal switch:

[image: Network Topology with DMZ via passthrough planC.jpg]

markm75g

Jan 30, 2010, 11:39:01 PM

I should have also added:

Would C be considered a 3-homed firewall as described here:
http://blogs.msdn.com/rds/archive/2009/07/31/rd-gateway-deployment-in-a-perimeter-network-firewall-rules.aspx

I'm not clear, where they describe the 3-homed part, whether they are referring
to a server having 3 network cards or the firewall having 3 network ports
(like the Sonicwall).

Bill Grant

Jan 31, 2010, 12:04:01 AM


"markm75g" <mark...@discussions.microsoft.com> wrote in message

news:30997720-2B80-414E...@microsoft.com...

Yes, those are the two most common scenarios. If you go for the 3-homed
option, both the LAN and the DMZ connect to the Sonicwall. The switch
hosting the DMZ machines would plug into the DMZ port of the Sonicwall and
the switch hosting the LAN machines stays where it is.

With a back to back firewall setup you ignore the DMZ switch on the
Sonicwall. The DMZ switch plugs in where your LAN currently connects, and
you have a second firewall (such as ISA/Forefront) between this and the
existing LAN.

markm75g

Jan 31, 2010, 12:14:01 PM

Awesome, I think I'm getting somewhere now.. thanks..

So in the 3-homed situation.. I wouldn't need that secondary firewall, because
the Sonicwall is sort of providing 2 firewalls in one basically?

I'm guessing that I'd use that transparent mode.. so I wouldn't actually
assign a public IP to the DMZ port on the back of the Sonicwall..

The public IPs would go on the NIC on the server in the DMZ.. would that
DMZ server or edge server just have one NIC, for the public IP.. say
70.22.110.3 etc?

I would imagine in certain edge situations, maybe OWA or even an OCS edge
server, that traffic to the LAN still needs to talk somehow.. does this mean
I'd need to set up a static route in the router to go from say 70.22.110.3 to
say 192.168.100.1 (gateway).. and consequently open up policies to allow
certain protocols to go through?

Thanks again

Phillip Windell

Feb 1, 2010, 9:34:41 AM

"markm75g" <mark...@discussions.microsoft.com> wrote in message
news:BB3D89AF-D12E-4283...@microsoft.com...

> I've never set up a dmz to this day.. we just purchased a five pack of ips
> from our one ISP (verizon)..
>
> I want to get things setup so that i'm no longer just opening and closing
> ports on the sonicwall email security firewall gateway, which is basically
> how i've been doing things for a while..

Your public IP#s have nothing to do with a DMZ,.. and having or not having a
DMZ has no effect on how you use those IP#s.


--
Phillip Windell

The views expressed, are my own and not those of my employer, or Microsoft,
or anyone else associated with me, including my cats.
-----------------------------------------------------


Phillip Windell

Feb 1, 2010, 9:48:06 AM

"markm75g" <mark...@discussions.microsoft.com> wrote in message
news:8F119C5F-1C47-4EAA...@microsoft.com...

> So in the 3 home situation.. i wouldnt need that 2ndary firewall, because
> the sonicwall is sort of providing 2 firewalls in one basically?

Kinda sorta, but not exactly. Actually I guess it would be "no". It would
be one Firewall protecting 2 networks.

> I'm guessing that i'd use that transparent mode.. so i wouldnt actually
> assign a public ip to the dmz port on the back of the sonicwall..

No you would not. The public IP#s would only "live" on the public side, on
the "outside" of the firewall. 90% of whatever you might do can most
likely be done with only 1 public IP#. We have 128 public IP#s,...I use
maybe 4 or 5.

> The public ips would go in the nic on the server in the dmz .. would that
> dmz server or edge server, just have one nic, for the public ip.. say
> 70.22.110.3 etc?

No, the server would have Private IP#s. But it has to be a different subnet
than the regular LAN. So this is an RFC Private Set,...so just "make up" a
new IP range to use for the Tri-Homed DMZ.

> I would imagine in certain edge situations, maybe owa or even an ocs edge
> server, that traffic to the lan still needs to talk somehow.. does this
> mean
> i'd need to setup a static route in the router to go from say 70.22.110.3
> to
> say 192.168.100.1 (gateway).. and consequently open up policies to allow
> certain protocols to go through?

Policies,...yes.
Routes,...no.
All networks in this context are "directly connected" to the firewall,...so
it "knows" where all of them are.

In over 10 years I have never become convinced that I need a "DMZ" for
anything,...and I still don't use one,...and I run the IT systems at an NBC
affiliated TV News Station which is spewing with technology and "gadgets"
everywhere. But I will try to help others understand how to deploy one if
they insist that they want one. But I think most people don't need one, don't
understand why they would or wouldn't need one and have no idea how to deal
with the excess complexity created by one.
...Just my own opinion of course...

markm75g

Feb 1, 2010, 12:25:01 PM


Still not clear why this is called TriHomed.. if the servers behind the
firewall, in the perimeter, don't have 3 network cards? Or is trihomed meaning
public can connect to internal via policies/something else..

So I would be essentially setting up policies to the server(s) behind the
DMZ firewall, like I do now with our regular LAN behind the firewall.. i.e.: we
only have two external IPs.. I open up policies to allow certain ports open..
sounds as if I would do the same on the new DMZ zone.

So if not a DMZ/perimeter.. what is your recommendation? Just use NAT
passthrough policies and only open up what is needed.. what about having that
extra layer of protection?


Phillip Windell

Feb 1, 2010, 2:56:15 PM

"markm75g" <mark...@discussions.microsoft.com> wrote in message
news:7632ACC4-825A-4AD6...@microsoft.com...

> Still not clear why this is called TriHomed.. if the servers behind the
> firewall, in the permiter dont have 3 network cards? Or is trihomed
> meaning,
> public/ can connect to internal via policies/ something else..

Tri-homed: One firewall, 3 interfaces. One on the LAN behind the firewall,
one on the public side in front of the firewall, one "beside" the firewall
(the DMZ).

Back-to-Back DMZ: Two firewalls, 2 interfaces in each. The DMZ is the
network "between" the two firewalls.

> So i would be essentially setting up policies to the server(s) behind the
> dmz firewall, like i do now with our regular lan behind the firewall.. ie:
> we
> only have two external ips.. i open up policies to allow certain ports
> open..
> sounds as if i would do the same on the new dmz zone.

Yes,..exactly.

> So if not a dmz/perimiter.. what is your recommendation? Just use nat
> passthrough policies and only open up what is needed.. what about having
> that
> extra layer of protection?

I'm not going to tell you to have or not have one. If you don't configure a
server correctly (securely) on the LAN and publish it to the Internet and
then get hacked, I don't want the blame. I'm just saying that I have no
problem doing that,...but I keep my stuff cleanly configured,...I "know what
I have" and I only publish what is specifically supposed to be available to
external users.

It is not NAT passthrough,...there is no such thing. There is a VPN
Passthrough but it doesn't apply here. The process is called Static NAT or
Reverse NAT,...which may or may not have Port Address Translation running on
top of it. BTW - there is no such thing as Port Forwarding either (in case
you mention that next),...that is a "home-user" marketing term that someone
just "made up" and it got off its leash. I think Linksys is to blame for
that.
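A small model of the tri-homed layout Phillip describes above and of his earlier "policies yes, routes no" answer, added here as an example that is not from the thread: one firewall with three directly connected networks, a Static NAT entry for the published DMZ host, and default-deny zone-pair policies. All addresses, ports, and the policy table are constructed for illustration.

```python
"""Tri-homed firewall model: one box, three directly connected networks.

Constructed example (not from the thread). Interfaces use RFC 5737 and
RFC 1918 ranges: WAN 203.0.113.0/24, LAN 192.168.100.0/24, DMZ 192.168.0.0/24.
Inbound traffic to a public IP is Static-NATed to the DMZ host first, then a
zone-pair policy decides. No static routes are needed between LAN and DMZ
because both are directly connected; the only route is the default to the ISP.
"""
from ipaddress import ip_address, ip_network

# Directly connected interfaces (constructed values)
INTERFACES = {
    "WAN": ip_network("203.0.113.0/24"),
    "LAN": ip_network("192.168.100.0/24"),
    "DMZ": ip_network("192.168.0.0/24"),
}

# Static NAT: one public address mapped one-to-one onto the DMZ host (no PAT).
# The public IP "lives" on the firewall's outside, not on the server's NIC.
STATIC_NAT = {"203.0.113.10": "192.168.0.2"}

# Zone-pair policies: (from_zone, to_zone) -> allowed TCP destination ports.
# Any pair or port not listed is dropped: "only publish what is supposed to
# be available".
POLICIES = {
    ("WAN", "DMZ"): {443},          # publish HTTPS on the DMZ host
    ("LAN", "DMZ"): {443, 3389},    # admins manage the DMZ host
    ("DMZ", "LAN"): set(),          # DMZ never initiates into the LAN
    ("LAN", "WAN"): {80, 443},      # outbound browsing
}


def zone_of(addr):
    """Interface whose subnet contains addr; anything else is beyond the WAN."""
    ip = ip_address(addr)
    for zone, net in INTERFACES.items():
        if ip in net:
            return zone
    return "WAN"  # reached via the default route toward the ISP


def apply_static_nat(dst):
    """Translate a published public IP to its private DMZ host, else unchanged."""
    return STATIC_NAT.get(dst, dst)


def routing_table():
    """Connected networks plus one default route; no LAN<->DMZ statics needed."""
    table = {str(net): f"connected ({zone})" for zone, net in INTERFACES.items()}
    table["0.0.0.0/0"] = "via WAN (ISP gateway)"
    return table


def evaluate(src, dst, port):
    """Return (verdict, translated_dst) for a TCP SYN src -> dst:port."""
    real_dst = apply_static_nat(dst)
    pair = (zone_of(src), zone_of(real_dst))
    if pair[0] == pair[1]:
        return "allow", real_dst  # same segment: switched, never hits the firewall
    allowed = POLICIES.get(pair, set())
    return ("allow" if port in allowed else "deny"), real_dst


if __name__ == "__main__":
    for flow in [("198.51.100.7", "203.0.113.10", 443),
                 ("198.51.100.7", "203.0.113.10", 22),
                 ("192.168.0.2", "192.168.100.1", 445)]:
        print(flow, "->", evaluate(*flow))
```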

Bill Grant

Feb 1, 2010, 6:39:53 PM


"Phillip Windell" <philw...@hotmail.com> wrote in message
news:O5PKPw0o...@TK2MSFTNGP05.phx.gbl...

I would like to add to Phillip's comments on a DMZ, especially since you
mentioned whether or not to join the DMZ machines to the domain. This can
lead to some interesting discussions.

If you have a firewall between the private LAN and the DMZ there are real
problems about joining DMZ machines to the domain if the DCs are on the
private LAN. You need to punch a lot of holes in a firewall to allow all the
necessary traffic AD needs. This leads to the question of whether there is
really any point in having the firewall at all if you have to enable so many
exceptions.

markm75g

Feb 4, 2010, 2:04:01 PM

Yeah I think I will probably go the route of the 3-legged DMZ.. using the
Sonicwall 2040 gateway as the only firewall for now.. take the DMZ out port
on the Sonicwall to a dedicated physical switch, then on to a server or
Hyper-V host..

Would using a VLAN on a shared switch be ok to do in this case, rather than
adding another dedicated one?

I'm still thinking too, that for now, I'll just take a port from the VLAN or
from the dedicated switch, to an existing Hyper-V LAN server.. but to a dedicated
NIC port, create the virtual NIC, and associate any virtual servers that are
to be in the DMZ with that virtual switch, at least till we can get a
dedicated DMZ host for Hyper-V purposes.

Some topologies call for a reverse proxy setup with ISA 2006.. I'm also
thinking my Sonicwall firewall can serve that purpose (I'm still fuzzy on
this reverse proxy thing).


Phillip Windell

Feb 4, 2010, 2:24:04 PM

"markm75g" <mark...@discussions.microsoft.com> wrote in message
news:27EB2E87-A80F-40EA...@microsoft.com...

> I'm still thinking too, that for now, ill just take a port from the vlan
> or
> from the ded. switch, to an existing hyper-v lan server.. but to a
> dedicated
> nic port, create the virtual nic, and associate any virtual servers that
> are
> to be in the dmz, with that virtual switch, at least till we can get a
> dedicated dmz host for hyperv purposes.

VLANs, regular LANs,....irrelevant. The traffic per IP Segment is either
separated or it isn't,...it has to be separated. Don't think that
virtualization does anything different than un-virtualized,...you have to
accomplish the same thing no matter if something is virtualized or not
virtualized, or a combination of the two.

> Some topologies call for a reverse proxy setup with isa 2006.. i'm also
> thinking my sonicwall firewall can serve that purpose (i'm still fuzzy on
> this reverse proxy thing).

You can't have a Reverse Proxy,...without a proxy.
Sonicwall is a NAT-based Firewall,...not a proxy.

markm75g

Feb 5, 2010, 12:22:01 AM

Oh well by VLAN I meant tagging in the hardware switch.. putting DMZ ports
into a VLAN and the regular LAN traffic in their own VLAN as well (a
temporary solution rather than using a dedicated switch to the DMZ port).

So even if from that VLAN or dedicated switch I go to a separate NIC in the
Hyper-V host, then create a new virtual switch from that.. I guess yes, not as
good as a dedicated box that has nothing but DMZ virtual guests and no other
NICs connected to the LAN..

On the reverse proxy.. I suppose I could avoid that and configure port 443
to go through to those services (kinda like I'm doing now) and use a public
SSL cert on the web services (not as secure, yes, but would work till I have a
physical box to put ISA 2006 on, or virtual ISA 2006.. I guess a virtual ISA
2006 is almost pointless?)


Phillip Windell

Feb 5, 2010, 1:07:46 PM

"markm75g" <mark...@discussions.microsoft.com> wrote in message
news:523CCE8F-10A7-48B6...@microsoft.com...

> ssl cert on the webservices (not as secure, yes, but would work till i
> have a
> physical box to put isa 2006 on, or virtual isa 2006.. i guess a virtual
> isa
> 2006 is almost pointless?)

Why would it be pointless?

Virtualization does not "change" anything.

markm75g

Feb 5, 2010, 3:18:13 PM

This is true.. I guess I can just associate it on the DMZ virtual switch and
go from there.... works for our situation anyway.


markm75g

Feb 5, 2010, 3:20:05 PM

Isn't there a newer replacement for ISA these days.. Forefront 2010?

Have you used it by chance.. or is the old ISA 2006 still the better bet?

Many thanks on the assistance btw.. The picture is much clearer now :)



markm75g

Feb 5, 2010, 4:49:01 PM

Also..

On my switch (can't recall on this how to do VLANs properly):
I have VID01
all ports in it (for the whole switch), as "untag"

The options are "untag, tag, not member"

so if I want 29 through 32 to be the DMZ VLAN
do I change them to not member, right?

and then create VLAN02 with 29 through 32 as "tagged"?

Also.. taking that DMZ port out from my firewall (Sonicwall), do I just plug
it into one of the ports now, 29 through 32..

So at this point I would have VID02 with tagged 29 through 32, 32 being the
one physical port on my NIC on the Hyper-V server (which I'll turn into a
virtual DMZ switch).. and then say 29 being the DMZ cable from the Sonicwall?

**Only question I also still have is, am I better secured to use an entirely
new NIC card, or is just using one of the two existing ports "ok" to
segregate the DMZ virtual switch from the LAN one (it was an unused
management port)?

Thanks much

markm75g

Feb 5, 2010, 5:16:01 PM

Sorry, just a few more notes on my test here:

In the Sonicwall 2040 DMZ options:
I'm confused as to which option I should be selecting for IP assignment..

Ideally the machines in the DMZ will have both a new subnet (different than
the LAN, but local), and some boxes could get public IPs.. I have 5 public IPs
to pick from, plus the one we already use on X2 for this ISP..

Should I select transparent mode.. static or layer 2 bridge..

From the sounds of it, I guess I have to go with static, designate this IP
to be the gateway... so in the public IP on the virtual server for that LAN
connection I'd put yet another public IP from my 5 and the gateway as this
static? **EDIT: if I try to do static I get.. "Subnet on this interface
overlaps with another interface"

EDIT again: I put in 192.168.0.1 rather than the public IP next in line.. it
took that.. I guess it was looking for the DMZ private IP address, not publicly
available ones? So now I would put say 192.168.0.2 on the NIC port on the
Hyper-V server.. with DNS of 192.168.0.1? (or am I going to need my own DNS
server in this new DMZ zone now? with appropriate ports opened up)

Phillip Windell

Feb 8, 2010, 4:32:19 PM

"markm75g" <mark...@discussions.microsoft.com> wrote in message
news:FAA5DBB8-6D09-4F70...@microsoft.com...

>
> Isnt there a newer replacement for isa these days.. forefront 2010?

Forefront is a suite,...not a specific product.

ISA2008 was renamed to TMG (Threat Management Gateway).

It is almost identical to ISA2006 except for having additional features
that 2006 lacked. For all intents and purposes it is just "ISA 2008" with a
new name.

Phillip Windell

Feb 8, 2010, 5:01:08 PM

I don't think I would have the Sonicwall "aware" of anything VLAN related
(assuming that is even possible). The Sonicwall is going to work based on
what cable is plugged into which physical Port and what that particular
Interface's TCP/IP Specs are. Now the Sonicwall may have internal VLANing
to identify which Layer3 Interface the Port belongs to,..but this is
independent VLANing *inside* the Sonicwall that has nothing to do with the
VLANing on the rest of the LAN.

Bottom line:
1. Correctly configure the "networks" on the Sonicwall
2. Plug the right cable into the right port
3. Configure the Sonicwall's interfaces with the right TCP/IP Specs



markm75g

Feb 9, 2010, 11:40:01 AM

I see Forefront Threat Management Gateway, both Enterprise and Standard..
Any reason to go with Ent over Standard?



Phillip Windell

Feb 10, 2010, 10:24:52 AM

"markm75g" <mark...@discussions.microsoft.com> wrote in message
news:E6A30D34-EFB3-4B22...@microsoft.com...

>I see forefront threat management gateway, both enterprise and standard..
> Any reason to go with ent over standard?

If you aren't running an Array (requires a minimum of 3 Servers),...then no,
stay with Standard,..unless you just want to waste money.

3 machines in an Array?

2 TMG Array Members
1 Configuration Storage Server

The CSS box should not be on one of the TMG boxes. The whole point of the
Array is that it keeps going if you lose a Member,...but if the CSS is on a
Member then you lose the CSS along with the Member, and then where does that
leave you?
