D-Link Forums
The Graveyard - Products No Longer Supported => D-Link NetDefend Firewalls => Topic started by: alanrwilliams on January 11, 2010, 12:23:46 PM
-
I have been running our DFL-800 for some time now without issue. Now it is time to mess with things :D
We have all of our computers located on the lan interface and use wan1 as our only internet interface.
I have recently acquired an exchange server (instead of outsourcing it) and would like to put it on the DMZ interface.
Can someone assist with the required changes to the DFL-800 for this?
Thanks,
Al
-
The quick answer is that you will need to ensure you have IP rules allowing all traffic that you wish to allow.
There is a current thread that covers this exact query almost to the word. You may want to check recent threads for more information.
-
Thanks I will check, but do you have a link to the topic that I could click?
Thanks again,
Al
-
Here is a very similar request that is still being worked out but his basic configs have already been specified.
http://forums.dlink.com/index.php?topic=10257.0
*** Modified by Fatman because he decided that verbosity is a virtue only after hitting "Post"
-
Thanks, I am working through the examples you have provided. Much appreciated. Al
-
Time for some more detail in order to allow you to give me more specific hints...
wan1_ip = 64.201.63.122
lan_ip = 172.16.1.10
lannet = 172.16.1.0/24
dmz_ip = 172.17.100.1
dmznet = 172.17.100.0/24
dmz_sbs = 172.17.100.8
I have downloaded and adopted what I can from the D-Link document "Scenario: How to configure SAT (Port Forwarding) for DMZ".
I created a folder Rules - IP Rules - DMZ_Rules
I already have another rules folder with many many port forward rules that we use for our servers located on the lan interface.
In the DMZ_Rules folder I would like rules to allow all traffic to/from the MS-SBS server out to either the wan1 or lan interface as needed.
Furthermore, I would like the SBS server in the DMZ to be able to get the MS Exchange traffic and any other SBS related traffic, but to leave all other existing traffic (i.e. our existing FTP server is on the lan interface) going to/from our servers located on the lan interface.
We make extensive use of ports for our other servers located on the lan interface. We probably should move much of this to the dmz interface, but that will be a separate project.
The ports I have in mind for the MS-SBS in the dmz are (unless I missed some):
21 FTP, to be left on lan interface for existing ftp server for now
25 SMTP for Exchange server on SBS in dmz, but have other smtp servers located on the lan interface
80 http:// for SBS to lan interface (i.e., internal) IIS server only. All other port 80 goes to the lan interface for existing servers
110 pop3 to the sbs server in the dmz
123 for both dmz and lan based servers to get NTP traffic
143 for sbs server only in dmz to get IMAP4 requests
220 for sbs server only in dmz to get IMAP3 requests
443 https:// for OWA and OMA to the sbs server in the DMZ, but we already use https:// traffic on the lan
444 Sharepoint is not already used here, so we should be able to have this dmz only
A D-Link rep tried to set up VPN previously, so this may need to be reviewed, but I would like the VPN stuff to go to the SBS server in the DMZ only. Ports 500, 1701 and 1723
3389 Terminal Service to the sbs server only in the dmz
4125 for OWA access to Exchange server on the sbs server located in the dmz
4500 IPsec, I think, to the DMZ server?
Wow this sure seems like a lot.
Hope you can help... Al
-
Your port forwards will be just like your LAN port forwards; the only thing that will be different is that you will need rules allowing traffic from the LAN to the DMZ and vice versa.
-
Once again, thank you. I now have a bunch of work to do to get this setup, thanks to your help I should be well on my way.
BTW, I was wondering if you would comment upon the port forwards I outlined for the dmz?
For example, do you see any potential issue with what I have written about so far?
Thanks again,
Al
-
Only that you will want to change your HTTP/HTTPS management ports, and that if you create a service group with all your services for a particular server your configurations will be much easier.
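As an added example (not from the thread and not D-Link's code), here is a small Python model of the inbound rules Al listed, evaluated first-match the way the firewall walks its IP rule list top-down. It surfaces the points the two replies make: LAN-to-DMZ and DMZ-to-LAN still need their own Allow rules, the forwards for 80/443 collide with the firewall's own HTTP/HTTPS management listener, and, because there is only one wan1_ip, a given public port can be SAT'd to exactly one host, so the planned DMZ forwards for 25, 80 and 443 fight with the existing LAN ones. It also builds the per-server service grouping the reply suggests. The addresses and ports are the ones posted; the LAN server address, the existing LAN rule list, the management-port setting and the rule order are assumptions for illustration.

```python
"""Added example, not from the thread or D-Link: first-match model of the
planned DFL-800 inbound SAT rules, with the checks worth running before
committing them. Posted addresses/ports are real; everything marked
ASSUMED is made up for illustration."""
from collections import namedtuple

# An inbound SAT rule: traffic to wan1_ip on proto/port is translated to target.
Rule = namedtuple("Rule", "name proto port target")

WAN1_IP = "64.201.63.122"     # from the thread
DMZ_SBS = "172.17.100.8"      # from the thread
LAN_SRV = "172.16.1.20"       # ASSUMED address of an existing LAN server

# ASSUMED: web management still listens on wan1_ip:80/443 (the reply says
# to move it before forwarding 80/443 anywhere).
MGMT_PORTS = {("tcp", 80), ("tcp", 443)}

# ASSUMED existing LAN forwards, limited to services the post says the
# LAN servers already provide (FTP, SMTP, HTTP, HTTPS).
EXISTING_LAN_RULES = [
    Rule("LAN_FTP",   "tcp", 21,  LAN_SRV),
    Rule("LAN_SMTP",  "tcp", 25,  LAN_SRV),
    Rule("LAN_HTTP",  "tcp", 80,  LAN_SRV),
    Rule("LAN_HTTPS", "tcp", 443, LAN_SRV),
]

# Planned DMZ forwards from the post. Port 21 stays on the LAN as stated;
# 123 is omitted because NTP is treated here as outbound client traffic
# (assumption) whose replies the stateful Allow rules already cover.
PLANNED_DMZ_RULES = [
    Rule("DMZ_SMTP",       "tcp", 25,   DMZ_SBS),
    Rule("DMZ_HTTP",       "tcp", 80,   DMZ_SBS),
    Rule("DMZ_POP3",       "tcp", 110,  DMZ_SBS),
    Rule("DMZ_IMAP4",      "tcp", 143,  DMZ_SBS),
    Rule("DMZ_IMAP3",      "tcp", 220,  DMZ_SBS),
    Rule("DMZ_HTTPS",      "tcp", 443,  DMZ_SBS),
    Rule("DMZ_SHAREPOINT", "tcp", 444,  DMZ_SBS),
    Rule("DMZ_IKE",        "udp", 500,  DMZ_SBS),
    Rule("DMZ_L2TP",       "udp", 1701, DMZ_SBS),
    Rule("DMZ_PPTP",       "tcp", 1723, DMZ_SBS),
    Rule("DMZ_RDP",        "tcp", 3389, DMZ_SBS),
    Rule("DMZ_OWA_4125",   "tcp", 4125, DMZ_SBS),
    Rule("DMZ_NAT_T",      "udp", 4500, DMZ_SBS),
]

# ASSUMED interface pairs that already have Allow rules (both nets reach wan1).
ALLOW_PAIRS = {("lan", "wan1"), ("dmz", "wan1")}


def first_match(rules, proto, port):
    """Top-down walk: the first matching rule wins, so order decides."""
    for r in rules:
        if r.proto == proto and r.port == port:
            return r
    return None


def resolve(rules):
    """For every proto/port any rule claims, the rule that actually wins."""
    claimed = sorted({(r.proto, r.port) for r in rules})
    return {key: first_match(rules, *key) for key in claimed}


def audit(rules, mgmt_ports=MGMT_PORTS):
    """Rules that can never match (an earlier rule on the same public port
    wins) and forwards that collide with the management listener."""
    findings = []
    winners = resolve(rules)
    for r in rules:
        w = winners[(r.proto, r.port)]
        if w is not r:
            findings.append(f"SHADOWED: {r.name} ({r.proto}/{r.port} -> {r.target}) "
                            f"never matches; {w.name} -> {w.target} wins first")
    for proto, port in sorted(mgmt_ports):
        w = winners.get((proto, port))
        if w is not None:
            findings.append(f"MGMT CLASH: {proto}/{port} is the firewall's own "
                            f"management port and is also forwarded by {w.name}")
    return findings


def missing_allow_pairs(allow_pairs, needed=(("lan", "dmz"), ("dmz", "lan"))):
    """LAN<->DMZ traffic needs its own Allow rules; report uncovered pairs."""
    return [pair for pair in needed if pair not in allow_pairs]


def service_groups(rules):
    """One service group per server, as the reply suggests: target -> ports."""
    groups = {}
    for r in rules:
        groups.setdefault(r.target, set()).add((r.proto, r.port))
    return {target: sorted(ports) for target, ports in groups.items()}


if __name__ == "__main__":
    rules = EXISTING_LAN_RULES + PLANNED_DMZ_RULES
    for line in audit(rules):
        print(line)
    for src, dst in missing_allow_pairs(ALLOW_PAIRS):
        print(f"MISSING ALLOW: {src} -> {dst}")
    for target, ports in service_groups(rules).items():
        print(target, ports)
```

Whichever way the two lists are ordered, one side's SMTP, HTTP and HTTPS forward is dead: with a single wan1_ip a port can be SAT'd to only one host, so the decision of which server owns 25, 80 and 443 has to be made up front (or the rules split by source network, if the senders are known), and the management listener has to come off 80/443 before either forward is added.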
-
Hey guy, Please comment on the port forwards I have suggested and if you see any issue with what I am planning.
Thanks, Al