
Access rules DMZ components

January 6th, 2009

Finally the first post of 2009, so before starting: HAPPY NEW YEAR!!!!! I know it’s late, but who cares….

This post is about opening specific ports from the DMZ to the internal network. This topic often results in discussions about which ports to open, and one of the biggest discussion points is the use of internal DNS servers. In my opinion a DMZ server should never use an internal DNS server, because it could become a security issue if the server gets hacked. For DNS resolution of internal hosts I always configure hosts files.

In the next sections I list the ports I normally open for different services. The listed services are the ones I often encounter during my work.

ISA REVERSE PROXY

An ISA reverse proxy is most often used for publishing websites, Microsoft Outlook Web Access or PDA synchronization to the Internet. When configuring this service I open the following ports.

FROM INTERNET TO DMZ

source   destination   service port
any      ISA server    TCP/80 (HTTP)
any      ISA server    TCP/443 (HTTPS)

FROM DMZ TO INTERNAL

source       destination                   service port
ISA server   Exchange server, web server   TCP/80 (HTTP)
ISA server   IAS server                    UDP/1812 (RADIUS)*
ISA server   LDAP server                   TCP/389 (LDAP)*

* whether RADIUS or LDAP is used depends on the authentication method

CITRIX ACCESS / SECURE GATEWAY

When using Citrix Secure Gateway (CSG) I normally install the WebInterface on the same server in the DMZ. With a Citrix Access Gateway (CAG), the WebInterface is often installed on an internal server, so implementing CAG needs one extra port. The following ports are configured by default.

FROM INTERNET TO DMZ

source   destination   service port
any      CAG/CSG       TCP/80 (HTTP)
any      CAG/CSG       TCP/443 (HTTPS)

FROM DMZ TO INTERNAL

source    destination           service port
CAG       WebInterface server   TCP/80 (HTTP)
CAG/CSG   Citrix servers        TCP/80 (XML/STA)
CAG/CSG   Citrix servers        TCP/1494 (Citrix ICA)
CAG/CSG   Citrix servers        TCP/2598 (Citrix Common Gateway Protocol)
CAG/CSG   RSA server            UDP/5500*

* This port is needed when RSA SecurID tokens are used for authentication

EXCHANGE EDGE SERVER

The last service listed is an Exchange Edge server in the DMZ. When using an Exchange Edge server you should configure the following ports.

FROM INTERNET TO DMZ

source   destination   service port
any      Edge server   TCP/25 (SMTP)

FROM DMZ TO INTERNET

source        destination       service port
Edge server   any               TCP/25 (SMTP)
Edge server   ISP DNS servers   UDP/53 (DNS)

FROM DMZ TO INTERNAL

source        destination       service port
Edge server   Exchange server   TCP/25 (SMTP)

FROM INTERNAL TO DMZ

source            destination   service port
Exchange server   Edge server   TCP/25 (SMTP)
Exchange server   Edge server   TCP/50636 (EdgeSync)

I hope this post helps you when configuring specific services in a DMZ environment. Of course the lists above are not absolute and can differ in specific situations. I always use them as a road map.
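As an added example that is not part of the original post, the four Exchange Edge tables above written as a zone-based, default-deny rule set with a small evaluator for checking candidate flows before the rules go live. The addresses and the zone layout are constructed assumptions; the evaluator also shows that the Edge server is denied any path to an internal DNS server, which is the point made in the introduction.

```python
from collections import namedtuple
from ipaddress import ip_address, ip_network

# Constructed example addressing (not from the original post).
ZONES = {
    "dmz": ip_network("192.0.2.0/24"),
    "internal": ip_network("10.10.0.0/16"),
}
ANY = ip_network("0.0.0.0/0")
EDGE = ip_network("192.0.2.25/32")        # Exchange Edge server in the DMZ
EXCHANGE = ip_network("10.10.1.25/32")    # internal Exchange server
ISP_DNS = ip_network("198.51.100.53/32")  # ISP DNS server on the Internet

Rule = namedtuple("Rule", "name from_zone to_zone src dst proto port")

# The four Exchange Edge tables from the post as zone-pair permits;
# anything not listed is dropped (default deny).
EDGE_RULES = [
    Rule("inet->dmz smtp", "internet", "dmz", ANY, EDGE, "tcp", 25),
    Rule("dmz->inet smtp", "dmz", "internet", EDGE, ANY, "tcp", 25),
    Rule("dmz->inet dns", "dmz", "internet", EDGE, ISP_DNS, "udp", 53),
    Rule("dmz->int smtp", "dmz", "internal", EDGE, EXCHANGE, "tcp", 25),
    Rule("int->dmz smtp", "internal", "dmz", EXCHANGE, EDGE, "tcp", 25),
    Rule("int->dmz edgesync", "internal", "dmz", EXCHANGE, EDGE, "tcp", 50636),
]

def zone_of(ip):
    """Map an address to its zone; anything outside the known zones is 'internet'."""
    for name, net in ZONES.items():
        if ip in net:
            return name
    return "internet"

def evaluate(rules, src, dst, proto, port):
    """Return the name of the first matching permit, or None for default deny."""
    s, d = ip_address(src), ip_address(dst)
    for r in rules:
        if (zone_of(s), zone_of(d)) != (r.from_zone, r.to_zone):
            continue  # the zone pair selects which table applies
        if s in r.src and d in r.dst and proto == r.proto and port == r.port:
            return r.name
    return None

if __name__ == "__main__":
    # Constructed flows a practitioner would check before going live.
    flows = [
        ("203.0.113.7", "192.0.2.25", "tcp", 25),     # inbound mail
        ("192.0.2.25", "198.51.100.53", "udp", 53),   # Edge -> ISP DNS
        ("192.0.2.25", "10.10.1.53", "udp", 53),      # Edge -> internal DNS
        ("10.10.1.25", "192.0.2.25", "tcp", 50636),   # EdgeSync
    ]
    for f in flows:
        print(f, "->", evaluate(EDGE_RULES, *f) or "DENY")
```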

René Jorissen works as Solution Specialist for 4IP in the Netherlands. Network infrastructures are his primary focus. René works with equipment of multiple vendors, like Cisco, HP Networking, Juniper Networks, RSA, Palo Alto Networks, Microsoft and many more. René is CCNA (Routing & Switching, Security), CCNP, Cisco ASA Specialist and CEFFS certified. You can follow René on Twitter and LinkedIn.
