Access rules DMZ components
Finally the first post in 2009, so before starting, HAPPY NEW YEAR!!!!! I know it's late, but who cares....
This post is about opening specific ports from the DMZ to the internal network. This topic often results in discussions about which ports to open. One of the biggest discussion points is the use of internal DNS servers. In my opinion a DMZ server should never use an internal DNS server, because this is a possible security issue if the server gets hacked. For DNS resolution of internal hosts I always configure hosts files.
In the next sections I list the ports for the different services that I normally open. The listed services are the ones I often encounter during work.
ISA REVERSE PROXY
When configuring an ISA reverse proxy, it is most often used for publishing websites, Microsoft Outlook Web Access or PDA synchronization to the Internet. When configuring this service I open the following ports.
FROM INTERNET TO DMZ
| source | destination | service port |
| --- | --- | --- |
| any | ISA server | TCP/80 (HTTP) |
| any | ISA server | TCP/443 (HTTPS) |
FROM DMZ TO INTERNAL
| source | destination | service port |
| --- | --- | --- |
| ISA server | Exchange server / web server | TCP/80 (HTTP) |
| ISA server | IAS server | UDP/1812 (RADIUS)* |
| ISA server | LDAP server | TCP/389 (LDAP)* |
* Whether RADIUS or LDAP is needed depends on the authentication method used.
CITRIX ACCESS / SECURE GATEWAY
When using Citrix Secure Gateway (CSG) I normally install the WebInterface on the same server in the DMZ. With a Citrix Access Gateway (CAG), the WebInterface is often installed on an internal server, so implementing CAG needs one extra port. The following ports are configured by default.
FROM INTERNET TO DMZ
| source | destination | service port |
| --- | --- | --- |
| any | CAG/CSG | TCP/80 (HTTP) |
| any | CAG/CSG | TCP/443 (HTTPS) |
FROM DMZ TO INTERNAL
| source | destination | service port |
| --- | --- | --- |
| CAG | WebInterface server | TCP/80 (HTTP) |
| CAG/CSG | Citrix servers | TCP/80 (XML/STA) |
| CAG/CSG | Citrix servers | TCP/1494 (Citrix ICA) |
| CAG/CSG | Citrix servers | TCP/2598 (Citrix Common Gateway Protocol) |
| CAG/CSG | RSA server | UDP/5500* |
* This port is only needed when RSA SecurID tokens are used for authentication.
EXCHANGE EDGE SERVER
The last service listed is an Exchange Edge server in the DMZ. When using an Exchange Edge server you should configure the following ports.
FROM INTERNET TO DMZ
| source | destination | service port |
| --- | --- | --- |
| any | Edge server | TCP/25 (SMTP) |
FROM DMZ TO INTERNET
| source | destination | service port |
| --- | --- | --- |
| Edge server | any | TCP/25 (SMTP) |
| Edge server | ISP DNS servers | UDP/53 (DNS) |
FROM DMZ TO INTERNAL
| source | destination | service port |
| --- | --- | --- |
| Edge server | Exchange server | TCP/25 (SMTP) |
FROM INTERNAL TO DMZ
| source | destination | service port |
| --- | --- | --- |
| Exchange server | Edge server | TCP/25 (SMTP) |
| Exchange server | Edge server | TCP/50636 (EdgeSync) |
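As an added example (not code from the original post), the Exchange Edge tables above encoded as a default-deny rule set, with a small audit that checks candidate flows against it and flags the case argued against at the top of the post: a DMZ host talking to an internal DNS server. The zone labels (`edge`, `exchange`, `isp-dns`, `internal-dns`) and the sample flows are assumptions constructed for this example.

```python
from typing import NamedTuple


class Rule(NamedTuple):
    src: str    # zone or host label; "any" matches every source
    dst: str    # zone or host label; "any" matches every destination
    proto: str  # "tcp" or "udp"
    port: int


# One Rule per row of the Exchange Edge tables (labels are assumed names).
EDGE_RULES = [
    Rule("any", "edge", "tcp", 25),          # internet -> DMZ: inbound SMTP
    Rule("edge", "any", "tcp", 25),          # DMZ -> internet: outbound SMTP
    Rule("edge", "isp-dns", "udp", 53),      # DMZ -> internet: ISP resolvers only
    Rule("edge", "exchange", "tcp", 25),     # DMZ -> internal: SMTP to Exchange
    Rule("exchange", "edge", "tcp", 25),     # internal -> DMZ: SMTP to Edge
    Rule("exchange", "edge", "tcp", 50636),  # internal -> DMZ: EdgeSync
]


def is_allowed(rules, src, dst, proto, port):
    """True only if some rule explicitly permits the flow (default deny)."""
    return any(
        r.src in ("any", src) and r.dst in ("any", dst)
        and r.proto == proto and r.port == port
        for r in rules
    )


def audit(rules, flows):
    """Return the (src, dst, proto, port) flows the rule set does not permit."""
    return [flow for flow in flows if not is_allowed(rules, *flow)]


# Constructed sample of requested flows to check against the rule set.
SAMPLE_FLOWS = [
    ("edge", "exchange", "tcp", 25),            # allowed: SMTP into Exchange
    ("exchange", "edge", "tcp", 50636),         # allowed: EdgeSync
    ("edge", "internal-dns", "udp", 53),        # denied: use a hosts file instead
    ("internet-host", "edge", "tcp", 443),      # denied: Edge only needs SMTP
]

if __name__ == "__main__":
    for flow in audit(EDGE_RULES, SAMPLE_FLOWS):
        print("DENY", *flow)
```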
I hope this post helps you when configuring specific services in a DMZ environment. Of course the lists above are not absolute and can differ in specific situations. I always use them as a road map.
René Jorissen