
Access rules DMZ components

Finally the first post in 2009, so before starting, HAPPY NEW YEAR!!!!! I know it’s late, but who cares….

This post is about opening specific ports from the DMZ to the internal network. This topic often results in discussions about which ports to open. One of the biggest discussion points is the use of internal DNS servers. In my opinion a DMZ server should never use an internal DNS server, because that becomes a security issue if the DMZ server gets compromised: it would already have an allowed path to an internal server. For DNS resolution of internal hosts I always configure hosts files instead.

In the next sections I list the ports I normally open for different services. The listed services are the ones I often encounter during work.

ISA REVERSE PROXY

An ISA reverse proxy is most often used for publishing websites, Microsoft Outlook Web Access or PDA synchronization to the Internet. When configuring this service I open the following ports.

FROM INTERNET TO DMZ

source      destination     service / port
any         ISA server      TCP/80 (HTTP)
any         ISA server      TCP/443 (HTTPS)


FROM DMZ TO INTERNAL

source      destination                   service / port
ISA server  Exchange server, web server   TCP/80 (HTTP)
ISA server  IAS server                    UDP/1812 (RADIUS)*
ISA server  LDAP server                   TCP/389 (LDAP)*

* Whether RADIUS or LDAP is needed depends on the authentication method used.

CITRIX ACCESS / SECURE GATEWAY

When using Citrix Secure Gateway (CSG) I normally install the WebInterface on the same server in the DMZ. With a Citrix Access Gateway (CAG), the WebInterface is often installed on an internal server, so implementing CAG needs one extra port (CAG to the WebInterface server). The following ports are configured by default.

FROM INTERNET TO DMZ

source      destination     service / port
any         CAG/CSG         TCP/80 (HTTP)
any         CAG/CSG         TCP/443 (HTTPS)


FROM DMZ TO INTERNAL

source      destination           service / port
CAG         WebInterface server   TCP/80 (HTTP)
CAG/CSG     Citrix servers        TCP/80 (XML/STA)
CAG/CSG     Citrix servers        TCP/1494 (Citrix ICA)
CAG/CSG     Citrix servers        TCP/2598 (Citrix Common Gateway Protocol)
CAG/CSG     RSA server            UDP/5500*

* This port is only needed when RSA SecurID tokens are used for authentication.

EXCHANGE EDGE SERVER

The last service listed is an Exchange Edge server in the DMZ. When using an Exchange Edge server you should configure the following ports.

FROM INTERNET TO DMZ

source      destination     service / port
any         Edge server     TCP/25 (SMTP)


FROM DMZ TO INTERNET

source        destination         service / port
Edge server   any                 TCP/25 (SMTP)
Edge server   ISP DNS servers     UDP/53 (DNS)


FROM DMZ TO INTERNAL

source        destination        service / port
Edge server   Exchange server    TCP/25 (SMTP)


FROM INTERNAL TO DMZ

source            destination     service / port
Exchange server   Edge server     TCP/25 (SMTP)
Exchange server   Edge server     TCP/50636 (EdgeSync)
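As an added example (not the author's own tooling), the Exchange Edge rules above encoded as data, with a small review function that applies the two principles of this post: default deny from the DMZ to the internal network, and no internal DNS for DMZ hosts. Zone and role labels such as "edge", "exchange" and "internal-dns" are assumed names for the hosts in the tables.

```python
"""Rule-review helper for the DMZ access lists in this post (added example).

Role names are constructed labels for the hosts in the post's tables; the
BASELINE tuple is the Exchange Edge section, internal and DMZ sides combined.
"""
from dataclasses import dataclass

INTERNAL = {"exchange", "internal-dns"}   # roles on the internal network
DMZ = {"edge"}                             # roles in the DMZ


@dataclass(frozen=True)
class Rule:
    src: str
    dst: str
    proto: str    # "tcp" or "udp"
    port: int
    note: str = ""


# Baseline from the post: Exchange Edge server in the DMZ.
BASELINE = (
    Rule("internet", "edge", "tcp", 25, "SMTP in"),
    Rule("edge", "internet", "tcp", 25, "SMTP out"),
    Rule("edge", "isp-dns", "udp", 53, "DNS via the ISP, not internal DNS"),
    Rule("edge", "exchange", "tcp", 25, "SMTP to internal Exchange"),
    Rule("exchange", "edge", "tcp", 25, "SMTP from internal Exchange"),
    Rule("exchange", "edge", "tcp", 50636, "EdgeSync"),
)


def is_allowed(rules, src, dst, proto, port):
    """Default deny: a flow passes only if some rule lists it exactly."""
    return any((r.src, r.dst, r.proto, r.port) == (src, dst, proto, port)
               for r in rules)


def review(proposed, baseline=BASELINE):
    """Return (rule, reason) for each proposed rule that deviates from the post.

    Two checks: a DMZ host pointed at the internal DNS server (the post says to
    use a hosts file instead), and any DMZ-to-internal flow not in the baseline.
    """
    findings = []
    for r in proposed:
        if r.src in DMZ and r.dst == "internal-dns" and r.port == 53:
            findings.append((r, "DMZ host using internal DNS; use a hosts file"))
        elif (r.src in DMZ and r.dst in INTERNAL
              and not is_allowed(baseline, r.src, r.dst, r.proto, r.port)):
            findings.append((r, "DMZ to internal flow not in baseline"))
    return findings
```

Feed review() the rule set you are about to commit to the firewall; every finding is a rule that needs a justification before it goes in.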


I hope this post will help you when configuring specific services in a DMZ environment. Of course the lists above are not absolute and can differ in specific situations; I use them as a road map.


René Jorissen

Co-owner and Solution Specialist at 4IP Solutions
René Jorissen works as Solution Specialist for 4IP in the Netherlands. Network Infrastructures are the primary focus. René works with equipment of multiple vendors, like Cisco, Aruba Networks, FortiNet, HP Networking, Juniper Networks, RSA SecurID, AeroHive, Microsoft and many more. René is Aruba Certified Edge Expert (ACEX #26), Aruba Certified Mobility Expert (ACMX #438), Aruba Certified ClearPass Expert (ACCX #725), Aruba Certified Design Expert (ACDX #760), CCNP R&S, FCNSP and Certified Ethical Hacker (CEF) certified. You can follow René on Twitter and LinkedIn.
