Access rules DMZ components

René Jorissen on January 6, 2009 • 0 Comments

Finally he first post in 2009, so before starting, HAPPY NEW YEAR!!!!! I know it’s late, but who cares….

This post is about opening specific ports from the DMZ to the internal network. This specific topic often results in discussions about which ports to open. One of the biggest discussion points is the use of internal DNS servers. In my opinion a DMZ server should never use an internal DNS server, because this could be a possible security issues if the server gets hacked. For DNS resolving of internal host I always configure hosts files.

In the next sections I list the ports for different services, which I normally open. The listed services are services which I often encounter during work.

ISA REVERSE PROXY

When configuring an ISA reverse proxy, it is most often used for publishing websites, Microsoft Outlook WebAccess or PDA synchronization to the Internet. When configuring this service I open the following ports.

FROM INTERNET TO DMZ

*source*	*destination*	*service port*
any	ISA server	TCP/80 (HTTP)
any	ISA server	TCP/443 (HTTPS)

FROM DMZ TO INTERNAL

*source*	*destination*	*service port*
ISA server	Exchange server web server	TCP/80 (HTTP)
ISA server	IAS server	UDP/1812 (RADIUS)*
ISA server	LDAP server	TCP/389 (LDAP)*

* the usage of RADIUS or LDAP depends on the authentication method used

CITRIX ACCESS / SECURE GATEWAY

When using Citrix Secure Gateway (CSG) I normally install the WebInterface on the same server in the DMZ. With a Citrix Access Gateway (CAG), the WebInterface is often installed on an internal server. So implementing CAG needs one extra ports. The following ports are configured by default.

FROM INTERNET TO DMZ

*source*	*destination*	*service port*
any	CAG/CSG	TCP/80 (HTTP)
any	CAG/CSG	TCP/443 (HTTPS)

FROM DMZ TO INTERNAL

*source*	*destination*	*service port*
CAG	WebInterface server	TCP/80 (HTTP)
CAG/CSG	Citrix Servers	TCP/80 (XML/STA)
CAG/CSG	Citrix Servers	TCP/1494 (Citrix ICA)
CAG/CSG	Citrix Servers	TCP/2598 (Citrix Common Gateway Protocol)
CAG/CSG	RSA Server	UDP/5500*

* This port is needed when RSA SecurID tokens are used for authentication

EXCHANGE EDGE SERVER

The last service listed is the configuration of an Exchange Edge server in the DMZ. When using an Exchange Edge server you should configure the following ports.

FROM INTERNET TO DMZ

*source*	*destination*	*service port*
any	Edge server	TCP/25 (SMTP)

FROM DMZ TO INTERNET

*source*	*destination*	*service port*
Edge server	any	TCP/25 (SMTP)
Edge server	ISP DNS servers	UDP/53 (DNS)

FROM DMZ TO INTERNAL

*source*	*destination*	*service port*
Edge server	Exchange server	TCP/25 (SMTP)

FROM INTERNAL TO DMZ

*source*	*destination*	*service port*
Exchange server	Edge server	TCP/25 (SMTP)
Exchange server	Edge server	TCP/50636 (EdgeSync)

I hope this post will help you when configuring specific services in a DMZ environment. Of course the lists above are not absolute and can be different in specific situations. I always use the above lists as a road map.

Bio
Latest Posts

René Jorissen

Co-owner and Solution Specialist at 4IP Solutions

René Jorissen works as Solution Specialist for 4IP in the Netherlands. Network Infrastructures are the primary focus. René works with equipment of multiple vendors, like Cisco, Aruba Networks, FortiNet, HP Networking, Juniper Networks, RSA SecurID, AeroHive, Microsoft and many more. René is Aruba Certified Edge Expert (ACEX #26), Aruba Certified Mobility Expert (ACMX #438), Aruba Certified ClearPass Expert (ACCX #725), Aruba Certified Design Expert (ACDX #760), CCNP R&S, FCNSP and Certified Ethical Hacker (CEF) certified. You can follow René on Twitter and LinkedIn.

Latest posts by René Jorissen (see all)

MacOS Big Sur and SSLKEYFILELOG - November 23, 2021
ClearPass, Azure AD, SSO and Object ID - August 12, 2021
ClearPass – custom MPSK - July 20, 2021