Hi All,

I have a DB server on our internal LAN with RFC 1918 private address space,
and in our DMZ, our IIS web server with a real address.
See the picture below.

internet ------- router --------bastion host -----------Web Servers
                                     |          DMZ         |
                                     |                      | To Internal Firewall
                                     |
                                     |
                                     | To Internal Firewall


The link from the bastion host to the internal firewall is private address
space, as is the link from the web server to the internal firewall.
The only reason for the internal firewall is in case the bastion host or web
servers are compromised.

The reasoning is that MS DCOM and SQL Server have trouble with a masqueraded
connection; otherwise I would masquerade addresses on the internal firewall.

If I have an application proxy on the internal firewall, wouldn't that mean
that I no longer need to masquerade addresses, as there is no forwarding?
The proxy process will handle that for me.  Then I can use public addresses
outside of our internal firewall.

If I have proxies on both the internal and external firewall, is that going
overboard?

Please provide any comments - they will be greatly appreciated.

Cheers,
Greg.
