On 13/01/17 07:53, Syafril Hermansyah wrote:
> Another option: we can put all the servers into one farm zone
> (DMZ, Demilitarized Zone)
A demilitarized zone (DMZ) is a special segment of the LAN that can be
accessed from the internet.
This segment is not allowed direct access to the LAN, so that if a
problem occurs in the DMZ zone it does not spread to the LAN.
In KCF this is done by adding a separate NIC dedicated to the DMZ.
The topology becomes as follows:
internet --- KCF -- LAN
              |
              +--- DMZ (server farm)
http://kb.kerio.com/product/kerio-control/traffic-rules/configuring-demilitarized-zone-dmz-347.html
Suppose the apps server in the DMZ zone has the private IP 192.168.1.100,
and there is only 1 public IP on the internet interface (Share).
Then the traffic rules to create are as follows:
1. Access to the DMZ from the Internet
Rule name: Accessing Apps Server from Internet
Source : Internet Interface
Destination: Firewall
Services: http, https, icmp, ping
IPversion: IPv4
Action: Allow
Translation: Map to 192.168.1.100
2. Access from the DMZ to the Internet
Rule name: Accessing Apps Server to Internet
Source : DMZ Interface
Destination: Internet Interface
Services: http, https, icmp, ping
IPversion: IPv4
Action: Allow
Translation: NAT balancing per host
3. Access from the LAN to the DMZ
Rule name: Accessing Apps Server from LAN
Source : Trusted/Local Interface
Destination: DMZ interface
Services: ANY
IPversion: IPv4
Action: Allow
Translation: none
4. Block access from the DMZ to the LAN
Rule name: Restrict Accessing Apps Server to LAN
Source : DMZ interface
Destination: Trusted/Local Interface
Services: ANY
IPversion: IPv4
Action: DENY
Translation: none
--
syafril
-------
Syafril Hermansyah
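
The four rules above, modelled as an added example that is not part of the original message and is not Kerio Control's own code. It assumes rules are evaluated top to bottom with the first match winning and unmatched traffic denied; the zone labels, probe services and the broad "Allow all from DMZ" rule are constructed to show why the DMZ-to-LAN deny must not sit below a wider allow.

```python
from typing import NamedTuple, Optional

WEB = frozenset({"http", "https", "icmp", "ping"})

class Rule(NamedTuple):
    name: str
    src: str                        # zone label (constructed), or "any"
    dst: str
    services: Optional[frozenset]   # None stands for ANY
    action: str
    translation: str = "none"

# The four rules from the message, in the order given there.
RULES = [
    Rule("Accessing Apps Server from Internet", "internet", "firewall", WEB,
         "allow", "map to 192.168.1.100"),
    Rule("Accessing Apps Server to Internet", "dmz", "internet", WEB,
         "allow", "NAT balancing per host"),
    Rule("Accessing Apps Server from LAN", "lan", "dmz", None, "allow"),
    Rule("Restrict Accessing Apps Server to LAN", "dmz", "lan", None, "deny"),
]

# Hypothetical misconfiguration, not from the message: a broad DMZ allow rule.
BROAD = Rule("Allow all from DMZ", "dmz", "any", None, "allow")
PROBES = ("http", "ssh", "smb")     # constructed sample services

def matches(rule, src, dst, service):
    return (rule.src in (src, "any") and rule.dst in (dst, "any")
            and (rule.services is None or service in rule.services))

def evaluate(src, dst, service, rules=RULES):
    """Assumed semantics: first match from the top wins, unmatched is denied."""
    for rule in rules:
        if matches(rule, src, dst, service):
            return rule.action, rule.translation
    return "deny", "none"

def dmz_can_reach_lan(rules, probes=PROBES):
    """Audit: services a DMZ host could open towards the LAN under these rules."""
    return [s for s in probes if evaluate("dmz", "lan", s, rules)[0] == "allow"]

if __name__ == "__main__":
    print(evaluate("internet", "firewall", "https"))         # published web service
    print(dmz_can_reach_lan(RULES))                          # rules as posted
    print(dmz_can_reach_lan(RULES[:3] + [BROAD, RULES[3]]))  # broad allow above the deny
```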