On 13/01/17 07:53, Syafril Hermansyah wrote:
> Another option: we can put all the servers into one farm zone
> (DMZ, Demilitarized Zone)


A demilitarized zone (DMZ) is a dedicated segment of the LAN that can be
accessed from the internet.
This segment is not permitted direct access to the LAN, so that if a
problem occurs in the DMZ it does not spread to the LAN.
In KCF this is done by adding a separate NIC dedicated to the DMZ.

The topology then looks like this:

internet --- KCF -- LAN
                |
                +--- DMZ (server farm)


http://kb.kerio.com/product/kerio-control/traffic-rules/configuring-demilitarized-zone-dmz-347.html

Suppose the apps server in the DMZ has the private IP 192.168.1.100, and
there is only one public IP on the internet interface (Share).
The traffic rules to create are then as follows:


1. Access to the DMZ from the Internet

Rule name: Accessing Apps Server from Internet
Source : Internet Interface
Destination: Firewall
Services: http, https, icmp, ping
IPversion: IPv4
Action: Allow
Translation: Map to 192.168.1.100

2. Access from the DMZ to the Internet

Rule name: Accessing Apps Server to Internet
Source : DMZ Interface
Destination: Internet Interface
Services: http, https, icmp, ping
IPversion: IPv4
Action: Allow
Translation: NAT balancing per host

3. Access from the LAN to the DMZ

Rule name: Accessing Apps Server from LAN
Source : Trusted/Local Interface
Destination: DMZ interface
Services: ANY
IPversion: IPv4
Action: Allow
Translation: none

4. Block access from the DMZ to the LAN

Rule name: Restrict Accessing Apps Server to LAN
Source : DMZ interface
Destination: Trusted/Local Interface
Services: ANY
IPversion: IPv4
Action: DENY
Translation: none





-- 
syafril
-------
Syafril Hermansyah
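
The four traffic rules in the message above, modelled as an added example that is not part of the original e-mail and is not Kerio Control code. It assumes rules are evaluated top-down with first match winning and an implicit final deny; the zone labels and the `evaluate` and `dmz_isolation_violations` helpers are hypothetical names used only for this illustration.

```python
# Added illustration (not Kerio Control code): model of the four rules in the message.
# Assumption: top-down, first-match evaluation with an implicit final deny.
from dataclasses import dataclass

ANY = "ANY"
WEB = frozenset({"http", "https", "icmp", "ping"})


@dataclass(frozen=True)
class Rule:
    name: str
    source: str
    destination: str
    services: frozenset
    action: str                # "Allow" or "Deny"
    translation: str = "none"


RULES = [
    Rule("Accessing Apps Server from Internet", "Internet", "Firewall",
         WEB, "Allow", "Map to 192.168.1.100"),
    Rule("Accessing Apps Server to Internet", "DMZ", "Internet",
         WEB, "Allow", "NAT balancing per host"),
    Rule("Accessing Apps Server from LAN", "LAN", "DMZ", frozenset({ANY}), "Allow"),
    Rule("Restrict Accessing Apps Server to LAN", "DMZ", "LAN", frozenset({ANY}), "Deny"),
]


def evaluate(rules, src, dst, service):
    """Return (action, matching rule); (Deny, None) when nothing matches."""
    for r in rules:
        if (r.source, r.destination) == (src, dst) and (
                ANY in r.services or service in r.services):
            return r.action, r
    return "Deny", None


def dmz_isolation_violations(rules):
    """Names of Allow rules DMZ -> LAN that sit above the blanket DMZ -> LAN deny."""
    hits = []
    for r in rules:
        if (r.source, r.destination) != ("DMZ", "LAN"):
            continue
        if r.action == "Deny" and ANY in r.services:
            break              # everything below this rule is shadowed for DMZ -> LAN
        if r.action == "Allow":
            hits.append(r.name)
    return hits
```

Running `dmz_isolation_violations` over an exported or hand-transcribed rule list is a quick check that a later exception has not been placed above rule 4.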



