Best way to secure web server that needs LAN access
jcurt7492
I'm new to networking and I need to set up a DMZ zone for my web server on my SonicWall TZ300W.
I have a web server that hosts (3) websites and (1) web service. 2 of the websites require access to our SQL server that sits on the LAN. Currently, it is set up to port forward, and both the web server and SQL server are in the LAN zone. What is the most secure way I can set up this configuration?
I'm reading that it is not a good security practice to open up ports for access from the DMZ to the LAN.
Category: Entry Level Firewalls
Answers
This is a bit of a loaded question, as there are many ways to get the same outcome. You have also provided the bare minimum of information. That being said...
Are these servers virtual or physical? Are you using VLANs on your network? Does the web server need to be accessible from the LAN?
Questions aside, SonicWalls come with a DMZ 'Zone' preconfigured. You could assign a specific interface (e.g. X2) to the DMZ zone, give it a unique subnet, move your web server NIC onto that interface and reconfigure the server IP in the DMZ subnet. Then re-create the NAT and firewall rules (port forwards) for external access.
It's possible you'd have to reconfigure both servers with the new IP address information (depending on how the applications are configured).
From there you could limit which ports are open LAN to DMZ and DMZ to LAN to only those needed for functionality.
Let us not forget the Security Services configurations...
Hope that helps.
Hi @JCURT7492,
Thank you for visiting SonicWall Community.
My recommendation is that you have the web server on the DMZ and allow only the required ports from DMZ to LAN for the SQL server communication. A LAN to DMZ rule is not required unless there has to be communication initiated from the SQL server to the web server.
Regards
Saravanan V
Technical Support Advisor - Premier Services
Professional Services
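Both answers describe the same design: move the web server into its own DMZ zone, keep inter-zone traffic denied by default, and open only the SQL port from the web server to the SQL host. The script below is an added illustration written for this thread, not SonicWall code or anything from the answers above. It models zone-based, first-match access rules and compares the "before" layout (everything in LAN, intra-zone traffic allowed) with the recommended layout, then audits the DMZ-to-LAN rules for anything broader than one host and one port. All addresses, the X2 subnet, and the use of TCP 1433 for the SQL server are constructed assumptions.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple

# Constructed address plan for the illustration (not from the thread).
ZONES = {
    "LAN": ip_network("192.168.10.0/24"),
    "DMZ": ip_network("192.168.50.0/24"),   # assumed subnet for the X2 DMZ interface
}
SQL_HOST = "192.168.10.20"        # assumed: SQL server on the LAN
SQL_PORT = 1433                   # assumed: MS SQL default TCP port
WEB_HOST_BEFORE = "192.168.10.30" # assumed: web server while still in the LAN
WEB_HOST_DMZ = "192.168.50.10"    # assumed: web server after the move to the DMZ


@dataclass(frozen=True)
class Rule:
    src_zone: str
    dst_zone: str
    dst_net: str            # CIDR, or "any"
    proto: str              # "tcp", "udp" or "any"
    dport: Optional[int]    # None means any port
    action: str             # "allow" or "deny"


def zone_of(ip: str) -> str:
    """Map an address to its zone; anything outside the internal subnets is WAN."""
    addr = ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "WAN"


def matches(rule: Rule, src_zone: str, dst_zone: str, dst_ip: str, proto: str, dport: int) -> bool:
    if rule.src_zone != src_zone or rule.dst_zone != dst_zone:
        return False
    if rule.dst_net != "any" and ip_address(dst_ip) not in ip_network(rule.dst_net):
        return False
    if rule.proto != "any" and rule.proto != proto:
        return False
    if rule.dport is not None and rule.dport != dport:
        return False
    return True


def evaluate(rules: List[Rule], src_ip: str, dst_ip: str, proto: str, dport: int) -> str:
    """First matching rule wins. Traffic within one zone is allowed by default;
    traffic between zones is denied unless a rule explicitly allows it."""
    src_zone, dst_zone = zone_of(src_ip), zone_of(dst_ip)
    for rule in rules:
        if matches(rule, src_zone, dst_zone, dst_ip, proto, dport):
            return rule.action
    return "allow" if src_zone == dst_zone else "deny"


def audit_dmz_to_lan(rules: List[Rule]) -> List[Tuple[Rule, List[str]]]:
    """Flag DMZ->LAN allow rules that reach more than a single host on a single port."""
    findings = []
    for rule in rules:
        if (rule.src_zone, rule.dst_zone, rule.action) != ("DMZ", "LAN", "allow"):
            continue
        problems = []
        if rule.dst_net == "any":
            problems.append("destination is any LAN host")
        elif ip_network(rule.dst_net).num_addresses > 1:
            problems.append("destination is a whole subnet")
        if rule.proto == "any" or rule.dport is None:
            problems.append("protocol or port is unrestricted")
        if problems:
            findings.append((rule, problems))
    return findings


# "Before": web server and SQL server both in LAN, WAN port-forwarded straight into LAN.
BEFORE = [
    Rule("WAN", "LAN", f"{WEB_HOST_BEFORE}/32", "tcp", 80, "allow"),
    Rule("WAN", "LAN", f"{WEB_HOST_BEFORE}/32", "tcp", 443, "allow"),
]

# Recommended: web server in DMZ, DMZ->LAN limited to the SQL host and port only.
AFTER = [
    Rule("WAN", "DMZ", f"{WEB_HOST_DMZ}/32", "tcp", 80, "allow"),
    Rule("WAN", "DMZ", f"{WEB_HOST_DMZ}/32", "tcp", 443, "allow"),
    Rule("DMZ", "LAN", f"{SQL_HOST}/32", "tcp", SQL_PORT, "allow"),
]

# A tempting shortcut that the thread warns against: DMZ may reach any LAN port.
TOO_BROAD = AFTER[:2] + [Rule("DMZ", "LAN", "any", "any", None, "allow")]


if __name__ == "__main__":
    other_lan_host = "192.168.10.45"   # constructed: some unrelated LAN machine
    print("before, web -> other LAN host:", evaluate(BEFORE, WEB_HOST_BEFORE, other_lan_host, "tcp", 445))
    print("after,  web -> other LAN host:", evaluate(AFTER, WEB_HOST_DMZ, other_lan_host, "tcp", 445))
    print("after,  web -> SQL:", evaluate(AFTER, WEB_HOST_DMZ, SQL_HOST, "tcp", SQL_PORT))
    for rule, problems in audit_dmz_to_lan(TOO_BROAD):
        print("audit finding:", rule, problems)
```

Running it shows why the move matters: in the BEFORE layout the web server can reach any LAN host on any port because the two machines share a zone, while in the AFTER layout the only path from the web server into the LAN is TCP 1433 to the SQL host. The audit function is the check worth re-running whenever someone edits the DMZ-to-LAN rules.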