Services on the DMZ Network

Once you have configured the DMZ connection, you will also want to configure the CyberGuard SG appliance to allow access to services on the DMZ. There are two methods of allowing access.

If the servers on the DMZ have public IP addresses, you need to add packet filtering rules to allow access to the services. See the section called Packet Filtering in the chapter entitled Firewall.

If the servers on the DMZ have private IP addresses, you need to port forward the services. See the section called Incoming Access in the chapter entitled Firewall. Creating port forwarding rules automatically creates associated packet filtering rules to allow access. However, you can also create custom packet filtering rules if you wish to restrict access to the services.

You may also want to configure your CyberGuard SG appliance to allow access from servers on your DMZ to servers on your LAN. By default, all network traffic from the DMZ to the LAN is dropped. See the section called Packet Filtering in the chapter entitled Firewall.

Direct LAN

Select Direct LAN to use the DMZ port as a second LAN connection. In this configuration, the firewall between the DMZ and LAN is deactivated. Set up the connection in the same manner as your primary LAN connection, as detailed in the LAN section of this chapter.

Bridged LAN

See the Bridged Internet section earlier in this chapter.

DMZ as a second Internet connection

You may configure the DMZ port as a second Internet connection. This is generally used in conjunction with the load balancing capability of your CyberGuard SG appliance. The DMZ port may also be configured as a backup connection for Internet failover.

These configurations are set up in a similar manner to your primary Internet port. Refer to the previous section in this chapter, entitled Internet.

Network Connections

SnapGear 2.0.1 user manual Services on the DMZ Network, Direct LAN, Bridged LAN, DMZ as a second Internet connection