DMZ, IP Passthrough and Firewalls

Hi, I'm trying to play some games online and I have been trying the port forwarding thing but it seems that I have some software firewall blocking my ports and I can't figure which one can be.
I have Bellsouth DSL, I have set my modem to IP Passthrough to my Linksys BEFW11S4 (V4), and I have set my router to DMZ, so I think there shouldn't be any hardware blocking my ports. After that I disabled my Norton AV & Internet Protection, and Disabled the Windows Internet Firewall. I don't have any other AV or Internet protection installed.
After all that disabling session, when I try any online tool to check my ports (even port 80) they gave me a "connection timed out" response.
Is there any way to know what is blocking my ports? Are my ports really blocked? I just want to disable the whole hardware protection and keep the software.
Thanks in advance

You already have a NAT firewall on your router. That's an ample amount of firewall, but if you prefer to have more protection, make sure your antivirus or firewall software does not limit your network connectivity. There are options in your software to allow traffic; you should be okay after that.
"The war between heaven and hell depends on the choices we make, and those choices require sacrifice. That's the test"
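
The question above treats "connection timed out" and "blocked" as the same thing. The following added example (not from the thread; the class name `PortState` and its method names are hypothetical) classifies a single TCP connect attempt. A timeout means packets are being dropped somewhere on the path. A refusal means the host was reached but no program is listening on the port, so a port checker can only report "open" while a game or server is actually running. The example shows both reachable outcomes against a listener on the loopback address, then probes an optional host and port given on the command line.

```java
import java.io.IOException;
import java.net.ConnectException;
import java.net.InetAddress;
import java.net.InetSocketAddress;
import java.net.ServerSocket;
import java.net.Socket;
import java.net.SocketTimeoutException;

public class PortState {
    enum State { OPEN, CLOSED, FILTERED, ERROR }

    // Classify one TCP connect attempt the way an online port checker does.
    static State probe(String host, int port, int timeoutMs) {
        try (Socket s = new Socket()) {
            s.connect(new InetSocketAddress(host, port), timeoutMs);
            return State.OPEN;        // handshake completed: a program is listening
        } catch (SocketTimeoutException e) {
            return State.FILTERED;    // no reply within timeoutMs: dropped on the path
        } catch (ConnectException e) {
            // Usually a reset from the target (reachable, nothing listening).
            // Some platforms report an OS-level timeout through this type too.
            String msg = String.valueOf(e.getMessage()).toLowerCase();
            return msg.contains("timed out") ? State.FILTERED : State.CLOSED;
        } catch (IOException e) {
            return State.ERROR;       // e.g. unknown host or no route to host
        }
    }

    public static void main(String[] args) throws IOException {
        InetAddress lo = InetAddress.getLoopbackAddress();
        int port;
        // Constructed test case: a throwaway listener on a free loopback port.
        try (ServerSocket listener = new ServerSocket(0, 1, lo)) {
            port = listener.getLocalPort();
            System.out.println("listener running: " + probe(lo.getHostAddress(), port, 5000));
        }
        // Same port after the listener has closed: reachable, nothing listening.
        System.out.println("listener stopped: " + probe(lo.getHostAddress(), port, 5000));

        // Optional: probe a host and port of your own, e.g. the PC's LAN address.
        if (args.length == 2) {
            int p = Integer.parseInt(args[1]);
            System.out.println(args[0] + ":" + p + " -> " + probe(args[0], p, 5000));
        }
    }
}
```

Run against the PC's LAN address from another machine inside the network first. If that reports OPEN while the external check still times out, the drop is happening upstream of the PC (router, modem or provider) rather than in software on the PC.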

Similar Messages

  • SCCM design DMZ for intranet and internet clients

    Hello,
    I am looking for some design recommendations for my test environment that I would like to apply to one production environment (I already posted about this topic but I still have some questions).
    I am working with 2 domains (2 forests) with no trust relationships.
    Domain A : internal
    Domain B : DMZ
    From a firewall point of view, only the ports from the internal to the DMZ will be opened.
    From the internet to the DMZ, only HTTPS will be opened.
    Currently, I only manage the clients connected to the internal domain.
    I would like to deploy a new management point in DMZ that will allow me to manage my DMZ clients (servers) and my Internet clients (laptops).
    Should I use 2 management points ? Is it supported ?
    - one for the DMZ clients
    - one dedicated to my internet clients
    If I use only one MP, should I allow Intranet and Internet clients ?
    Should I allow my DMZ clients to communicate with the internal management point (port 80) and only use the MP in DMZ for my Internet clients.
    The only documents I can find on Technet require too many ports to be opened in the firewall (From DMZ to Internal) and can't be applied to my environment.
    Thanks.

    Have a look at the following blog which explains your queries comprehensively.
    http://blogs.technet.com/b/neilp/archive/2012/08/20/cross-forest-support-in-system-center-2012-configuration-manager-part-1.aspx
    -RG

  • Using Sockets TCP/IP to connect through Proxies and Firewalls

    How to do in a Client/server Application using Sockets TCP/IP to connect through Proxies and Firewalls?
    How to implement the HTTP Tunnelling in this case?
    the code in Client to connect to server is:
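    // Needs javax.net.ssl.* and java.io.*; c.site and c.PORT are the poster's own fields.
    SSLSocketFactory sslFact = (SSLSocketFactory) SSLSocketFactory.getDefault();
    socket = (SSLSocket) sslFact.createSocket(c.site, c.PORT);
    // Enables every suite the provider supports, which can include suites
    // that are left out of the default set because they are weak.
    String[] enabledCipher = socket.getSupportedCipherSuites();
    socket.setEnabledCipherSuites(enabledCipher);
    out = new ObjectOutputStream(socket.getOutputStream());
    in = new ObjectInputStream(socket.getInputStream());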
    The Server is an executable standalone application with a main function. How can I convert this Server into a Servlet application?
    the code in Server to wait client connections is:
    Runtime.getRuntime().addShutdownHook(new ShutdownThread(this));
    try {
        // getDefault() returns ServerSocketFactory, so cast down to the SSL type.
        SSLServerSocketFactory factory = (SSLServerSocketFactory) SSLServerSocketFactory.getDefault();
        SSLServerSocket sslIncoming = (SSLServerSocket) factory.createServerSocket(PORT);
        // As in the client, this enables every supported suite, not only the defaults.
        String[] enabledCipher = sslIncoming.getSupportedCipherSuites();
        sslIncoming.setEnabledCipherSuites(enabledCipher);
        // Accept clients until the shutdown hook clears "running".
        while (running) {
            SSLSocket s = (SSLSocket) sslIncoming.accept();
            newUser(s, pauseSyn);
        }
    } catch (IOException e) {
        System.out.println("Error: " + e);
    }
    some links or code sample?
    Thanks in Advance

    Did you see this: Networking Properties?
    Including
    SOCKS protocol support settings
    and
    http.proxyHost (default: <none>)
    http.proxyPort (default: 80 if http.proxyHost specified)
    http.nonProxyHosts (default: <none>)
    ftp.proxyHost (default: <none>)
    ftp.proxyPort (default: 80 if ftp.proxyHost specified)
    ftp.nonProxyHosts (default: <none>)
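
    The `http.proxyHost` properties listed above are read by Java's HTTP URL handler, not by a raw `SSLSocket`, so a client like the one in the question has to open the tunnel itself. The following is an added example, not code from the thread: the class `TunnelClient`, the method `connectViaProxy` and the command-line arguments are hypothetical names. It sends an HTTP `CONNECT` request to the proxy, checks the reply, then layers TLS over the tunnelled socket with the default cipher suites and with hostname verification switched on, which a raw `SSLSocket` does not do by default. It assumes a proxy that requires no authentication.

```java
import java.io.IOException;
import java.io.InputStream;
import java.io.OutputStream;
import java.net.Socket;
import java.nio.charset.StandardCharsets;
import javax.net.ssl.SSLParameters;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.SSLSocketFactory;

public class TunnelClient {

    // Read one header line byte by byte so that no bytes belonging to the
    // TLS handshake are swallowed by a buffered reader.
    static String readLine(InputStream in) throws IOException {
        StringBuilder sb = new StringBuilder();
        int b;
        while ((b = in.read()) != -1 && b != '\n') {
            if (b != '\r') sb.append((char) b);
        }
        return sb.toString();
    }

    static SSLSocket connectViaProxy(String proxyHost, int proxyPort,
                                     String host, int port) throws IOException {
        Socket tunnel = new Socket(proxyHost, proxyPort);   // plain TCP to the proxy
        try {
            OutputStream out = tunnel.getOutputStream();
            String req = "CONNECT " + host + ":" + port + " HTTP/1.1\r\n"
                       + "Host: " + host + ":" + port + "\r\n\r\n";
            out.write(req.getBytes(StandardCharsets.US_ASCII));
            out.flush();

            InputStream in = tunnel.getInputStream();
            String status = readLine(in);       // e.g. "HTTP/1.1 200 Connection established"
            String[] parts = status.split(" ", 3);
            if (parts.length < 2 || !parts[1].equals("200")) {
                throw new IOException("proxy refused CONNECT: " + status);
            }
            while (!readLine(in).isEmpty()) { /* skip remaining response headers */ }

            // Layer TLS over the established tunnel; autoClose=true closes both sockets.
            SSLSocketFactory f = (SSLSocketFactory) SSLSocketFactory.getDefault();
            SSLSocket ssl = (SSLSocket) f.createSocket(tunnel, host, port, true);
            SSLParameters p = ssl.getSSLParameters();
            p.setEndpointIdentificationAlgorithm("HTTPS");  // check certificate against host
            ssl.setSSLParameters(p);
            ssl.startHandshake();
            return ssl;
        } catch (IOException e) {
            tunnel.close();
            throw e;
        }
    }

    public static void main(String[] args) throws IOException {
        if (args.length != 4) {
            System.err.println("usage: TunnelClient proxyHost proxyPort host port");
            return;
        }
        try (SSLSocket s = connectViaProxy(args[0], Integer.parseInt(args[1]),
                                           args[2], Integer.parseInt(args[3]))) {
            System.out.println(s.getSession().getProtocol() + " "
                             + s.getSession().getCipherSuite());
        }
    }
}
```

    Many proxies only permit `CONNECT` to port 443, so a server listening on another port may be refused at the proxy even though the client code is correct.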

  • My router does vpn passthrough and is set up correctly. Does it also have to host the vpn?

    my router does vpn passthrough and is set up correctly. Does it also have to host the vpn?
    Thanks
    Greg

    Not sure I understand your question or problem, but I'll give it a shot.
    No, you do not have to host the VPN server on your router.  That wouldn't do you any good for working around the limitations of the VZW network anyways since you are still on the same VZW network.  When you setup a VPN you normally want it to be on someone else's network so you can enable things like port forwarding and remote access.
    The VPN Passthrough feature only allows your VPN clients to access VPN servers; it's not the same thing as hosting.  If you want your router to auto connect to a VPN server (which is more common) that is something different.  VPN clients connect to VPN servers.  VPN clients are normally installed on your personal devices or your router.  VPN servers are geographically located somewhere else and on someone else's network.

  • NAT, DMZ single interface two firewalls... Create Edge topology

    Hello,
    I have a two-firewall DMZ, so I'm struggling to understand why the Topology Builder is asking me for the "Internal" IP of the edge server... the edge server is not internal (by design); it's in the perimeter network (DMZ). It does not have an internal interface, nor am I interested in giving it one (that's why I have firewalls)... It's NAT'd.
    Is this explained somewhere? How do I set up the topology wizard to understand my firewall configuration? I see the NAT'd external IP... obviously that's on the public side...
    Thanks for help,
    Steve Lithgow

    Anthony's two posts win the PRIZE! Ben gets runner-up!
    It still baffles me why it is necessary to have an additional network in my DMZ. You are not increasing your level of security by increasing the complexity (security by obfuscation). The internal network can have persistent routes to the DMZ IP of the Edge Server as well as firewall rules governing traffic by source IP to the internal network from the DMZ. A host with two interfaces that becomes compromised is no more secure than one with a single interface. Our firewall rules are not based on "networks" to/from the DMZ; they are based on source/destination IPs.
    So basically, my point is MS should not ASSume a particular firewall configuration and force this via the Topology Builder... just my .02
    Can anyone tell me if MS is doing some memory-level protection in the Edge server that masks the external-facing process from internal ones, or something really special? My guess is that the edge server is NOT ISA/TMG so......
    To someone else's point that stated "You don't want the edge server to be your firewall", my response is you dang right! But in essence that is what you are doing by placing an internal interface on the edge server, firewall rules/routes or not. What you are doing is creating a firewall leg on the edge server.
    Thanks for all the FAST help! Though I'm still shaking my head a bit....
    Steve Lithgow

  • Trouble with SPDIF Passthrough and the Audig

    I have a Sound Blaster Audigy 2 from Dell and am trying to connect it to Logitech Z-680 speakers. I want to use digital surround sound. I found the instructions on how to do this on Logitech's site. However, I have a problem.
    Step 2 states to go to Audio HQ, select 'Device Controls' and then select the 'decoder tab'. My Device Controls does not have a 'decoder tab' nor does it have a 'SPDIF Passthrough' option that I can find. Where do I find the SPDIF Passthrough option?
    I have updated all of my drivers and Creative software as far as I can tell. In the Device Controls help it states: "Digital Input Settings is available only if you are using the Optical Digital I/O card or Sound Blaster Audigy 2 Drive." Does this mean my Audigy 2 from Dell does not support optical out?!
    Any help is greatly appreciated.

    Janefoe,
    Since this card is OEM I would suggest contacting Dell at this time. You can then find out from them if this feature was included with this card and if so how to enable or disable SPDIF Passthrough.
    Jeremy

  • New Qos and Firewalls URL Options for gamers for Win10

    This is more of a gamer thing.
    I'm wondering if there's a way to implement URLs (instead of IPs) with ports into firewalls and QoS? Naturally I don't want to open ports for all IPs, and determining all IPs for some sites, when there are multiple worlds, can't always be done.
    It would be nice to say, for all *.SomeGame.com allow this port to be open.
    Additionally, if this rule is active, give it higher priority than video or voice....
    I have seen some gamer systems where their router and firewall have an open port for their games :\ Also, usually most gamers will have Skype/Twitch/Netflix/Hulu open whilst gaming. Naturally, they don't want lag for their games, and would prefer their gaming to have priority over any voice or video.

    You do not need to set up anything like that in any Windows for a gaming application... even if I am running a torrent + DC++ client I have no lags or freezes and so on. So if you want to set up QoS, just find an appropriate guide for the specific application. And by the way, URLs don't match game server IP and port ranges, so it has never been released under QoS development, because QoS is about how to manage your existing LAN bandwidth for applications on your OS installation.

  • ISE and firewalls

    I have a Primary ISE node  (primary admin/monitoring/policy) sitting in network 192.168.1.0/24 and the Secondary ISE node (secondary admin/monitoring/policy) sitting in network 192.168.2.0/24.  There is a firewall sitting between these two networks.
    What TCP and UDP ports do I need to open on the firewalls so that these two nodes can communicate and sync with each other?  I AM ONLY INTERESTED IN THE TRAFFICS BETWEEN THESE TWO NODES and not other traffics to else where.
    I've read through the documentation and it seems that I only need a couple of tcp and udp ports for this.
    Any comments?
    Thank you  in advance.
    david

    David,
    AFAIU minimum of TCP/443 and TCP/1521  (and ICMP for heartbeat).
    http://www.cisco.com/en/US/partner/docs/security/ise/1.1/installation_guide/ise_app_e-ports.html
    M.

  • NVGRE Gateway Security and Firewalls?

    Hi,
    I am setting up a Hyper-v NVGRE gateway on Windows Server 2012 R2. Now from what I have read the gateways have 3 NICs and one interface dedicated to public IP addresses, I haven't been able to find any information about how the gateways are secured.
    Can they be protected behind hardware firewalls?
    Are they already secured at the time of install out of the box?
    Do we have to use and configure the windows firewall on the gateway for protection?
    Any best practice out there, real like experience / examples or some documentation on this subject as I am struggling?
    Many thanks in advance.
    Microsoft Partner

    Hi,
    I have created some blogs on hyper-v.nu about the NVGRE gateway.
    My recommendation:
    Put the gateway Hyper-V host and GW VM's in a separate domain.
    Connect the GW VM's directly to internet.
    Enable the Windows Firewall. Look after the Network Connection Profile, as there are different rule sets for Private, Public and Domain rules. Make sure the external interface is marked as public profile. If you use the toolkit I created for GW deployment, it's configured for you.
    If your company policy doesn't allow you to connect directly to the internet, put a firewall in front, but transparently, or create a public subnet behind that firewall so your GW VMs have public IPs.
    Only use inspection on traffic (IDS), don't block it. If you really need to, create a common allow list for regular ports. Otherwise tenants need to open service requests at your helpdesk to open ports if they want to publish an application via a NAT rule.
    Since you put the hosts and GW VMs in a separate domain, you have managed to separate it from your management domain, which is in my sense the best practice.
    Use 3rd-party NVGRE vendors like Boudewijn mentioned, such as BIG-IP F5.
    Best regards, Mark Scholman.

  • XMPPGateway and Firewalls - can't connect to googletalk

    This has myself (the developer) and the firewall guys really
    stumped. I am trying to use talk.google IM service to launch an IM
    bot using the CF gateways. Everything works well on my local
    install of CF server but once we move it to our dev server and
    setup up the instance, the gateway cannot connect to talk.google.
    Firewalls have port 5222 wide open. AND.... I downloaded the
    gtalk client onto the server and it connects through that without
    issue. Does anyone have any idea?
    the error in the logs is "XMPPGateway (xxxx) Error trying to
    connect to talk.google.com: Connection failed. No response from
    server."
    pertinent config settings are:
    resourceName=ColdFusion
    secureprotocol=TSL
    securerequirement=false
    serverip=talk.google.com
    serverport=5222

    Wow, not 2 minutes after I posted this I figured it out. I had to go into Server Preferences and in there was able to turn on file sharing. So that was stupid of me and an easy fix. Now it can be accessed easily from the imac and macbook.
    Sorry for the waste of space.

  • No devices in DMZ drop down and PORT forward does ...

    Hi,
    We have just purchased B.T broadband with the new home hub, we have set up our hub/router the same as our old one with the correct ports forwarded for exchange to work and remote web space, it all works internally accessing the address but nothing works externally, emails don't get through etc..
    Any ideas?
    Also why does my device not appear in the DMZ drop down?
    Much appreciated any help, thanks a lot

    The home hub firewall will offer no protection to a device in the DMZ, as all incoming ports will be forwarded to the device.
    All you will be left with is the normal NAT function, which is needed to provide a range of local IP addresses.
    If you look at my security page, you will see there is a website you can use to find open ports.
    You may find it better to use a router which supports local loopback.
    There are some useful help pages here, for BT Broadband customers only, on my personal website.
    BT Broadband customers - help with broadband, WiFi, networking, e-mail and phones.

  • RV220W DMZ not working and protocol 41 packets not forwarded

    After fighting a brand new RV220W for hours I am just about giving up on it.
    It does not forward anything to the DMZ server, including the IP protocol 41 packets needed for our IPv6 6in4 tunnel.
    Nor does it send protocol 41 packets to the WAN.
    TCP and UDP packets are only forwarded to the DMZ server if specifically done by a firewall rule.
    CISCO support was not able to solve the problem after half an hour on the phone.
    Factory resets and absolutely minimal configuration changes have been tried to no avail.
    Firmware is 1.0.1.0.
    The hairpinning problem as well as the weird time problem caused by ticking the daylight savings box have been observed as well.
    Should I return this thing having learned that CISCO quality is a thing of the past ?
    The Netgear WNDR3700 it was supposed to replace, due to the SNMP support found in this router, happily forwards packets at half the price.

    Manually creating a firewall rule with protocol 41 in the backup config file and restoring it makes no difference.
    (A new checksum for the configuration file may be generated by md5sum when the checksum line has been deleted)
    Default should be to route all IP packets regardless of protocol number to the DMZ server, when DMZ is enabled. Now the router returns an ICMP port unreachable message to the WAN sender.
    Update:
    The problem is only present when the dual stack IPv4/IPv6 feature is enabled, so after all it may be a bug and not a design decision. Waiting for Cisco support to verify/advise on this.
    BTW it is unbelievable that the configuration file (plain text) saved by the backup function in the router cannot be read / used by Cisco support. They can only handle something which can be displayed in a browser (sic!)
    Update 2:
    Further testing has shown, that the option of forwarding of protocol 41 packets for 6in4 tunnels in any mode (IPv4 only or IPv4/IPv6) is randomly enabled. Sometimes suddenly working after 30 minutes. At other times not at all even after a reboot. Occasionally it has been working in both modes.
    I have provided information about this to CISCO.
    Cisco support has recognized this to be a problem of the current software 1.0.1.0 and is issuing a refund of the router.

  • Multiple IPs and firewalls

    I'm wondering if it's possible to create multiple firewalls in Mountain Lion server. I have four IP addresses on one server, all on the same LAN, and I want to restrict specific traffic to specific TCP/UDP ports (e.g. only mail ports on IP X, web services on IP Y, and VPN services on IP Z, etc.).
    Is it possible to create multiple firewalls on each port so that I can restrict network traffic in this manner? Or is there a better way to do this from the start?
    Thanks!

    Use pfctl (see: man pfctl)

  • BT Infinity and Firewalls

    Hi,
    I'm interested in ordering the BT Infinity option 2, however I have noticed the BT website makes it quite clear that no other networking equipment (routers in specific) is compatible with the service.
    The reason I am posting, is because I have a Juniper SSG20 firewall and a spare Draytek 2955, which is capable of dealing with more than 1 WAN (untrust) connection, and is much more expensive and will definitely be much better grade of equipment than the BT Infinity Home Hub.  I have no need for the home hub, and made it clear when I last spoke to Sales about this but they are adamant that I need the home hub because the modem is "special".
    Now, I understand that you might be concerned for sake of providing technical support and quality of service in the case where a customer wants to attach for instance any of the other consumer-grade equipment to the modem, however these firewall/routers I've got is business grade, have a good reputation for reliability and also will deal with much more bandwidth at a much lower latency than the other equipment I have tested (including the Home Hub 2.0).
    From what I can see and read on the net this is pretty much a bog-standard VDSL2 modem with an ethernet WAN interface.
    Thus, I want to know whether it would be possible to take out the Infinity home hub and use Bridging on the WAN connection from the Openreach modem to one of my firewalls in order to establish a connection instead of using the Home Hub.
    I'm an IT engineer with more than 13 years of experience and I don't need BT to help me configure the Juniper/Draytek as I'm perfectly capable of doing that myself and will never need to call them for assistance. 

    VeeMan
    'If you have a router that supports Ethernet WAN, you may use this in place of the
    BT Home Hub. Please bear in mind, though, that our helpdesk can’t help with
    connection problems if you’re using a non-BT-supplied router.'
    That's directly from the HH Infinity manual; the modem is owned by Openreach so you have to use it.

  • S/PDIF passthrough and DDL

    I'm running a Creative Audigy with DDL active, and anytime I want to switch to S/PDIF passthrough when watching movies, I have to go through the audio console and turn off DDL first. Is there any way around this so that I don't have to use the audio console to switch between these modes?
    With my old Realtek cards this used to be unnecessary. I could see VLC switching to S/PDIF passthrough automatically without the need to turn off DDL first, and when it was done, DDL would take over again. How can I get the same behavior from Creative cards? Or is this just another limitation of Creative's crappy drivers?

    I have similar issues in Windows 7 x64
    My sound card is a first gen Xtreme Music, so it supports Dolby/DTS decoding. I am able to enable this by going into the sound options of my DVD program and selecting SPDIF Passthrough. To do the same in Windows Media Player, I would click the Advanced button under the DVD tab in WMP options. So then when I watch a DVD, a box would pop up in the bottom right corner telling me if I was listening to DD, Pro Logic, or DD Ex.
    So what I want to know is how I can do the same in Windows 7? The DVD program I used before breaks in Windows 7. In WMP 2, that Advanced button I mentioned earlier is grayed out. Am I missing something? I have the latest Creative driver installed.
