Hello Endian Gurus,
I'm new to Endian (but not firewalls), and am trying to switch over from Untangle to Endian (interface/logging is just so much better).
My biggest concern right now is the inability to easily set up webservers within the GREEN network. I know that's not usually something you want to do, but there are definitely scenarios where that's just how it needs to be done. I've just never come across a firewall that didn't know how to respond to its own RED IP from an internal request, or is so strict in having no access between the RED and computers on GREEN.
For the most part, I am looking at adding virtual NICs to our web-accessible systems and having one in GREEN, and one in DMZ. My testing with a system shows that this does work and it allows the GREEN clients and RED clients to get access to our hosted services. You guys know all of this already, I'm just being verbose because it's 2AM.
So, I'm drawing out these network diagrams for our network and the web services that are being used (Exchange/IIS/Apache/etc). And while IIS/Apache are easy to add to the DMZ network, and just let the EFW handle everything, I'm not so sure about Exchange. I believe this is where SMTP proxy comes into play? Does that also handle SMTP over SSL?
I do plan on moving all web-facing servers to the DMZ side, but how do I deal with them in the interim? Do you think adding a second NIC (or IP if on same physical network) would resolve most issues regarding users in the GREEN network being unable to access web servers that are also in GREEN?
I know I can set up DNS records and have them access web.company.com via GREEN IP, but we have servers that are dual-hosting Apache and IIS (Port 8080/80) and translating two RED IPs to go to port 8080 or 80, respectively. How would you suggest handling this type of scenario?
So ultimately the question I'm trying to answer is:
How can I access servers that need to exist in GREEN and DMZ, using their true external IP (because you can't port forward via DNS).
WAN (123.1.1.17-31/28)
|
EFW --- DMZ (192.168.200.1/24) --- Server1 (192.168.200.2)
|
GREEN (192.168.1.1/24)
|
+--- Server1 (192.168.1.2)
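As an added illustration of the hairpin ("NAT reflection") problem described above (this is not code from the original post, nor Endian's own rule set): plain iptables rules for the diagrammed layout, so a GREEN client can reach Server1 by its RED address the same way an internet client does. The interface names, the two RED IPs chosen from the /28, and the GREEN-to-DMZ source rewrite are assumptions; the script only prints the rules.

```shell
#!/bin/sh
# Constructed values for the poster's layout; interface names are assumed.
RED_IF=eth0; GREEN_IF=eth1; DMZ_IF=eth2
GREEN_NET=192.168.1.0/24
DMZ_SERVER=192.168.200.2      # Server1's DMZ leg

# Print the rules that publish RED IP $1, port $2, as $DMZ_SERVER:$3.
hairpin_rules() {
    red_ip=$1; red_port=$2; dst_port=$3
    # 1. Ordinary inbound port forward from the internet.
    echo "iptables -t nat -A PREROUTING -i $RED_IF -d $red_ip -p tcp --dport $red_port -j DNAT --to-destination $DMZ_SERVER:$dst_port"
    # 2. The same DNAT for packets that arrive from GREEN addressed to the RED IP.
    #    Without this the firewall treats them as traffic for itself and drops them.
    echo "iptables -t nat -A PREROUTING -i $GREEN_IF -d $red_ip -p tcp --dport $red_port -j DNAT --to-destination $DMZ_SERVER:$dst_port"
    # 3. Permit only this forwarded flow GREEN -> DMZ; nothing wider is opened.
    echo "iptables -A FORWARD -i $GREEN_IF -o $DMZ_IF -d $DMZ_SERVER -p tcp --dport $dst_port -m conntrack --ctstate NEW -j ACCEPT"
}

# Needed once for all forwards. Server1 also has a GREEN leg (192.168.1.2), so
# it would answer a 192.168.1.x client directly over GREEN; the client would then
# see a reply from 192.168.200.2 instead of the RED IP and discard it. Rewriting
# the source to the firewall's DMZ address forces the reply back through the EFW.
# Trade-off: Server1's logs then show the firewall's DMZ IP, not the real client.
hairpin_snat() {
    echo "iptables -t nat -A POSTROUTING -s $GREEN_NET -o $DMZ_IF -d $DMZ_SERVER -j MASQUERADE"
}

# Two RED IPs (assumed .18 and .19 from the 123.1.1.17-31/28 block) mapped to
# the IIS and Apache listeners on Server1, as the post describes.
hairpin_rules 123.1.1.18 80 80
hairpin_rules 123.1.1.19 80 8080
hairpin_snat
```

Review the printed rules, then apply them with `sh script.sh | sh` on a test box; on an Endian box the equivalent entries belong in its port-forwarding and outgoing-NAT configuration rather than raw iptables.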