Microsoft KB Archive/191146

= How to Create a DMZ Network with Proxy Server 2.0 =

Article ID: 191146

Article Last Modified on 10/19/2000

-

APPLIES TO


 * Microsoft Proxy Server 2.0 Standard Edition

-



This article was previously published under Q191146



SUMMARY
This article explains how to create a so-called DMZ network using Microsoft Proxy Server 2.0. A DMZ (demilitarized zone) is essentially a network that exists between two other networks. Usually the two other networks do not trust each other.



MORE INFORMATION
A DMZ is generally used with Microsoft Proxy Server when the Server Proxy and Reverse Proxy features cannot be used. If you are using an Apple, UNIX, OS/2, or other operating system and you are not publishing HTTP, configuring a DMZ network is recommended.

NOTE: The Server Proxy feature works only with applications on the Microsoft Windows platform; the Reverse Proxy feature works only with HTTP servers. If your application runs on Windows, it is recommended that you use the Server Proxy or Reverse Proxy features to publish from behind the Proxy Server computer. More information about these features can be found in the "Configuring Multi-server Environments" section of the Microsoft Proxy Server 2.0 documentation.

The following example demonstrates how to create a DMZ with a Proxy Server computer.

Network Layout
The three networks are separate physical segments connected to a Microsoft Proxy Server 2.0 computer using three network cards (NIC).

Network A = Internet

Network B = DMZ

Network C = Private intranet

Because Network B (DMZ) is partially trusted by Network C, and Network C does not trust Network A, the DMZ should be protected. The Proxy Server 2.0 packet filter driver protects networks B and C, because it filters all traffic that passes through the NIC on network A.

DMZ Implementation
 Install Microsoft Proxy Server 2.0 on a three NIC computer (one for each network: intranet, Internet, and DMZ). Be sure to select the Disable Packet Filtering option in the Proxy Server settings.

The Internet and DMZ networks must have valid Internet Protocol (IP) addresses, and these addresses must be on different logical subnets in order for routing to function.

The intranet NIC and DMZ NIC TCP/IP addresses must be included in the Proxy Server computer's Local Address Table (LAT).

Any servers on the DMZ segment must also use a valid IP address and must not be included in the LAT on the Proxy Server computer. Enable IP forwarding on the Proxy Server computer. After this is enabled, computers on the Internet segment should be able to ping servers on the DMZ segment.

If you are unable to ping from the Internet segment to the DMZ segment, verify that your Internet router or gateway has a valid route to your DMZ segment. If not, you must manually add a static route to the Internet router. If the router is managed by your Internet Service Provider, the ISP will have to make this change for you. The default gateway addresses of computers located on the DMZ network should be set to the address of the DMZ NIC on the Proxy Server computer. Enable Packet Filtering on the Proxy Server computer. You should open all relevant static filters (to enable traffic between the Internet and the DMZ computers). To do this, you must manually create packet filter exceptions or use predefined packet filters in the Proxy Server security settings and specify the address of the computer(s) on the DMZ network.

For example, if you have a UNIX computer on the DMZ and you want> Internet hosts to connect to it using Telnet, the following packet filter would allow Telnet connections through but block all other connections to the UNIX server:

DMZ UNIX server IP address = 172.16.0.1

 In the Proxy Server security dialog box, select Add to add a packet filter exception.  Use either of the following Packet Filter properties as examples:      Custom filter -     Protocol ID:  TCP Direction:   BOTH Remote Port: ANY Local port:  FIXED PORT 23 Local host:  INTERNAL COMPUTER 172.16.0.1 Remote host: ANY HOST (single host can be used for added security)

HTTP Protocol ID: TCP Direction:   BOTH Remote Port: ANY Local port:  FIXED PORT 80 Local host:  INTERNAL COMPUTER 172.16.0.1 Remote host: ANY HOST (single host can be used for added security) </li></ol>

Additional query words: localhost address host private forwarding

Keywords: kbhowto kbfaq KB191146

-

[mailto:TECHNET@MICROSOFT.COM Send feedback to Microsoft]

© Microsoft Corporation. All rights reserved.