How to Create a DMZ Network with Proxy Server 2.0
ID: Q191146
The information in this article applies to:
- Microsoft Proxy Server version 2.0
SUMMARY
This article explains how to create a so-called DMZ network using
Microsoft Proxy Server 2.0. A DMZ (demilitarized zone) is essentially a network that exists between two other networks. Usually the two other networks do not trust each other.
MORE INFORMATION
A DMZ is generally used with Microsoft Proxy Server when the Server Proxy
and Reverse Proxy features cannot be used. If you are using an Apple,
UNIX, OS/2, or other operating system and you are not publishing HTTP,
configuring a DMZ network is recommended.
NOTE: The Server Proxy feature works only with applications on the
Microsoft Windows platform; the Reverse Proxy feature works only with HTTP
servers. If your application runs on Windows, it is recommended that you
use the Server Proxy or Reverse Proxy features to publish from behind the
Proxy Server computer. More information about these features can be found
in the "Configuring Multi-server Environments" section
of the Microsoft Proxy Server 2.0 documentation.
The following example demonstrates how to create a DMZ with a Proxy Server
computer.
Network Layout
The three networks are separate physical segments connected to a Microsoft
Proxy Server 2.0 computer using three network cards (NIC).
Network A = Internet
Network B = DMZ
Network C = Private intranet
Because Network B (DMZ) is partially trusted by Network C, and Network C
does not trust Network A, the DMZ should be protected. The Proxy Server
2.0 packet filter driver protects networks B and C, because it filters all
traffic that passes through the NIC on network A.
DMZ Implementation
- Install Microsoft Proxy Server 2.0 on a three-NIC computer (one for each network: intranet, Internet, and DMZ). Be sure to select the Disable Packet Filtering option in the Proxy Server settings.
The Internet and DMZ networks must have valid Internet Protocol (IP) addresses, and these addresses must be on different logical subnets in order for routing to function.
The intranet NIC and DMZ NIC TCP/IP addresses must be included in the Proxy Server computer's Local Address Table (LAT).
Any servers on the DMZ segment must also use a valid IP address and must not be included in the LAT on the Proxy Server computer.
- Enable IP forwarding on the Proxy Server computer. After this is enabled, computers on the Internet segment should be able to ping servers on the DMZ segment.
If you are unable to ping from the Internet segment to the DMZ segment, verify that your Internet router or gateway has a valid route to your DMZ segment. If not, you must manually add a static route to the Internet router. If the router is managed by your Internet Service Provider, the ISP will have to make this change for you.
- The default gateway addresses of computers located on the DMZ
network should be set to the address of the DMZ NIC on the Proxy Server computer.
- Enable Packet Filtering on the Proxy Server computer. You should
open all relevant static filters (to enable traffic between the Internet and the DMZ computers). To do this, you must manually create packet filter
exceptions or use predefined packet filters in the Proxy Server security
settings and specify the address of the computer(s) on the DMZ network.
For example, if you have a UNIX computer on the DMZ and you want
Internet hosts to connect to it using Telnet, the following packet
filter would allow Telnet connections through but block all other
connections to the UNIX server:
DMZ UNIX server IP address = 172.16.0.1
- In the Proxy Server security dialog box, select Add to add a packet filter exception.
- Use either of the following Packet Filter properties as examples:
Custom filter
-------------
Protocol ID: TCP
Direction: BOTH
Remote Port: ANY
Local port: FIXED PORT 23
Local host: INTERNAL COMPUTER 172.16.0.1
Remote host: ANY HOST (single host can be used for added security)
HTTP
----
Protocol ID: TCP
Direction: BOTH
Remote Port: ANY
Local port: FIXED PORT 80
Local host: INTERNAL COMPUTER 172.16.0.1
Remote host: ANY HOST (single host can be used for added security)
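The following is an added example, not part of this article or of Proxy Server itself: a simplified model of how the two static filter exceptions above decide which Internet-to-DMZ connections pass once packet filtering is enabled (default deny, a connection passes only if an exception matches). It assumes a TCP-only, inbound-only view of the filters; the Internet host addresses are constructed, and only the DMZ server address comes from the article.

```python
from dataclasses import dataclass
from ipaddress import IPv4Address, ip_address
from typing import Iterable, Optional

# Address from the article's example; the other hosts are constructed for the demo.
DMZ_UNIX_SERVER = ip_address("172.16.0.1")
OTHER_DMZ_HOST = ip_address("172.16.0.2")
INTERNET_HOST = ip_address("203.0.113.5")
OTHER_INTERNET_HOST = ip_address("198.51.100.7")


@dataclass(frozen=True)
class FilterException:
    """One static filter exception, using the fields from the article's Custom filter:
    Protocol ID, Local port (FIXED PORT), Local host (INTERNAL COMPUTER) and
    Remote host (ANY HOST when None, or a single host for added security)."""
    protocol: str
    local_port: int
    local_host: IPv4Address
    remote_host: Optional[IPv4Address] = None  # None models ANY HOST

    def matches(self, protocol: str, local_host: IPv4Address,
                local_port: int, remote_host: IPv4Address) -> bool:
        # Remote Port is ANY in both article examples, so it is not checked here.
        return (self.protocol == protocol
                and self.local_port == local_port
                and self.local_host == local_host
                and (self.remote_host is None or self.remote_host == remote_host))


def is_allowed(filters: Iterable[FilterException], protocol: str,
               local_host: IPv4Address, local_port: int,
               remote_host: IPv4Address) -> bool:
    """Default deny: an Internet connection to a DMZ host passes only if some exception matches."""
    return any(f.matches(protocol, local_host, local_port, remote_host) for f in filters)


# The two exceptions from the article: Telnet (23) and HTTP (80) to the UNIX server.
TELNET_ANY_HOST = FilterException("TCP", 23, DMZ_UNIX_SERVER)
HTTP_ANY_HOST = FilterException("TCP", 80, DMZ_UNIX_SERVER)
DMZ_FILTERS = [TELNET_ANY_HOST, HTTP_ANY_HOST]
# The "single host can be used for added security" variant of the Telnet filter.
TELNET_ONE_HOST = FilterException("TCP", 23, DMZ_UNIX_SERVER, remote_host=INTERNET_HOST)

if __name__ == "__main__":
    print(is_allowed(DMZ_FILTERS, "TCP", DMZ_UNIX_SERVER, 23, INTERNET_HOST))   # True
    print(is_allowed(DMZ_FILTERS, "TCP", DMZ_UNIX_SERVER, 25, INTERNET_HOST))   # False: no exception for this port
    print(is_allowed(DMZ_FILTERS, "TCP", OTHER_DMZ_HOST, 23, INTERNET_HOST))    # False: other DMZ host
    print(is_allowed([TELNET_ONE_HOST], "TCP", DMZ_UNIX_SERVER, 23, OTHER_INTERNET_HOST))  # False: wrong source
```

The model shows why a filter scoped to a single remote host is tighter than ANY HOST: the same Telnet connection from a different Internet address is dropped.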
Additional query words:
localhost address host private forwarding
Keywords : prx2faq kbfaq
Version : winnt:2.0
Platform : winnt
Issue type : kbhowto