In this architecture, the DMZ occupies a publicly addressable IP address space. The load balancers perform NAT and pass packets to the web servers, which reside in a private, non-routable (RFC 1918) address space. Use this configuration if the DMZ has to be shared with services that cannot be NATed, such as IPSec and Kerberos. The diagram below shows only the modified portion of the infrastructure; the application and database servers are the same as in the NAT DMZ infrastructure and are not shown.

Physical Layout

The following diagram includes these elements:
- A redundant ISP provider connection for high availability.
- Redundant routers 1 and 2 to connect to the internet.
- Redundant three-prong firewalls 1 and 2 to connect the corporate network to the DMZ.
- Redundant load balancers 1 and 2 to perform NAT and load-balance requests to web servers 1 and 2.
- Redundant load balancers 3 and 4 to load-balance outbound PIA requests to forward proxy servers 1 and 2.
- Web servers 1 and 2 that communicate to application servers not shown in the diagram.
Logical Layout

Router Setup

| Unit | Router 1 (Active) | Router 2 (Standby) |
|---|---|---|
| IP Address | 123.123.122.2 | 123.123.122.3 |
| Subnet Mask | 255.255.255.0 | 255.255.255.0 |
| Packet filters (only if available) | Allow only HTTP/HTTPS to PeopleSoft system. If PeopleSoft portal is to call outside, allow HTTP/HTTPS to outside from PeopleSoft system. Allow rules as needed by other non-PeopleSoft systems. | Same as Unit 1. |
Firewall Setup

| Unit | Firewall 1 (Active) | Firewall 2 (Active) |
|---|---|---|
| IP Address 1 | 123.123.122.6 | 123.123.122.7 |
| Subnet Mask 1 | 255.255.255.0 | 255.255.255.0 |
| Shared Address 1 | 123.123.122.5 | 123.123.122.5 |
| Default Route 1 | 123.123.122.1 | 123.123.122.1 |
| IP Address 2 | 123.123.123.2 | 123.123.123.3 |
| Subnet Mask 2 | 255.255.255.0 | 255.255.255.0 |
| Shared Address 2 | 123.123.123.1 | 123.123.123.1 |
| Default Route 2 | None | None |
| IP Address 3 | * | * |
| Subnet Mask 3 | * | * |
| Shared Address 3 | * | * |
| Default Route 3 | None | None |
\* Based on the intranet IP address; this can be in the RFC 1918 address space.

Note. Both firewall units have the same security setup.
Access to PIA/Portal from Outside

| Protocol | Transport Protocol | Source IP | Source Port | Destination IP | Destination Port | Action |
|---|---|---|---|---|---|---|
| HTTP | TCP | Any | 80 | 123.123.123.100 | 80 | Allow |
| HTTPS | TCP | Any | 443 | 123.123.123.100 | 443 | Allow |
Access to Outside from Portal/Application Messaging Service

| Protocol | Transport Protocol | Source IP | Source Port | Destination IP | Destination Port | Action |
|---|---|---|---|---|---|---|
| HTTP | TCP | 123.123.123.50 | Any | Any | Any | Allow |
| HTTPS | TCP | 123.123.123.50 | Any | Any | Any | Allow |
| HTTP | TCP | 123.123.123.60 | Any | Any | Any | Allow |
| HTTPS | TCP | 123.123.123.60 | Any | Any | Any | Allow |
Access to Provider's DNS Server from Local DNS Server

| Protocol | Transport Protocol | Source IP | Source Port | Destination IP | Destination Port | Action |
|---|---|---|---|---|---|---|
| DNS¹ | UDP | Local DNS | Any | Provider's DNS | 53 | Allow |
| DNS¹ | TCP | Local DNS | Any | Provider's DNS | 53 | Allow |

¹ Do not allow the reverse path. For example, do not allow the provider's DNS updates to reach the local DNS.

Web Server Load Balancer Setup

| Unit | Load Balancer 1 (Active) | Load Balancer 2 (Standby) |
|---|---|---|
| IP Address (VLAN1/0) | 123.123.123.6 | 123.123.123.7 |
| Subnet Mask | 255.255.255.0 | 255.255.255.0 |
| Shared Address | 123.123.123.5 | 123.123.123.5 |
| Default Route | 123.123.123.1 | 123.123.123.1 |
| IP Address (VLAN1/1) | 10.0.0.2 | 10.0.0.3 |
| Subnet Mask | 255.255.255.0 | 255.255.255.0 |
| Shared Address | 10.0.0.1 | 10.0.0.1 |
| Virtual IP (portal.corp.com) | 123.123.123.100 | 123.123.123.100 |
| HTTP Service Port | 80 | 80 |
| HTTPS Service Port | 443 | 443 |
| HTTP Persistence (sticky) | Load Balancer Cookie | Load Balancer Cookie |
| HTTPS Persistence (sticky) | Load Balancer SSL Sticky | Load Balancer SSL Sticky |
Static Address Mapping for Inbound Load Balancer NAT

| External IP Address | Transport Protocol | External Port | Internal Address | Internal Port |
|---|---|---|---|---|
| 123.123.123.100 | TCP | 80 | 10.0.0.100 | 80 |
| 123.123.123.100 | TCP | 443 | 10.0.0.100 | 443 |
Static Address Mapping for Outbound Load Balancer Reverse NAT

| Source IP | Transport Protocol | Source Port | Translated IP | Translated Port |
|---|---|---|---|---|
| 10.0.0.50 | TCP | Any | 123.123.123.50 | Any |
| 10.0.0.60 | TCP | Any | 123.123.123.60 | Any |
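The firewall access tables and the inbound load balancer NAT mapping above, encoded as a small first-match rule evaluator with a default deny. This is an added example, not part of the original paper; the page names the local and provider DNS servers but gives them no addresses, so the two DNS IPs below are assumed placeholders, and the inbound rows keep the source port column exactly as tabulated.

```python
from dataclasses import dataclass

ANY = "any"

@dataclass(frozen=True)
class Rule:
    proto: str     # transport protocol, lower case
    src: str       # source IP or ANY
    sport: object  # source port or ANY
    dst: str       # destination IP or ANY
    dport: object  # destination port or ANY
    action: str = "allow"

def _match(pattern, value):
    return pattern == ANY or pattern == value

# Placeholder addresses: the page names these servers but does not number them.
LOCAL_DNS, PROVIDER_DNS = "10.0.0.53", "198.51.100.53"

RULES = [
    # Access to PIA/Portal from outside, source port column kept exactly as tabulated
    Rule("tcp", ANY, 80, "123.123.123.100", 80),
    Rule("tcp", ANY, 443, "123.123.123.100", 443),
    # Access to outside from portal / application messaging service
    Rule("tcp", "123.123.123.50", ANY, ANY, ANY),
    Rule("tcp", "123.123.123.60", ANY, ANY, ANY),
    # Local DNS to provider's DNS only; no reverse rule exists, so that path hits default deny
    Rule("udp", LOCAL_DNS, ANY, PROVIDER_DNS, 53),
    Rule("tcp", LOCAL_DNS, ANY, PROVIDER_DNS, 53),
]

def evaluate(proto, src, sport, dst, dport):
    """First-match evaluation with an implicit default deny."""
    for r in RULES:
        if (r.proto == proto and _match(r.src, src) and _match(r.sport, sport)
                and _match(r.dst, dst) and _match(r.dport, dport)):
            return r.action
    return "deny"

# Static inbound NAT on the web-server load balancer: VIP -> internal web address
INBOUND_NAT = {("123.123.123.100", "tcp", 80): ("10.0.0.100", 80),
               ("123.123.123.100", "tcp", 443): ("10.0.0.100", 443)}

def inbound_path(src, sport, dst, dport, proto="tcp"):
    """Firewall decision for an internet-side packet and, if allowed, its NATed destination."""
    decision = evaluate(proto, src, sport, dst, dport)
    return decision, (INBOUND_NAT.get((dst, proto, dport)) if decision == "allow" else None)
```

Because the inbound rows are encoded as tabulated, the evaluator also makes visible that a browser connecting from an ephemeral source port does not match them; confirm on the deployed firewall whether that column is meant to read Any.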
Web Server Setup

The configuration parameters vary based on the web server clustering scheme selected.

| Unit | WebHost1:Instance1 | WebHost1:Instance2 | WebHost2:Instance1 | WebHost2:Instance2 |
|---|---|---|---|---|
| IP Address 1 | * | * | * | * |
| Subnet Mask 1 | 255.255.255.0 | 255.255.255.0 | 255.255.255.0 | 255.255.255.0 |
| Default Route 1 | 10.0.0.1 | 10.0.0.1 | 10.0.0.1 | 10.0.0.1 |
| HTTP Port | * | * | * | * |
| HTTPS Port | * | * | * | * |
| IP Address 2 | 10.0.1.10 | 10.0.1.10 | 10.0.1.20 | 10.0.1.20 |
| Subnet Mask 2 | 255.255.255.0 | 255.255.255.0 | 255.255.255.0 | 255.255.255.0 |
| Default Route 2¹ | 10.0.1.50 | 10.0.1.50 | 10.0.1.50 | 10.0.1.50 |

\* See the Clustering and High Availability of PeopleSoft 8.4 red paper, available on Customer Connection, for values.

¹ Set to none if proxy load balancing is not used.