5.8 Configure Access to the DMZ on the Partners Tab

Configuring access to the DMZ takes place on the Partners tab of the Location form, using two partner configurations. DMZ to Internet Access controls traffic between computers on the Internet/WAN and the DMZ, and LAN to DMZ Access controls traffic between computers on your LAN and the DMZ.

To protect the LAN, the default Firewall Policies for these partners (DMZ to Internet and LAN to DMZ) deny all traffic, so your DMZ configuration must explicitly allow traffic to enter and leave the DMZ. Before accessing the Partners tab, ensure that the DMZ to Internet and LAN to DMZ Firewall Policies, or any other Firewall Policies that you will be using, are configured to allow the correct traffic to traverse the firewall. A tube only defines which endpoints and interfaces it covers; the Firewall Policies applied to that tube decide which traffic actually passes, so a permissive policy on a tube that covers the whole DMZ opens the whole DMZ.

Note
  • If the gateway is providing security only between the Internet and the DMZ, you only need to configure the DMZ to Internet Access partner.

  • If the gateway is providing security only between the DMZ and the LAN, you only need to configure the LAN to DMZ Access partner.


To edit the DMZ to Internet Access or LAN to DMZ Access partner, select the partner and click Edit.


On the Edit Partner screen that is displayed, you can only create, edit, and delete tubes. If you selected Yes on the Default DMZ to Internet Access Tube dialog box when first enabling your DMZ interface on the Network tab, a tube is already defined for the DMZ to Internet Access partner that permits traffic between the Internet and the entire Default User Group – DMZ using the DMZ to Internet Firewall Policy. Because this tube covers the whole DMZ, it is exactly as permissive as the DMZ to Internet Firewall Policy; review that policy before relying on the default tube.

Similarly, if you selected Yes on the LAN to DMZ Access Tube dialog box when first enabling your DMZ interface, a tube will be defined for the LAN to DMZ Access partner that permits traffic between the LAN and the entire Default User Group – DMZ using the LAN to DMZ Firewall Policy.

You can edit these tubes or add new tubes to narrow DMZ permissions to specific User Groups, applications, or interfaces.

For either access partner, to add a new tube, click Add. The Add Tube screen will be displayed.

5.8.1 DMZ to Internet Access Tubes

Figure 5.11 DMZ to Internet Access Tube

This screenshot shows the DMZ to Internet Access Tube window in the Location form.

On this screen, create a tube for the DMZ to Internet Access partner as follows:

Tube Display Name: (Optional) Enter a name for the tube in this field.

Local Side of Tube: This section defines the local side of the tube.

  • User Group: Select User Group if you would like a local User Group to participate in this tube. Choose the User Group from the adjacent pull-down menu. Only those User Groups that are within the DMZ will be available for selection.

    When the User Group option is selected, you define what traffic is allowed to pass between the DMZ User Group and the Internet. The following Firewall Policy option is available:

    • Firewall Policy on Tube: Select a Firewall Policy that you would like to apply to traffic traveling between this User Group and the Internet.

      Below this option are the following additional fields:

      • Firewall Policy on User Group: If a Firewall Policy was enabled when the selected User Group was defined, that policy always applies to the User Group and is displayed in this field.

      • Default Firewall Policy: The default Firewall Policy for this type of connection is displayed in this field; for a DMZ to Internet Access tube, this is the DMZ to Internet policy.

      All three Firewall Policies are listed here to remind you that Firewall Policies will be enforced on the connection in this order: Tube Firewall Policy, User Group Firewall Policy, and then Default Firewall Policy.

  • Application: Select Application if you would like a local application to participate in this tube. Choose the application from the adjacent pull-down menu. Only those applications whose servers are in the DMZ (in other words, their server IP addresses fall within the address ranges of the Default User Group – DMZ) will be available for selection.

Remote Side of Tube: This section defines the remote side of the tube. For a DMZ to Internet Access tube, the remote side is either the Internet or local User Groups/applications that are not participating in the Corente Services network.

  • User Group: Select User Group if you would like a remote User Group to participate in this tube. The pull-down menu will list two kinds of User Groups: an "All Internet" User Group and local User Groups that are defined for this Location that are not participating in the secure Corente Services network.

  • Application: Select Application if you would like a remote application to participate in this tube. The pull-down menu will list only those local applications defined for this Location that are not participating in the secure network and that are not served from servers residing in the DMZ (as defined by the Default User Group – DMZ).

Outbound QoS: This section enables you to configure Quality of Service (QoS) settings for the outbound traffic on this tube, that is, traffic from the DMZ to the Internet. QoS settings are viewable and configurable with the Quality of Service feature in App Net Manager.

  • Setting on Tube: Choose a QoS entry from the pull-down menu to specify the priority of traffic outbound on this tube.

    Note

    As when performing any sort of QoS configuration, administrators must be careful when assigning QoS levels because if there is too much high priority traffic, any other traffic with a lower level of priority may become too slow or even be dropped. In addition, you cannot use QoS to prioritize traffic to or from a Corente Client.

  • Setting on User Group: If there is an Outbound QoS Setting that was enabled when defining the selected User Group or Application and always applies to this User Group or Application, the Outbound QoS Setting will be displayed in this field. This field is displayed to remind you that QoS settings will be enforced on the connection in this order: Tube QoS setting and then User Group QoS setting.

Inbound QoS: This section enables you to configure QoS settings for the inbound traffic on this tube, such as traffic to the DMZ from the Internet.

  • Setting on Tube: Choose a QoS entry from the pull-down menu to specify the priority of traffic inbound on this tube.

  • Setting on User Group: If there is an Inbound QoS Setting that was enabled when defining the selected User Group/application and always applies to this User Group/application, the Inbound QoS Setting will be displayed in this field. This field is displayed to remind you that QoS settings will be enforced on the connection in this order: Tube QoS setting and then User Group QoS setting.

Via Interface or Interface Alias: Choose the WAN interface or a WAN interface alias from the Interface/Alias pull-down menu. This will enforce the rules of this tube only for traffic that is destined for the interface or address that you have chosen. If necessary, you can create alias addresses on the Network tab.

When you have finished defining the tube, select OK to store your changes or Cancel to close the screen and discard your changes. The new tube will appear in the Tubes table.

5.8.2 LAN to DMZ Access Tubes

Figure 5.12 LAN to DMZ Access Tube

This screenshot shows the LAN to DMZ Access Tube window in the Location form.

On this screen, create a tube for the LAN to DMZ Access partner as follows:

Tube Display Name: (Optional) Enter a name for the tube in this field.

Local Side of Tube: This section defines the local side of the tube.

  • User Group: Select User Group if you would like a local User Group to participate in this tube. Choose the User Group from the adjacent pull-down menu, which lists all local User Groups that have been defined for the LAN (that is, all non-DMZ User Groups).

    When the User Group option is selected, you define what traffic is allowed to pass between this LAN User Group and the DMZ. The following Firewall Policy option is enabled:

    • Firewall Policy on Tube: Select a Firewall Policy that you would like to apply to traffic traveling between this User Group and the DMZ.

      Below this option are the following additional fields:

      • Firewall Policy on User Group: If a Firewall Policy was enabled when the selected User Group was defined, that policy always applies to the User Group and is displayed in this field.

      • Default Firewall Policy: The default Firewall Policy for this type of connection is displayed in this field; for a LAN to DMZ Access tube, this is the LAN to DMZ policy.

      All three Firewall Policies are listed here to remind you that Firewall Policies will be enforced on the connection in this order: Tube Firewall Policy, User Group Firewall Policy, and then Default Firewall Policy.

  • Application: Select Application if you would like a local application to participate in this tube. Choose the application from the adjacent pull-down menu, which lists all local applications that have been defined for the LAN (that is, all non-DMZ applications).

Remote Side of Tube: This section defines the remote side of the tube (the DMZ).

  • User Group: Select User Group if you would like a DMZ User Group to participate in this tube. The pulldown menu will list the Default User Group – DMZ as well as any User Groups you have defined that contain addresses within the DMZ.

  • Application: Select Application if you would like a remote application to participate in this tube. Choose the application from the adjacent pull-down menu. Only those applications whose servers are in the DMZ (in other words, their server IP addresses fall within the address ranges of the Default User Group – DMZ) are available for selection.

Outbound QoS: This section enables you to configure Quality of Service (QoS) settings for the outbound traffic on this tube, that is, traffic from the LAN to the DMZ.

  • Setting on Tube: Choose a QoS entry from the pull-down menu to specify the priority of traffic outbound from the LAN on this tube.

  • Setting on User Group: If there is an Outbound QoS Setting that was enabled when defining the selected User Group/application and always applies to this User Group/application, the Outbound QoS Setting will be displayed in this field. This field is displayed to remind you that QoS settings will be enforced on the connection in this order: Tube QoS setting and then User Group QoS setting.

Inbound QoS: This section enables you to configure QoS settings for the inbound traffic on this tube, that is, traffic to the LAN from the DMZ.

  • Setting on Tube: Choose a QoS entry from the pull-down menu to specify the priority of traffic inbound to the LAN from the DMZ on this tube.

  • Setting on User Group: If there is an Inbound QoS Setting that was enabled when defining the selected User Group or Application and always applies to this User Group or Application, the Inbound QoS Setting will be displayed in this field. This field is displayed to remind you that QoS settings will be enforced on the connection in this order: Tube QoS setting and then User Group QoS setting.

When you have finished defining the tube, select OK to store your changes or Cancel to close the screen and discard your changes. The new tube will appear in the Tubes table.
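The policy order described for both DMZ to Internet Access tubes (5.8.1) and LAN to DMZ Access tubes (5.8.2), Tube Firewall Policy, then User Group Firewall Policy, then Default Firewall Policy, is easy to get wrong when a User Group policy was enabled long before the tube was created. The following Python script is an added illustration written for this page, not Corente Services code, that models a few tubes and reports which layer decided each flow. Because the page does not specify the evaluation semantics, it assumes that a Firewall Policy is an ordered list of protocol/port rules, that the Tube policy, the local User Group policy and the partner's Default policy are consulted in that order with the first matching rule deciding, that a tube is bidirectional between its two sides, and that a Via Interface restriction excludes traffic on any other interface. The addresses, group names, tube names and rules are constructed for the example.

```python
"""Model of how the Firewall Policies on a DMZ tube layer together.

Added illustration for this page, not Corente Services code. Assumptions
not stated on the page: a Firewall Policy is an ordered list of rules that
match on protocol and destination port; the Tube policy, then the policy of
the tube's local User Group, then the partner's Default policy are consulted
and the first matching rule decides; a tube is bidirectional; a Via Interface
restriction excludes flows on other interfaces. Addresses are constructed.
"""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Rule:
    proto: str            # "tcp", "udp" or "any"
    port: Optional[int]   # destination port; None matches any port
    action: str           # "allow" or "deny"

    def matches(self, proto: str, port: int) -> bool:
        return self.proto in ("any", proto) and self.port in (None, port)


DENY_ALL: List[Rule] = [Rule("any", None, "deny")]   # the shipped default posture


@dataclass
class UserGroup:
    name: str
    networks: List[str]                                # CIDR strings
    policy: List[Rule] = field(default_factory=list)   # "Firewall Policy on User Group"

    def contains(self, addr: str) -> bool:
        ip = ip_address(addr)
        return any(ip in ip_network(n) for n in self.networks)


@dataclass
class Tube:
    name: str
    local: UserGroup
    remote: UserGroup
    policy: List[Rule] = field(default_factory=list)   # "Firewall Policy on Tube"
    via_interface: Optional[str] = None                # "Via Interface or Interface Alias"

    def covers(self, src: str, dst: str, interface: Optional[str]) -> bool:
        # Assumption: bidirectional between the two sides; an interface
        # restriction excludes flows that did not arrive on that interface.
        if self.via_interface is not None and self.via_interface != interface:
            return False
        return (self.local.contains(src) and self.remote.contains(dst)) or \
               (self.remote.contains(src) and self.local.contains(dst))


@dataclass
class Partner:
    name: str                    # "DMZ to Internet Access" or "LAN to DMZ Access"
    tubes: List[Tube]
    default_policy: List[Rule]   # "Default Firewall Policy" for this partner


def decide(partner: Partner, src: str, dst: str, proto: str, port: int,
           interface: Optional[str] = None) -> Tuple[str, str]:
    """Return (action, deciding layer) for one flow through this partner."""
    tube = next((t for t in partner.tubes if t.covers(src, dst, interface)), None)
    if tube is None:
        return "deny", "no tube"          # nothing lets it traverse the firewall
    layers = [("tube", tube.policy),
              ("user group", tube.local.policy),
              ("default", partner.default_policy)]
    for layer_name, policy in layers:
        for rule in policy:
            if rule.matches(proto, port):
                return rule.action, layer_name
    return "deny", "implicit"             # no rule in any layer matched


def build_example() -> Tuple[Partner, Partner]:
    """Constructed sample: a DMZ web server open on 80 and 443, SSH only from the LAN."""
    dmz = UserGroup("Default User Group - DMZ", ["192.0.2.0/24"],
                    policy=[Rule("tcp", 443, "allow")])   # an old group-level allow
    internet = UserGroup("All Internet", ["0.0.0.0/0"])
    lan = UserGroup("LAN", ["10.10.0.0/16"])
    dmz_to_internet = Partner("DMZ to Internet Access", [
        Tube("web", local=dmz, remote=internet, via_interface="wan0",
             policy=[Rule("tcp", 80, "allow"), Rule("tcp", 22, "deny")]),
    ], DENY_ALL)
    lan_to_dmz = Partner("LAN to DMZ Access", [
        Tube("admin", local=lan, remote=dmz, policy=[Rule("tcp", 22, "allow")]),
    ], DENY_ALL)
    return dmz_to_internet, lan_to_dmz


if __name__ == "__main__":
    inet, lan = build_example()
    for port, iface in ((80, "wan0"), (443, "wan0"), (22, "wan0"), (8080, "wan0"), (80, "wan1")):
        print("Internet -> DMZ tcp/%d via %s: %s" % (port, iface,
              decide(inet, "203.0.113.5", "192.0.2.10", "tcp", port, iface)))
    print("LAN -> DMZ tcp/22:", decide(lan, "10.10.1.5", "192.0.2.10", "tcp", 22))
```

Running it shows that tcp/443 from the Internet is allowed not by the tube but by the User Group policy, which is the kind of inherited permission the three-field display on the Add Tube screen is meant to surface. The check worth making before saving a real configuration is that every flow you did not deliberately open lands on the default deny rather than on an allow rule carried by a User Group.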