How to get to the internal firewall from the external one

Collapse
X
  • Filter
  • Time
  • Show
Clear All
new posts

  • How to get to the internal firewall from the external one

    Hello,

    I am studying AD FS, and I read that the Proxy must be placed between two firewalls, for security reasons.

    So, I made a picture, which I attach, because I don't understand how the non-AD FS-related traffic can be directed from the external traffic to the internal one.

    I mean: how can, for instance, SMTP traffic get to the LAN?

    Thanks in advance.
    -
    Madrid (Spain).

  • #2
    Enterprise/SME class firewalls generally route based on protocols and/or ports. SMTP traffic will come in on port 25 from the internet, so can be routed from the edge firewall to the secondary firewall directly and then routed to the email server.

    ADFS traffic comes in over port 443 IIRC, so can be routed directly to the proxy server. The proxy server will also be allowed access on port 443 through the internal firewall to the internal ADFS server.

    Many large organisations will also use multiple external IP addresses, particularly where they host multiple SSL websites as these can't generally co-exist due to certificate requirements. So requests for adfs.company.com will be on 1.1.1.1, owa.company.com on 1.1.1.2 and so on.
    BSc, MCSA: Server 2008, MCSE, MCSA: Messaging, MCTS
    Cruachan's Blog

    • #3
      Thanks Cruachan,

      So, in the image I attach, should I place a router between the external and the internal firewall?
      -
      Madrid (Spain).

      • #4
        No, the edge/front firewall will choose where to route traffic which will be either the DMZ ADFS server or the back firewall, or drop it if it's an unrecognised/unauthorised request.
        BSc, MCSA: Server 2008, MCSE, MCSA: Messaging, MCTS
        Cruachan's Blog

        • #5
          But the edge firewall sits in 1.0/24, the internal one on 2.0/24 (in the image I attach above).
          -
          Madrid (Spain).

          • #6
            The rules will be set on the edge firewall for what gets routed where. So a request for the ADFS server will go to the 1.0.0.0/24 network, but a request for anything on the 2.0.0.0/24 network will be sent to the external IP address of the internal firewall, where it will be routed or blocked or dropped accordingly.

            In your diagram, the ADFS server shouldn't really be shown as dual-homed. Rather, there should be a switch for the 1.0.0.0/24 subnet with the internal NIC of the edge firewall, the external NIC of the internal firewall and the NIC of the ADFS server connected to it.
            BSc, MCSA: Server 2008, MCSE, MCSA: Messaging, MCTS
            Cruachan's Blog
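The two-firewall policy described in #2 and #6 (edge firewall routes by port, internal firewall only lets the DMZ proxy reach the internal AD FS server) can be modelled as two small first-match rule tables with a default deny. The Python below is an added illustration, not code from the thread or from any firewall vendor: the 1.0.0.0/24 and 2.0.0.0/24 subnets are the ones in the diagram, while the host addresses (proxy 1.0.0.10, internal firewall external NIC 1.0.0.2, internal AD FS 2.0.0.10, mail server 2.0.0.25) and the 203.0.113.0/24 "internet" source are assumed for the example.

```python
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network

# Subnets are taken from the thread's diagram; every host address below is assumed.
DMZ = ip_network("1.0.0.0/24")
ANY = ip_network("0.0.0.0/0")
INTERNAL_FW_EXT = ip_address("1.0.0.2")   # external NIC of the internal firewall (assumed)
ADFS_PROXY = ip_address("1.0.0.10")       # AD FS proxy sitting in the DMZ (assumed)
ADFS_INTERNAL = ip_address("2.0.0.10")    # internal AD FS server on the LAN (assumed)
MAIL_SERVER = ip_address("2.0.0.25")      # internal mail server on the LAN (assumed)


@dataclass(frozen=True)
class Rule:
    name: str
    src: IPv4Network        # sources this rule matches
    dport: int              # destination port this rule matches
    next_hop: IPv4Address   # where matched traffic is sent


# Edge firewall: route by port, hand anything bound for the LAN to the internal firewall.
EDGE_RULES = [
    Rule("adfs-https-to-dmz-proxy", ANY, 443, ADFS_PROXY),
    Rule("smtp-to-internal-firewall", ANY, 25, INTERNAL_FW_EXT),
]

# Internal firewall: only the proxy may speak HTTPS to the internal AD FS server;
# SMTP that the edge handed over is forwarded to the mail server.
INTERNAL_RULES = [
    Rule("proxy-to-internal-adfs", ip_network(f"{ADFS_PROXY}/32"), 443, ADFS_INTERNAL),
    Rule("smtp-to-mail-server", ANY, 25, MAIL_SERVER),
]


def evaluate(rules, src: str, dport: int):
    """First-match evaluation with an implicit default deny.
    Returns (rule_name, next_hop), or ("drop", None) when nothing matches."""
    source = ip_address(src)
    for rule in rules:
        if source in rule.src and dport == rule.dport:
            return rule.name, rule.next_hop
    return "drop", None


def route_from_internet(src: str, dport: int) -> str:
    """Follow an inbound packet through the edge firewall and, if the edge hands it
    to the internal firewall, through that one too. Returns a readable path."""
    edge_rule, hop = evaluate(EDGE_RULES, src, dport)
    if hop is None:
        return "edge:drop"
    path = f"edge:{edge_rule}->{hop}"
    if hop == INTERNAL_FW_EXT:
        # Plain routing, not NAT: the internal firewall still sees the original source.
        inner_rule, inner_hop = evaluate(INTERNAL_RULES, src, dport)
        path += f" | internal:{inner_rule}"
        if inner_hop is not None:
            path += f"->{inner_hop}"
    return path


def route_from_dmz(src: str, dport: int) -> str:
    """A DMZ host talking towards the LAN only crosses the internal firewall."""
    if ip_address(src) not in DMZ:
        return "internal:drop"   # the internal firewall's outer NIC only faces the DMZ
    rule, hop = evaluate(INTERNAL_RULES, src, dport)
    return f"internal:{rule}" + (f"->{hop}" if hop is not None else "")


if __name__ == "__main__":
    for src, port in [("203.0.113.5", 443), ("203.0.113.5", 25), ("203.0.113.5", 3389)]:
        print(f"internet {src}:{port}  ->  {route_from_internet(src, port)}")
    # The proxy reaches internal AD FS; any other DMZ host trying the same port is dropped.
    print(f"dmz proxy:443      ->  {route_from_dmz(str(ADFS_PROXY), 443)}")
    print(f"dmz other host:443 ->  {route_from_dmz('1.0.0.50', 443)}")
```

The last two calls are the check worth keeping in mind from #2: the internal firewall's HTTPS rule is pinned to the proxy's address, so a different host in the DMZ gets the default drop rather than a path to the internal AD FS server.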

            • #7
              I see, thanks once again!
              -
              Madrid (Spain).
