Domain controller in DMZ, firewall rules needed

Hi and welcome,

is your DC accessed from external to your company? Really depends on what your DC is used for?

If internal use only then a Source LAN -> Any DST DMZ -> Any -> All and maybe log traffic?

Ian

Hello, thanks,

The server's IIS is exposed to the outside. As per the services in them, its domain controller, iis service an file server.

I was looking to filtering communication between lan and dms to the bare minimum, this is how it is now in the mikrotik, we want to enhance the protection with the UTM, forwarding all traffic is not something i would feel confortable doing.

Hi,

instead of the allow all entry you can select from the drop down list those ports you wish to allow or even create your own port group.

Ian

Yes, what im lookin for is to know which specific rules/ports/protocols do I need to allow in firewall for this to work

Hi Lucho ,

You may create a firewall rules between two Zones.

1. DMZ  to WAN > Allow Ports to communicate with the WAN network i.e. Internet.

2. LAN to DMZ ,Allow comunication from Local Machines in the LAN zone to the server. 

You may segregiate the rule based on the ports required.

We do have a Predefined rules for all known ports ,also you may create your own List of Ports and Apply on the firewall rules. 

e.g. https://community.sophos.com/kb/en-us/123034