Good Day:
We are implementing an IIS server as a front end for a SQL application. This is what I've done thus far.
The IIS is running on a dedicated server box, Win Server 2016. It is located in an isolated DMZ. There is endpoint protection software on the server.
The external IP address is already DNS-ed, say www.myapp.com, to a static IP on a block from our ISP.
Since we have a dual internet connection, I also have DNS-ed an IP on the backup ISP, say www.myapp-alt.com. This would be used if our primary had an outage (fiber cut or whatever). I have both ISP connections set to active in the Uplink Balancing, but no multipath rules set, letting it figure things out itself.
We are using a non-standard port, say 27105.
We have an EV SSL certificate already installed.
I have a DNAT set up for the www.myapp.com IP address to translate to the internal address, using the 27105 port (no port translation, the IIS is set to use that port).
There is also a SNAT to translate back.
Lower on the list is a DNAT for www.myapp-alt.com to translate to the same internal IP, same port, and an accompanying SNAT to go out.
I have a firewall rule (didn't use the auto firewall rules in the NAT) to allow incoming port 27105 to the internal IIS IP address. There is also a rule allowing the IIS server to go out to the internet for some common protocols (https, etc. etc.). It's getting DNS from the Sophos, and NTP from our GPS clock.
There is also a firewall rule allowing the IIS box to communicate with the SQL server, which is in a different VLAN.
I can connect from external to https://www.myapp.com:27105 and https://www.myapp-alt.com:27105, and it shows the SSL lock, etc.
There is a place (can't think of where it's located on the GUI) where you tell the firewall what your SQL, IIS, etc. servers are (if I remember correctly, to cut false positives?).
Am I missing anything? Is there anything more I can do to lock it down?
John S.
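Added example, not part of John's post: a PowerShell check run on the IIS box itself to confirm that what the firewall exposes matches what the server actually offers. It takes the port 27105 and the Server 2016 / EV certificate details from the post; the site name "MyApp", the SQL server address 10.0.20.5 and the SQL port 1433 are assumptions for illustration and would be replaced with the real values.

```powershell
# Added example (not from the original post). Assumptions, not from the post:
# the IIS site is named "MyApp", the SQL server is 10.0.20.5 listening on 1433,
# and this runs in an elevated PowerShell on the IIS box (Server 2016).
Import-Module WebAdministration

$ExpectedPort = 27105          # from the post
$SiteName     = 'MyApp'        # assumption
$SqlServer    = '10.0.20.5'    # assumption
$SqlPort      = 1433           # assumption: default SQL Server TCP port

# 1. The site should carry exactly one https binding on the non-standard port.
#    A leftover http/80 binding is unreachable through the DNAT but is still
#    open to anything that lands in the DMZ.
$bindings = Get-WebBinding -Name $SiteName
foreach ($b in $bindings) {
    $port = [int](($b.bindingInformation -split ':')[1])
    if ($b.protocol -ne 'https' -or $port -ne $ExpectedPort) {
        Write-Warning "Unexpected binding on ${SiteName}: $($b.protocol) $($b.bindingInformation)"
    }
}

# 2. Nothing else should listen on a routable interface. Every extra port here
#    is surface that only the firewall rule stands in front of.
Get-NetTCPConnection -State Listen |
    Where-Object { $_.LocalAddress -notin @('127.0.0.1', '::1') } |
    Sort-Object LocalPort -Unique |
    Select-Object LocalAddress, LocalPort, OwningProcess |
    Format-Table -AutoSize

# 3. Legacy SChannel protocols. Server 2016 still enables TLS 1.0 and 1.1 by
#    default, and an EV certificate does nothing about that. "Explicitly off"
#    means Enabled = 0 and DisabledByDefault = 1 under the Server subkey.
$schannel = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'
foreach ($proto in 'SSL 2.0', 'SSL 3.0', 'TLS 1.0', 'TLS 1.1') {
    $key = Join-Path $schannel "$proto\Server"
    $p = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    if (-not $p -or $p.Enabled -ne 0 -or $p.DisabledByDefault -ne 1) {
        Write-Warning "$proto is not explicitly disabled on the server side"
    }
}

# 4. Expiry of the certificate bound to the https binding (the EV cert).
$httpsBinding = $bindings | Where-Object { $_.protocol -eq 'https' } | Select-Object -First 1
if ($httpsBinding -and $httpsBinding.certificateHash) {
    $cert = Get-Item "Cert:\LocalMachine\$($httpsBinding.certificateStoreName)\$($httpsBinding.certificateHash)"
    if ($cert.NotAfter -lt (Get-Date).AddDays(30)) {
        Write-Warning "Certificate $($cert.Subject) expires $($cert.NotAfter)"
    }
}

# 5. East-west: the only path into the SQL VLAN should be the SQL port.
#    The second probe to SMB on the same host should fail; if it succeeds, the
#    inter-VLAN rule is wider than "IIS to SQL".
Test-NetConnection -ComputerName $SqlServer -Port $SqlPort |
    Select-Object ComputerName, RemotePort, TcpTestSucceeded
Test-NetConnection -ComputerName $SqlServer -Port 445 |
    Select-Object ComputerName, RemotePort, TcpTestSucceeded
```

Run it once after the build and again after patch cycles; the listener list (step 2) and the SChannel keys (step 3) are the two things that tend to drift without anyone changing the firewall.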